Display namespace for ServiceAccount while running rbac-tool policy-rules -e default #112

Open · fjammes opened this issue Jul 4, 2024 · 0 comments · May be fixed by #113

fjammes commented Jul 4, 2024

In the command below, on a large cluster there can be a lot of ServiceAccounts named default which have different permissions; the current policy-rules command does not allow one to know to which namespace each of these service accounts belongs. Here is an example:

rbac-tool policy-rules -e default
  TYPE           | SUBJECT                                         | VERBS  | NAMESPACE   | API GROUP           | KIND                                  | NAMES                                                           | NONRESOURCEURI | ORIGINATED FROM                                                                 
-----------------+-------------------------------------------------+--------+-------------+---------------------+---------------------------------------+-----------------------------------------------------------------+----------------+---------------------------------------------------------------------------------
  Group          | system:bootstrappers:kubeadm:default-node-token | create | *           | certificates.k8s.io | certificatesigningrequests            |                                                                 |                | ClusterRoles>>system:node-bootstrapper                                          
  Group          | system:bootstrappers:kubeadm:default-node-token | create | *           | certificates.k8s.io | certificatesigningrequests/nodeclient |                                                                 |                | ClusterRoles>>system:certificates.k8s.io:certificatesigningrequests:nodeclient  
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | *           | certificates.k8s.io | certificatesigningrequests            |                                                                 |                | ClusterRoles>>system:node-bootstrapper                                          
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | *           | core                | nodes                                 |                                                                 |                | ClusterRoles>>kubeadm:get-nodes                                                 
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | kube-system | core                | configmaps                            | kube-proxy                                                      |                | Roles>>kube-system/kube-proxy                                                   
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | kube-system | core                | configmaps                            | kubeadm-config                                                  |                | Roles>>kube-system/kubeadm:nodes-kubeadm-config                                 
                 |                                                 |        |             |                     |                                       |                                                                 |                |                                                                                 
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | kube-system | core                | configmaps                            | kubelet-config                                                  |                | Roles>>kube-system/kubeadm:kubelet-config                                       
                 |                                                 |        |             |                     |                                       |                                                                 |                |                                                                                 
  Group          | system:bootstrappers:kubeadm:default-node-token | list   | *           | certificates.k8s.io | certificatesigningrequests            |                                                                 |                | ClusterRoles>>system:node-bootstrapper                                          
  Group          | system:bootstrappers:kubeadm:default-node-token | watch  | *           | certificates.k8s.io | certificatesigningrequests            |                                                                 |                | ClusterRoles>>system:node-bootstrapper                                          
  ServiceAccount | default                                         | *      | *           |                     |                                       |                                                                 | *              | ClusterRoles>>cluster-admin                                                     
  ServiceAccount | default                                         | *      | *           | *                   | *                                     |                                                                 |                | ClusterRoles>>cluster-admin                                                     
  ServiceAccount | default                                         | create | olm         | core                | configmaps                            | 5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155 |                | Roles>>olm/5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155      
                 |                                                 |        |             |                     |                                       |                                                                 |                |                                                                                 
  ServiceAccount | default                                         | get    | olm         | core                | configmaps                            | 5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155 |                | Roles>>olm/5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155      
                 |                                                 |        |             |                     |                                       |                                                                 |                |                                                                                 
  ServiceAccount | default                                         | update | olm         | core                | configmaps                            | 5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155 |                | Roles>>olm/5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155      
                 |                                                 |        |             |                     |                                       |                                                                 |                |

There are two default service accounts in two different namespaces and the user interface does not display this information. This is confusing.

The implemented feature will display the SUBJECT in the following format: "namespace:serviceAccountName".

Here is an example for the same cluster:

rbac-tool policy-rules -e default
  TYPE           | SUBJECT                                         | VERBS  | NAMESPACE   | API GROUP           | KIND                                  | NAMES                                                           | NONRESOURCEURI | ORIGINATED FROM                                                                 
-----------------+-------------------------------------------------+--------+-------------+---------------------+---------------------------------------+-----------------------------------------------------------------+----------------+---------------------------------------------------------------------------------
  Group          | system:bootstrappers:kubeadm:default-node-token | create | *           | certificates.k8s.io | certificatesigningrequests            |                                                                 |                | ClusterRoles>>system:node-bootstrapper                                          
  Group          | system:bootstrappers:kubeadm:default-node-token | create | *           | certificates.k8s.io | certificatesigningrequests/nodeclient |                                                                 |                | ClusterRoles>>system:certificates.k8s.io:certificatesigningrequests:nodeclient  
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | *           | certificates.k8s.io | certificatesigningrequests            |                                                                 |                | ClusterRoles>>system:node-bootstrapper                                          
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | *           | core                | nodes                                 |                                                                 |                | ClusterRoles>>kubeadm:get-nodes                                                 
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | kube-system | core                | configmaps                            | kube-proxy                                                      |                | Roles>>kube-system/kube-proxy                                                   
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | kube-system | core                | configmaps                            | kubeadm-config                                                  |                | Roles>>kube-system/kubeadm:nodes-kubeadm-config                                 
                 |                                                 |        |             |                     |                                       |                                                                 |                |                                                                                 
  Group          | system:bootstrappers:kubeadm:default-node-token | get    | kube-system | core                | configmaps                            | kubelet-config                                                  |                | Roles>>kube-system/kubeadm:kubelet-config                                       
                 |                                                 |        |             |                     |                                       |                                                                 |                |                                                                                 
  Group          | system:bootstrappers:kubeadm:default-node-token | list   | *           | certificates.k8s.io | certificatesigningrequests            |                                                                 |                | ClusterRoles>>system:node-bootstrapper                                          
  Group          | system:bootstrappers:kubeadm:default-node-token | watch  | *           | certificates.k8s.io | certificatesigningrequests            |                                                                 |                | ClusterRoles>>system:node-bootstrapper                                          
  ServiceAccount | monitoring:default                              | *      | *           |                     |                                       |                                                                 | *              | ClusterRoles>>cluster-admin                                                     
  ServiceAccount | monitoring:default                              | *      | *           | *                   | *                                     |                                                                 |                | ClusterRoles>>cluster-admin                                                     
  ServiceAccount | olm:default                                     | create | olm         | core                | configmaps                            | 5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155 |                | Roles>>olm/5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155      
                 |                                                 |        |             |                     |                                       |                                                                 |                |                                                                                 
  ServiceAccount | olm:default                                     | get    | olm         | core                | configmaps                            | 5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155 |                | Roles>>olm/5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155      
                 |                                                 |        |             |                     |                                       |                                                                 |                |                                                                                 
  ServiceAccount | olm:default                                     | update | olm         | core                | configmaps                            | 5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155 |                | Roles>>olm/5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155      
                 |                                                 |        |             |                     |                                       |                                                                 |                |
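As an added illustration of the disambiguation the issue asks for (example code written for this page, not rbac-tool's own implementation), the script below walks a list of RoleBindings and ClusterRoleBindings in the JSON shape produced by `kubectl get clusterrolebindings,rolebindings -A -o json`, keeps subjects whose name matches a regex (the way `rbac-tool policy-rules -e <regex>` filters on subject names, which is why the `system:bootstrappers:kubeadm:default-node-token` group also shows up for `-e default`), renders ServiceAccount subjects as `namespace:name`, and reports any service account name that is bound in more than one namespace. The sample bindings, binding names and role names are constructed to mirror the two `default` service accounts visible in the output above and are not taken from a real cluster.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`
# (a v1 List). Binding names are invented; the roleRef names mirror the issue's output.
SAMPLE_BINDINGS_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "monitoring-default-admin"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
      "subjects": [
        {"kind": "ServiceAccount", "name": "default", "namespace": "monitoring"}
      ]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "kubeadm:node-bootstrapper"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "system:node-bootstrapper"},
      "subjects": [
        {"kind": "Group", "apiGroup": "rbac.authorization.k8s.io", "name": "system:bootstrappers:kubeadm:default-node-token"}
      ]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "RoleBinding",
      "metadata": {"name": "olm-configmap-rw", "namespace": "olm"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "5e5932a6bfa63515cdf4466e9d3d1442f14b290645ba0ee54de32b5c67d5155"},
      "subjects": [
        {"kind": "ServiceAccount", "name": "default", "namespace": "olm"}
      ]
    }
  ]
}
"""


def origin(binding):
    """Render the roleRef the way rbac-tool's ORIGINATED FROM column does:
    ClusterRoles>>name, or Roles>>namespace/name for a namespaced Role."""
    ref = binding["roleRef"]
    if ref["kind"] == "ClusterRole":
        return f"ClusterRoles>>{ref['name']}"
    return f"Roles>>{binding['metadata']['namespace']}/{ref['name']}"


def subject_label(subject):
    """Namespace-qualify ServiceAccount subjects as namespace:name.
    User and Group subjects are cluster-scoped and keep their bare name."""
    if subject["kind"] != "ServiceAccount":
        return subject["name"]
    # rbac/v1 validation requires a namespace on ServiceAccount subjects, so a missing
    # value means malformed input; mark it instead of guessing a namespace.
    ns = subject.get("namespace") or "<missing-namespace>"
    return f"{ns}:{subject['name']}"


def bound_subjects(bindings_json, name_regex=None):
    """Return sorted, de-duplicated (kind, subject, originated_from) tuples for every
    subject whose name matches name_regex (all subjects when None)."""
    rows = set()
    for binding in json.loads(bindings_json)["items"]:
        for subject in binding.get("subjects") or []:
            if name_regex is not None and not re.search(name_regex, subject["name"]):
                continue
            rows.add((subject["kind"], subject_label(subject), origin(binding)))
    return sorted(rows)


def ambiguous_service_accounts(rows):
    """Service account names bound in more than one namespace: exactly the rows a
    bare SUBJECT column would collapse into one indistinguishable entry."""
    namespaces_by_name = defaultdict(set)
    for kind, label, _ in rows:
        if kind == "ServiceAccount":
            ns, name = label.split(":", 1)
            namespaces_by_name[name].add(ns)
    return {n: sorted(ns) for n, ns in namespaces_by_name.items() if len(ns) > 1}


if __name__ == "__main__":
    rows = bound_subjects(SAMPLE_BINDINGS_JSON, "default")
    for kind, label, src in rows:
        print(f"{kind:15}| {label:50}| {src}")
    for name, namespaces in ambiguous_service_accounts(rows).items():
        print(f"ServiceAccount {name!r} is bound in several namespaces: {', '.join(namespaces)}")
```

The namespace matters for more than readability: the `default` service account is the one every pod in a namespace runs as unless `serviceAccountName` is set, so `monitoring:default` bound to `cluster-admin` means any pod scheduled into `monitoring` with a mounted token holds cluster-admin, while `olm:default` only gets read/write on one ConfigMap. A reviewer looking at an unqualified `default` row cannot tell which namespace needs the fix.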