Categories
quick q&a

Get user’s permissions using kubectl

Kubernetes supports RBAC authorization out of the box. In short, every Kubernetes user or service account has permissions to perform certain actions (HTTP verbs) on certain API server resources, e.g. pods. To get the current user's permissions using kubectl, run kubectl auth can-i --list:

Resources                                       Non-Resource URLs                     Resource Names              Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []                          [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []                          [create]
persistentvolumeclaims                          []                                    []                          [get list watch create delete deletecollection patch update]
pods/exec                                       []                                    []                          [get list watch create delete deletecollection patch update]
pods                                            []                                    []                          [get list watch create delete deletecollection patch update]
events                                          []                                    []                          [get list watch]
pods/log                                        []                                    []                          [get list watch]
configmaps                                      []                                    []                          [get watch list]
                                                [/.well-known/openid-configuration]   []                          [get]
                                                [/api/*]                              []                          [get]
                                                [/api]                                []                          [get]
                                                [/apis/*]                             []                          [get]
                                                [/apis]                               []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/livez]                              []                          [get]
                                                [/livez]                              []                          [get]
                                                [/openapi/*]                          []                          [get]
                                                [/openapi]                            []                          [get]
                                                [/openid/v1/jwks]                     []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version]                            []                          [get]
                                                [/version]                            []                          [get]
podsecuritypolicies.policy                      []                                    [global-unrestricted-psp]   [use]

To view another user's permissions, add the --as=[user-name] flag. For instance: kubectl auth can-i --list --as=jenkins.

To see a real-world example, you can follow my tutorial on installing the Jenkins helm chart and then inspect the permissions of the Jenkins service account. Such permissions include creating pods on demand for Jenkins jobs. Have a look at this chart's template to get a taste of how RBAC is configured.

If you are after more granular information on roles or cluster roles per service account, have a look at this great answer on Stack Overflow. It suggests using rbac-tool.

Also note that Kubernetes distinguishes between user and service accounts.
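Added example, not from the original post: a small POSIX shell script that parses the table format kubectl auth can-i --list prints (a few constructed rows are embedded) and flags write-capable verbs on the resources an RBAC audit looks at first, so the same function can be run over the output collected for each service account. The sample rows, the function name and the resource and verb lists are my own assumptions.

```shell
#!/bin/sh
# Constructed sample in the format of `kubectl auth can-i --list`.
# Real output for a service account would come from, e.g.:
#   kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<name>
# (the caller needs RBAC permission for the "impersonate" verb to use --as).
SAMPLE='Resources                     Non-Resource URLs   Resource Names              Verbs
pods/exec                     []                  []                          [get list watch create delete deletecollection patch update]
pods                          []                  []                          [get list watch create delete deletecollection patch update]
events                        []                  []                          [get list watch]
configmaps                    []                  []                          [get watch list]
                              [/healthz]          []                          [get]
podsecuritypolicies.policy    []                  [global-unrestricted-psp]   [use]'

# flag_risky_perms TEXT
# Prints "resource verb" for every write-capable verb granted on a resource
# worth reviewing first (assumed lists below); prints nothing otherwise.
flag_risky_perms() {
  printf '%s\n' "$1" | awk '
    NR == 1 || NF == 0 { next }          # header and blank lines
    /^[ \t]/ { next }                    # Non-Resource URL rows: Resources column is empty
    {
      resource = $1
      sub(/[ \t]+$/, "")
      if (!match($0, /\[[^]]*\]$/)) next # Verbs is the last bracketed group on the line
      verbs = substr($0, RSTART + 1, RLENGTH - 2)
      n = split(verbs, v, " ")
      for (i = 1; i <= n; i++)
        if (sensitive(resource) && writes(v[i])) print resource, v[i]
    }
    # Assumed audit shortlist: wildcard, pod creation/exec, secrets,
    # service accounts and the RBAC objects themselves.
    function sensitive(r) {
      return r == "*" || r == "pods" || r == "pods/exec" || r == "secrets" ||
             r ~ /^serviceaccounts/ ||
             r ~ /^(roles|rolebindings|clusterroles|clusterrolebindings)/
    }
    function writes(verb) {
      return verb == "*" || verb == "create" || verb == "update" ||
             verb == "patch" || verb == "delete" || verb == "deletecollection" ||
             verb == "bind" || verb == "escalate" || verb == "impersonate"
    }'
}

flag_risky_perms "$SAMPLE"
```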

Summary

That’s it about getting user’s permissions using kubectl.

If you found this article useful, take a look at the disclaimer for information on how to thank me.

You may also find the articles below useful:

Categories
Automation DevOps

Kafka Producer and Consumer in Python

Today, I’ll demo Kafka producer and consumer written in Python. We’ll see a fully working demo of producer and consumer running against Kafka in a docker-compose stack.


Categories
Automation CI/CD DevOps

Auto Tag Releases with Semantic Versions

If you have developed modern CI/CD pipelines, you have probably stumbled on the need to auto tag releases with semantic versions. Today I'll show how to do that automatically and which tools can help achieve automatic tagging of releases with semantic versions.


Categories
Monitoring Orchestration

Monitor Spring Boot Apps using Prometheus on Kubernetes

Let's discover how to monitor Spring Boot apps using Prometheus on Kubernetes clusters. Prometheus and the app will be deployed to different Kubernetes namespaces, so we'll also see how an ExternalName Kubernetes service enables Prometheus to get metrics of a Spring Boot Java app deployed to a different namespace.


Categories
Automation CI/CD DevOps

How to Create Kubernetes cluster on Linode using CLI

Today, I'll show how to create a Kubernetes cluster on Linode using the CLI. It might be useful, for instance, for CI/CD, automation processes, etc.


Categories
Automation DevOps Orchestration

Create Kubernetes Operator using Ansible

Today, I'll show how to create and use a Kubernetes operator using Ansible. I'll also explain why to use Kubernetes operators and their relation to Kubernetes CRDs. As always, I'll show a demo.

Categories
Automation CI/CD DevOps

GitLab Self-Hosted Runners Demo

In this post we'll see how and why to use GitLab self-hosted runners. As always, I'll show a practical demo of a GitLab self-hosted runner which runs jobs in CI/CD pipelines.

Categories
Automation CI/CD DevOps

Podman Jenkins Agent

Today, I'll show a Podman Jenkins agent, assuming Jenkins runs on Kubernetes. We'll see the Podman agent's Dockerfile and a CI/CD pipeline using it.


Categories
Automation DevOps

Migration from Jenkins to GitLab

Have you considered migrating from Jenkins to GitLab? While working on CI/CD pipelines in Jenkins, you probably didn't like coding them in Groovy. You wondered whether a simpler CI/CD platform exists where you only have to worry about which commands to run in the pipelines. We'll review the important things to consider while planning a migration from Jenkins to GitLab.

Categories
DevOps quick q&a

Live reload Node.js app inside Docker container during development

You have probably found yourself in a situation where building a new Docker image of a Node.js web app (e.g. Express) for every change takes a long time. All you want is to test your changes quickly on a live system…

To achieve that, use Docker volumes or bind mounts to map the source code in your workspace to the source folder inside the Node.js web app container. You can verify that the changes reach the container by inspecting the source code inside the container after you make a change on the Docker host.

For the node process inside the container to pick up the changes, it needs to restart. Use nodemon for that.

I wrote about it here as well.

When I did all of the above, I didn't know automation for this exists. Use tilt!
