Tag: kubectl

Get user’s permissions using kubectl

Post author By rok
Post date March 31, 2023

Kubernetes supports RBAC authorization out of the box. In short, every Kubernetes user or a service account have permissions to perform certain actions (HTTP verbs) on certain API server resources e.g. pods. To get user’s permissions using kubectl run kubectl auth can-i --list:

Resources                                       Non-Resource URLs                     Resource Names              Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                                    []                          [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []                          [create]
persistentvolumeclaims                          []                                    []                          [get list watch create delete deletecollection patch update]
pods/exec                                       []                                    []                          [get list watch create delete deletecollection patch update]
pods                                            []                                    []                          [get list watch create delete deletecollection patch update]
events                                          []                                    []                          [get list watch]
pods/log                                        []                                    []                          [get list watch]
configmaps                                      []                                    []                          [get watch list]
                                                [/.well-known/openid-configuration]   []                          [get]
                                                [/api/*]                              []                          [get]
                                                [/api]                                []                          [get]
                                                [/apis/*]                             []                          [get]
                                                [/apis]                               []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/healthz]                            []                          [get]
                                                [/livez]                              []                          [get]
                                                [/livez]                              []                          [get]
                                                [/openapi/*]                          []                          [get]
                                                [/openapi]                            []                          [get]
                                                [/openid/v1/jwks]                     []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/readyz]                             []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version/]                           []                          [get]
                                                [/version]                            []                          [get]
                                                [/version]                            []                          [get]
podsecuritypolicies.policy                      []                                    [global-unrestricted-psp]   [use]

To view another user’s permissions add --as=[user-name] flag. For instance: kubectl auth can-i --list --as=jenkins.

To see a real world example, you can follow my tutorial on installing Jenkins helm chart and then see the permissions of Jenkins service account. Such permissions include creating pods on demand for Jenkins jobs. Have a look at this chart’s template to get a taste of how RBAC is configured.

If you are after more granular information on roles or cluster roles per service account, have a look at this great answer on stack overflow. It suggests using rbac-tool.

Also note that Kubernetes distinguishes between user and service accounts.

Summary

That’s it about getting user’s permissions using kubectl.

If you found this article useful, take a look at the disclaimer for information on how to thank me.

You can find below articles useful:

Tags kubectl, kubernetes

Automation CI/CD DevOps

How to Create Kubernetes cluster on Linode using CLI

Post author By rok
Post date January 14, 2023

Today, I’ll show how to create Kubernetes cluster on Linode using CLI. It might be useful, for instance, for CI/CD, automation processes, etc…

If you later find this article useful take a look at the disclaimer for information on how to thank me.

Tags kubectl, kubernetes, linode

Best Practices DevOps Orchestration

Dynamic Provisioning of Kubernetes Storage

Post author By rok
Post date October 17, 2022

If you are a professional Kubernetes storage administrator you probably performed dynamic provisioning of Kubernetes storage and avoided creating the volumes manually. We’ll see the motivation for dynamic storage provisioning and how using storage classes serves this purpose.

If you later find this article useful take a look at the disclaimer for information on how to thank me.

Tags helm, jenkins, kubectl, kubernetes, minikube

Best Practices DevOps

Kubernetes Labels Demo

Post author By rok
Post date January 30, 2022

You’ve most likely stumbled on Kubernetes labels while writing deployment manifests. What are they for and how to use them? As always we’ll see a practical demo to answer these questions. Keep reading to find out more.

Tags kubectl, kubernetes, minikube

DevOps Orchestration

Kubernetes Namespaces Explained

Post author By rok
Post date January 16, 2022

You have probably heard of Kubernetes namespaces. But what are they for? What purpose do they serve? How to use them correctly? Keep reading to find out.

Tags kubectl, kubernetes, minikube

Best Practices DevOps Orchestration

Kubernetes ConfigMaps Demo

Post author By rok
Post date January 6, 2022

Kubernetes ConfigMaps provide Kubernetes Pods with configuration information. How to create and use ConfigMaps? What are Kubernetes ConfigMaps concepts? Keep reading to find out.

Tags jenkins, kubectl, kubernetes, minikube

Automation CI/CD DevOps Orchestration

Kubernetes Volumes Introduction

Post author By rok
Post date December 24, 2021

volumes

What are Kubernetes volumes, their types and concepts behind them? We’ll cover all of that below. In addition, we’ll see practical demo of using Kubernetes volumes.

Tags docker, jenkins, kubectl, kubernetes, minikube

DevOps Orchestration

Kubernetes Services Demo

Post author By rok
Post date December 11, 2021

Kubernetes Services demo

Kubernetes services expose apps running as a set of Kubernetes pods using a single DNS name. In addition, Kubernetes services provide load balancing between the pods. Of course, I’ll demo how to manage services using kubectl. Keep reading to find out more.

Tags kubectl, kubernetes, minikube

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	Used by PHP to to provide functions across pages.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wordpres_test_cookie		Test if cookie can be set. WordPress also sets wordpress_test_cookie cookie to check if the cookies are enabled on the browser to provide appropriate user experience to the users. This cookie is used on the front-end, even if you are not logged in.
wp_lang	session	Used by WordPress to store language settings.

Cookie	Duration	Description
_ga	2 years	Used to distinguish users by Google Analytics
_ga_*	1 year	Used by Google Analytics to store and count page views.