Page MenuHomePhabricator
Paste P17457

(An Untitled Masterwork)
ActivePublic

Authored by taavi on Oct 12 2021, 9:43 AM.
Tags
None
Referenced Files
F34685943: raw-paste-data.txt
Oct 12 2021, 9:43 AM
Subscribers
None
# see all role binding objects in the "tool-majavah-test" namespace, which corresponds to the "majavah-test" tool
# note the "--as admin --as-group system:masters" syntax; maintain-kubeusers grants all maintainers of the "admin" tool
# a personal service account which can view most objects and can (like here) impersonate a cluster admin account
taavi@tools-sgebastion-10:~ $ kubectl --as admin --as-group system:masters get rolebinding --namespace tool-majavah-test
NAME ROLE AGE
default-majavah-test-psp-binding Role/tool-majavah-test-psp 200d
# the next one is the most interesting, the rest are related to per-tool pod security policies which limit what kinds of containers can be ran on the cluster:
majavah-test-tool-binding ClusterRole/tools-user 200d
tfb-majavah-test-psp-binding Role/tfb-majavah-test-psp 200d
tool-majavah-test-psp-binding Role/tool-majavah-test-psp 200d
# this is the role object (which is defined as a ClusterRole so it is shared between namespaces, but is bound to specific namespaces) which is what's actually granted to the tool accounts
taavi@tools-sgebastion-10:~ $ kubectl --as admin --as-group system:masters describe clusterrole tools-user
Name: tools-user
Labels: app=maintain-kubeusers
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
configmaps [] [] [get list watch create delete deletecollection patch update]
endpoints [] [] [get list watch create delete deletecollection patch update]
pods/attach [] [] [get list watch create delete deletecollection patch update]
pods/exec [] [] [get list watch create delete deletecollection patch update]
pods/portforward [] [] [get list watch create delete deletecollection patch update]
pods/proxy [] [] [get list watch create delete deletecollection patch update]
pods [] [] [get list watch create delete deletecollection patch update]
replicationcontrollers/scale [] [] [get list watch create delete deletecollection patch update]
replicationcontrollers [] [] [get list watch create delete deletecollection patch update]
secrets [] [] [get list watch create delete deletecollection patch update]
services/proxy [] [] [get list watch create delete deletecollection patch update]
services [] [] [get list watch create delete deletecollection patch update]
deployments.apps/rollback [] [] [get list watch create delete deletecollection patch update]
deployments.apps/scale [] [] [get list watch create delete deletecollection patch update]
deployments.apps [] [] [get list watch create delete deletecollection patch update]
replicasets.apps/scale [] [] [get list watch create delete deletecollection patch update]
replicasets.apps [] [] [get list watch create delete deletecollection patch update]
statefulsets.apps/scale [] [] [get list watch create delete deletecollection patch update]
statefulsets.apps [] [] [get list watch create delete deletecollection patch update]
cronjobs.batch [] [] [get list watch create delete deletecollection patch update]
jobs.batch [] [] [get list watch create delete deletecollection patch update]
deployments.extensions/rollback [] [] [get list watch create delete deletecollection patch update]
deployments.extensions/scale [] [] [get list watch create delete deletecollection patch update]
deployments.extensions [] [] [get list watch create delete deletecollection patch update]
ingresses.extensions [] [] [get list watch create delete deletecollection patch update]
networkpolicies.extensions [] [] [get list watch create delete deletecollection patch update]
replicasets.extensions/scale [] [] [get list watch create delete deletecollection patch update]
replicasets.extensions [] [] [get list watch create delete deletecollection patch update]
replicationcontrollers.extensions/scale [] [] [get list watch create delete deletecollection patch update]
ingresses.networking.k8s.io [] [] [get list watch create delete deletecollection patch update]
networkpolicies.networking.k8s.io [] [] [get list watch create delete deletecollection patch update]
bindings [] [] [get list watch]
events [] [] [get list watch]
limitranges [] [] [get list watch]
namespaces/status [] [] [get list watch]
namespaces [] [] [get list watch]
persistentvolumeclaims [] [] [get list watch]
pods/log [] [] [get list watch]
pods/status [] [] [get list watch]
replicationcontrollers/status [] [] [get list watch]
resourcequotas/status [] [] [get list watch]
resourcequotas [] [] [get list watch]
controllerrevisions.apps [] [] [get list watch]
daemonsets.apps [] [] [get list watch]
horizontalpodautoscalers.autoscaling [] [] [get list watch]
daemonsets.extensions [] [] [get list watch]
pods.metrics.k8s.io [] [] [get list watch]
poddisruptionbudgets.policy [] [] [get list watch]