# see all role binding objects in the "tool-majavah-test" namespace, which corresponds to the "majavah-test" tool
# note the "--as admin --as-group system:masters" syntax; maintain-kubeusers grants all maintainers of the "admin" tool
# a personal service account which can view most objects and can (like here) impersonate a cluster admin account
taavi@tools-sgebastion-10:~ $ kubectl --as admin --as-group system:masters get rolebinding --namespace tool-majavah-test
NAME                               ROLE                         AGE
default-majavah-test-psp-binding   Role/tool-majavah-test-psp   200d
# the next one is the most interesting, the rest are related to per-tool pod security policies which limit what kinds of containers can be run on the cluster:
majavah-test-tool-binding          ClusterRole/tools-user       200d
tfb-majavah-test-psp-binding       Role/tfb-majavah-test-psp    200d
tool-majavah-test-psp-binding      Role/tool-majavah-test-psp   200d

# this is the role object (which is defined as a ClusterRole so it is shared between namespaces, but is bound to specific namespaces) which is what's actually granted to the tool accounts
taavi@tools-sgebastion-10:~ $ kubectl --as admin --as-group system:masters describe clusterrole tools-user
Name:         tools-user
Labels:       app=maintain-kubeusers
Annotations:
PolicyRule:
  Resources                                 Non-Resource URLs  Resource Names  Verbs
  ---------                                 -----------------  --------------  -----
  configmaps                                []                 []              [get list watch create delete deletecollection patch update]
  endpoints                                 []                 []              [get list watch create delete deletecollection patch update]
  pods/attach                               []                 []              [get list watch create delete deletecollection patch update]
  pods/exec                                 []                 []              [get list watch create delete deletecollection patch update]
  pods/portforward                          []                 []              [get list watch create delete deletecollection patch update]
  pods/proxy                                []                 []              [get list watch create delete deletecollection patch update]
  pods                                      []                 []              [get list watch create delete deletecollection patch update]
  replicationcontrollers/scale              []                 []              [get list watch create delete deletecollection patch update]
  replicationcontrollers                    []                 []              [get list watch create delete deletecollection patch update]
  secrets                                   []                 []              [get list watch create delete deletecollection patch update]
  services/proxy                            []                 []              [get list watch create delete deletecollection patch update]
  services                                  []                 []              [get list watch create delete deletecollection patch update]
  deployments.apps/rollback                 []                 []              [get list watch create delete deletecollection patch update]
  deployments.apps/scale                    []                 []              [get list watch create delete deletecollection patch update]
  deployments.apps                          []                 []              [get list watch create delete deletecollection patch update]
  replicasets.apps/scale                    []                 []              [get list watch create delete deletecollection patch update]
  replicasets.apps                          []                 []              [get list watch create delete deletecollection patch update]
  statefulsets.apps/scale                   []                 []              [get list watch create delete deletecollection patch update]
  statefulsets.apps                         []                 []              [get list watch create delete deletecollection patch update]
  cronjobs.batch                            []                 []              [get list watch create delete deletecollection patch update]
  jobs.batch                                []                 []              [get list watch create delete deletecollection patch update]
  deployments.extensions/rollback           []                 []              [get list watch create delete deletecollection patch update]
  deployments.extensions/scale              []                 []              [get list watch create delete deletecollection patch update]
  deployments.extensions                    []                 []              [get list watch create delete deletecollection patch update]
  ingresses.extensions                      []                 []              [get list watch create delete deletecollection patch update]
  networkpolicies.extensions                []                 []              [get list watch create delete deletecollection patch update]
  replicasets.extensions/scale              []                 []              [get list watch create delete deletecollection patch update]
  replicasets.extensions                    []                 []              [get list watch create delete deletecollection patch update]
  replicationcontrollers.extensions/scale   []                 []              [get list watch create delete deletecollection patch update]
  ingresses.networking.k8s.io               []                 []              [get list watch create delete deletecollection patch update]
  networkpolicies.networking.k8s.io         []                 []              [get list watch create delete deletecollection patch update]
  bindings                                  []                 []              [get list watch]
  events                                    []                 []              [get list watch]
  limitranges                               []                 []              [get list watch]
  namespaces/status                         []                 []              [get list watch]
  namespaces                                []                 []              [get list watch]
  persistentvolumeclaims                    []                 []              [get list watch]
  pods/log                                  []                 []              [get list watch]
  pods/status                               []                 []              [get list watch]
  replicationcontrollers/status             []                 []              [get list watch]
  resourcequotas/status                     []                 []              [get list watch]
  resourcequotas                            []                 []              [get list watch]
  controllerrevisions.apps                  []                 []              [get list watch]
  daemonsets.apps                           []                 []              [get list watch]
  horizontalpodautoscalers.autoscaling      []                 []              [get list watch]
  daemonsets.extensions                     []                 []              [get list watch]
  pods.metrics.k8s.io                       []                 []              [get list watch]
  poddisruptionbudgets.policy               []                 []              [get list watch]
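When reviewing a role like tools-user, the question a defender asks is not "what is the full list" but "which of these rules can change state, and which ones touch credentials or running containers". The script below is an added example, not part of the transcript above and not Toolforge or maintain-kubeusers code: it parses the PolicyRule table in the format `kubectl describe clusterrole` prints (resource rules only, one row per rule, the three bracketed columns as shown above) and splits the grants into writable resources, read-only resources, and a short list of rules a reviewer should look at first. `SAMPLE_DESCRIBE` is a constructed, shortened copy of the page's output, and the "findings" rules (secret reads, exec/attach/port-forward, service proxying) are this example's own choice of what to highlight.

```python
"""Summarise what a Kubernetes (Cluster)Role grants from `kubectl describe clusterrole` output.

Added example, not the original transcript's code and not maintain-kubeusers code.
Only the resource-rule rows of the PolicyRule table are parsed (the layout shown on the page).
"""
import re
from typing import Dict, List, Set

# Constructed sample: a trimmed copy of the tools-user describe output, same column layout.
SAMPLE_DESCRIBE = """\
Name:         tools-user
Labels:       app=maintain-kubeusers
PolicyRule:
  Resources          Non-Resource URLs  Resource Names  Verbs
  ---------          -----------------  --------------  -----
  configmaps         []                 []              [get list watch create delete deletecollection patch update]
  pods/exec          []                 []              [get list watch create delete deletecollection patch update]
  pods               []                 []              [get list watch create delete deletecollection patch update]
  secrets            []                 []              [get list watch create delete deletecollection patch update]
  services/proxy     []                 []              [get list watch create delete deletecollection patch update]
  deployments.apps   []                 []              [get list watch create delete deletecollection patch update]
  events             []                 []              [get list watch]
  pods/log           []                 []              [get list watch]
  resourcequotas     []                 []              [get list watch]
"""

WRITE_VERBS: Set[str] = {"create", "delete", "deletecollection", "patch", "update"}
READ_VERBS: Set[str] = {"get", "list", "watch"}

# One PolicyRule row: resource, [non-resource URLs], [resource names], [verbs].
# Header and underline rows contain no brackets, so they never match.
_ROW = re.compile(r"^\s*(\S+)\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s*$")


def parse_policy_rules(text: str) -> Dict[str, Set[str]]:
    """Return {resource: set(verbs)} for the resource rules below the PolicyRule: line."""
    rules: Dict[str, Set[str]] = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("PolicyRule:"):
            in_table = True
            continue
        if not in_table:
            continue
        m = _ROW.match(line)
        if not m:
            continue
        resource, verbs = m.group(1), set(m.group(4).split())
        # The same resource may appear in several rules; the effective grant is the union.
        rules.setdefault(resource, set()).update(verbs)
    return rules


def _can(verbs: Set[str], wanted: Set[str]) -> bool:
    """True if the rule grants any of `wanted`; a bare '*' verb grants everything."""
    return "*" in verbs or bool(verbs & wanted)


def summarise(rules: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Split resources into writable vs read-only and list the rules worth a reviewer's attention."""
    writable = sorted(r for r, v in rules.items() if _can(v, WRITE_VERBS))
    read_only = sorted(r for r, v in rules.items() if not _can(v, WRITE_VERBS))
    findings: List[str] = []
    # Reading secrets exposes every credential stored in the namespaces the role is bound to.
    if "secrets" in rules and _can(rules["secrets"], READ_VERBS):
        findings.append("secrets: readable")
    # kubectl exec/attach/port-forward are 'create' on these subresources.
    for sub in ("pods/exec", "pods/attach", "pods/portforward"):
        if sub in rules and _can(rules[sub], {"create"}):
            findings.append(f"{sub}: create allowed (interactive access to running containers)")
    # services/proxy lets the API server relay requests to in-cluster services.
    if "services/proxy" in rules and _can(rules["services/proxy"], READ_VERBS | {"create"}):
        findings.append("services/proxy: proxying to in-cluster services allowed")
    return {"writable": writable, "read_only": read_only, "findings": findings}


if __name__ == "__main__":
    report = summarise(parse_policy_rules(SAMPLE_DESCRIBE))
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

To use it on a live cluster, pipe the real output in (`kubectl describe clusterrole tools-user | python3 rbac_summary.py`, reading `sys.stdin` instead of `SAMPLE_DESCRIBE`); the parse step is deliberately kept separate from the review rules so the "findings" list can be extended to whatever your own environment treats as sensitive.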