2 min read
Sometimes it might be difficult to tell how a subject (User, ServiceAccount, ...) is able to perform a certain task: which Role or ClusterRole is granting the permission?
For this we can use the searchrule plugin.
25/07/2023
2 min read
In Kubernetes, access control is managed using Role-Based Access Control (RBAC), which allows administrators to define roles with specific permissions to access Kubernetes resources. Most of the time we'll grant permissions for any resources of a specific kind and apiGroup as follows:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: simple-rbac
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
If we want to grant access to just some of the resources, we'll have to add a list of resourceNames. This field allows administrators to grant permissions to specific resources within a namespace, rather than all resources of a particular type.
11/04/2023
3 min read
To audit the access permissions of users in a Kubernetes cluster, we might be interested in searching for Roles or ClusterRoles that grant access to a certain object:
27/02/2023
2 min read
Having a Role or ClusterRole giving permissions to different apiGroups for different reasons makes it difficult to track and, later on, to maintain. Splitting the permissions into logical groups allows us to give predefined groups of permissions to the actual Role.
13/12/2022
2 min read
When configuring RBAC permissions we might want to make sure we are configuring them correctly by checking what a user (or ServiceAccount) can do. We can use kubectl auth can-i for this.
29/11/2022