
How can I figure out what role is missing in a service account?

Like I have the following:

kubectl auth can-i create taskrun --all-namespaces --as=system:serviceaccount:default:default

no

Ok, but where to go from here :-)

Chris G.
  • The verb and resources are [mostly straightforward](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources), but I don't believe there is any built-in "create an RBAC Role for me" tooling in kubernetes; what have you already tried and what is giving you trouble? – mdaniel Oct 14 '21 at 15:57
  • It is just that I need to figure out, what kind of role I need to bind to a service account. – Chris G. Oct 14 '21 at 16:16
  • Right, but my point is that no (built in) process will magically know what the `ServiceAccount` is _trying_ to interact with. Does it need `Secret` access? _Write_ access to `Secret`s? _Delete_? if you don't care and just want it to work, then bind `cluster-admin` to that `ServiceAccount` and it'll for sure work. If you do care, then enumerating the verbs and resources required is the only way – mdaniel Oct 14 '21 at 20:20
  • Cool, thanks for the info. I will look at the resource and add verbs according to what I want to do to a role and bind it to the SA to be used. – Chris G. Oct 14 '21 at 20:24

1 Answer


Posting the answer as community wiki, feel free to edit and expand.


As @mdaniel has already mentioned, there are no built-in tools in Kubernetes which will figure out the required access for a service account for you and then create a Role and RoleBinding.

As a temporary solution the cluster-admin ClusterRole can be used; however, best practice is to provide only the minimum possible and required access rights.


Below are links to documentation which will be helpful:

  • API request verb - API verbs like get, list, create, update, patch, watch, delete, and deletecollection are used for resource requests

moonkotte