For the lab Practice Test Cluster Roles Q7,
A new user michelle joined the team. She will be focusing on the nodes in the cluster. Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.
I would like to list out all users first by running:
kubectl config get-users
However, michelle is not shown. The output is like this:
controlplane ~ ➜ kubectl config get-users
NAME
default
Why is that and how to list all users in k8s correctly? Thanks!
Kubernetes doesn’t really have a concept of a user. It knows if it sees an authenticated user through a number of mechanisms, but it does not have a list of users anywhere. All you have in a kubeconfig file are whatever users that the owner of that file has access to, and they might be for several different clusters. The docs put it this way:
It is assumed that a cluster-independent service manages normal users in the following ways:
- an administrator distributing private keys
- a user store like Keystone or Google Accounts
- a file with a list of usernames and passwords
In this regard, Kubernetes does not have objects which represent normal user accounts. Normal users cannot be added to a cluster through an API call.
Hi Rob, thanks for your reply. One thing that is not so clear for me.
You mentioned that "Kubernetes doesn’t really have a concept of a user".
If k8s does not have a concept of a user, how could it bind a Role or ClusterRole to a user using a RoleBinding or ClusterRoleBinding?
The users have to be from somewhere, right?
They’re from “outside the system”. They might be a collection of certificates that an admin created. Or derived from an external user database. Kubernetes is modular, so some kind of external system will be set up to tell Kubernetes that someone is or is not a user. But there is no “user object” in the system. There are only plugins that present users to Kubernetes. So you can’t construct a query that will tell you how many users can use the system. Kubernetes doesn’t know. Nor really care.
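Since there is no user object to query, the closest audit is to list the user names that RBAC bindings refer to. The sketch below is an added example, not part of the thread or the lab: it parses JSON shaped like the output of `kubectl get clusterrolebindings,rolebindings -A -o json`, and the binding and role names in the constructed sample are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like the output of
# `kubectl get clusterrolebindings,rolebindings -A -o json`.
# Binding and role names are assumptions, not the lab's answer key.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "michelle-node-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "node-admin"},
   "subjects": [{"kind": "User", "name": "michelle"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "dev-binding", "namespace": "blue"},
   "roleRef": {"kind": "Role", "name": "developer"},
   "subjects": [{"kind": "User", "name": "dev-user"},
                {"kind": "ServiceAccount", "name": "ci", "namespace": "blue"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "orphaned"},
   "roleRef": {"kind": "ClusterRole", "name": "view"}}
]}
""")


def users_in_bindings(binding_list, subject_kind="User"):
    """Map each subject name of the given kind to the grants that mention it.

    The names are plain strings stored in the bindings; nothing here proves
    that an authenticator would ever present such a user to the API server.
    """
    grants = defaultdict(list)
    for item in binding_list.get("items", []):
        scope = item["metadata"].get("namespace", "<cluster-wide>")
        role = f'{item["roleRef"]["kind"]}/{item["roleRef"]["name"]}'
        # `subjects` is optional: a binding may exist with no subjects at all.
        for subject in item.get("subjects") or []:
            if subject.get("kind") == subject_kind:
                grants[subject["name"]].append((scope, role))
    return dict(grants)


if __name__ == "__main__":
    for name, bound in sorted(users_in_bindings(SAMPLE).items()):
        for scope, role in bound:
            print(f"{name}\t{scope}\t{role}")
```

A name shows up here only because some binding mentions it, so an authenticated user with no binding is absent and a name nobody can authenticate as may still be listed.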