Gennway:
try --as=system:serviceaccount:default:cka-testing if I'm correct
Basavraj Nilkanthe:
kubectl get pods --as=system:serviceaccount:default:cka-testing
NAME READY STATUS RESTARTS AGE
red-c898cbdc6-q7jhw 1/1 Running 0 56m
red-c898cbdc6-qbzb7 1/1 Running 0 56m
Basavraj Nilkanthe:
now, I can list pods
Basavraj Nilkanthe:
but I still can't list nodes
Gennway:
check this:
Basavraj Nilkanthe:
kubectl get nodes --as=system:serviceaccount:default:cka-testing
Error from server (Forbidden): nodes is forbidden: User "system:serviceaccount:default:cka-testing" cannot list resource "nodes" in API group "" at the cluster scope
Basavraj Nilkanthe:
Also, where can I find --as=system:serviceaccount:default:sa-name?
Gennway:
my mistake
Gennway:
I thought you're using kubectl auth
Gennway:
check this
Gennway:
kubectl auth can-i list nodes --as=system:serviceaccount:default:cka-testing
Gennway:
that's the way I always check if a specific service account has the right permissions
Gennway:
whenever I play with RBAC
Basavraj Nilkanthe:
okay
Gennway:
I'm not sure if you can list resources as a specific SA, but you definitely can check if the specific SA has the right permissions set
Basavraj Nilkanthe:
Also, I'm a bit confused: an SA is a namespace-scoped resource, and how will it bind to a clusterrole to get permissions from other namespaces… Do you know how this works?
Basavraj Nilkanthe:
I can understand users/groups, they are not either namespace or clusterrole scoped resources
Gennway:
I think there is a good explanation