Kubernetes: Get ServiceAccount Permissions/Roles

A Service Account in Kubernetes is a non-human account that provides an identity for the processes that run in a Pod. It is not privileged by itself: what it is allowed to do is determined entirely by the Roles and ClusterRoles bound to it.

When you create a Pod and do not specify a Service Account, it is automatically assigned the default Service Account of the same Namespace, and a token for that account is mounted into the containers unless automountServiceAccountToken is set to false on the Pod or on the Service Account.

This note shows how to list the Service Accounts in a Kubernetes cluster and how to get the Roles and permissions associated with a Service Account.


Service Accounts are not User Accounts: user accounts are used by humans, e.g. administrators or developers, to access a Kubernetes cluster for development or maintenance work, while Service Accounts are used by in-cluster entities, such as Pods, to authenticate to the Kubernetes API server or to external services. A Service Account authenticates as the user system:serviceaccount:<nameSpaceName>:<ServiceAccountName> and is a member of the groups system:serviceaccounts, system:serviceaccounts:<nameSpaceName> and system:authenticated, which matters when you look for the bindings that apply to it.

Run one of these commands to list the Service Accounts in a K8s cluster:

$ kubectl get serviceaccounts # In the current Namespace
$ kubectl get serviceaccounts --namespace=<nameSpaceName> # In a specific Namespace
$ kubectl get serviceaccounts --all-namespaces # In all Namespaces (-A is the short form)

As with any other Kubernetes resource, you can get more details about a Service Account (its mountable secrets, tokens and events) as follows:

$ kubectl describe sa <ServiceAccountName> -n <nameSpaceName>

Get ServiceAccount Roles & Permissions

Kubernetes supports several authorization modes, selected with the --authorization-mode flag of the kube-apiserver.

Let’s assume that your cluster uses Role-Based Access Control (RBAC) to grant access to Kubernetes API resources. If kubectl api-versions lists rbac.authorization.k8s.io/v1, the RBAC API is served, which is a strong hint that RBAC is enabled; the definitive check is the kube-apiserver flag itself.

In RBAC mode, Roles and ClusterRoles define sets of permissions (verbs on resources) within a Namespace or cluster-wide, respectively. They grant nothing on their own: a RoleBinding or ClusterRoleBinding attaches a Role or ClusterRole to subjects, i.e. users, groups or Service Accounts. Note that a RoleBinding may reference a ClusterRole, in which case the ClusterRole’s permissions apply only inside the binding’s Namespace.

You can list all RoleBindings and ClusterRoleBindings together with their subjects (including Service Accounts) and the Role or ClusterRole they reference by running the following command:

$ kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide

To get a prettier output you can execute the following one-liner (the jsonpath expression must stay on a single line, since a line break inside the quoted expression would be copied into the output):

$ kubectl get rolebinding,clusterrolebinding --all-namespaces \
    -o jsonpath='{range .items[?(@.subjects[0].name=="<ServiceAccountName>")]}[{.roleRef.kind},{.roleRef.name}]{end}'; echo
- sample output -
[Role,<roleName>][ClusterRole,<clusterRoleName>]

Caveat: kubectl’s jsonpath filter can only compare a single element, so this expression inspects the first subject of each binding and compares its name only, not its kind or Namespace. A binding that lists the Service Account as its second subject, a same-named Service Account in another Namespace, or a Group binding such as system:serviceaccounts will be missed or misreported.

Alternatively you can generate a compact mapping table and filter it for the name of your Service Account as follows (awk is used instead of { head -1; grep ...; } because head reading from a pipe may consume more than the first line, leaving nothing for grep):

$ kubectl get rolebinding,clusterrolebinding --all-namespaces \
    -o custom-columns='KIND:kind,NAMESPACE:metadata.namespace,NAME:metadata.name,ROLE_KIND:roleRef.kind,ROLE:roleRef.name,SERVICE_ACCOUNTS:subjects[?(@.kind=="ServiceAccount")].name' \
    | awk 'NR==1 || /<ServiceAccountName>/'
- sample output -
KIND                NAMESPACE  NAME                      ROLE_KIND    ROLE               SERVICE_ACCOUNTS
RoleBinding         default    <roleBindingName>         Role         <roleName>         <serviceAccountName>
ClusterRoleBinding  <none>     <clusterRoleBindingName>  ClusterRole  <clusterRoleName>  <serviceAccountName>

The NAME column is the name of the binding, not of the role; the NAMESPACE column is the binding’s Namespace, which for a RoleBinding is also the scope in which the referenced role applies. The SERVICE_ACCOUNTS column does not show the subjects’ Namespaces, so a same-named Service Account from another Namespace also matches the filter, and bindings to Groups (system:serviceaccounts, system:serviceaccounts:<nameSpaceName>) are not shown at all.
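Both one-liners above inspect only the literal Service Account subjects, and the jsonpath version only the first subject. The following added example (written for this note, not part of the original page or of kubectl) takes the JSON that kubectl get rolebinding,clusterrolebinding --all-namespaces -o json prints and resolves the bindings that apply to a Service Account the way the RBAC authorizer does: every subject is checked, ServiceAccount subjects are matched on name and Namespace (with the binding’s Namespace as the default when a RoleBinding omits it), and User and Group subjects are matched against the username and groups a Service Account token carries. The binding and role names in SAMPLE are constructed for illustration.

```python
"""Resolve which RBAC bindings apply to a ServiceAccount.

Input: the JSON printed by
  kubectl get rolebinding,clusterrolebinding --all-namespaces -o json
(a v1 List whose items are RoleBinding / ClusterRoleBinding objects).
"""
import json
import sys


def sa_identity(namespace: str, name: str):
    """Username and groups the API server assigns to a ServiceAccount token."""
    user = f"system:serviceaccount:{namespace}:{name}"
    groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}", "system:authenticated"}
    return user, groups


def subject_matches(subject: dict, binding_ns, sa_ns: str, sa_name: str) -> bool:
    """True if this binding subject selects the given ServiceAccount."""
    kind, name = subject.get("kind"), subject.get("name", "")
    user, groups = sa_identity(sa_ns, sa_name)
    if kind == "ServiceAccount":
        # A RoleBinding may omit the subject namespace; RBAC then uses the binding's own namespace.
        subj_ns = subject.get("namespace") or binding_ns
        return subj_ns == sa_ns and name == sa_name
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    return False


def bindings_for_sa(bindings_list: dict, sa_ns: str, sa_name: str) -> list:
    """One record per binding that grants something to the ServiceAccount."""
    hits = []
    for item in bindings_list.get("items", []):
        meta = item.get("metadata", {})
        binding_ns = meta.get("namespace")          # None for a ClusterRoleBinding
        for subject in item.get("subjects") or []:  # subjects may be absent entirely
            if subject_matches(subject, binding_ns, sa_ns, sa_name):
                ref = item["roleRef"]
                hits.append({
                    "binding": f'{item["kind"]}/{meta.get("name")}',
                    # A RoleBinding confines even a ClusterRole to its own namespace;
                    # only a ClusterRoleBinding grants cluster-wide.
                    "scope": binding_ns or "cluster-wide",
                    "role": f'{ref["kind"]}/{ref["name"]}',
                    "via": f'{subject.get("kind")}/{subject.get("name")}',
                })
                break  # one matching subject per binding is enough
    return hits


# Constructed sample shaped like the `-o json` output; all names are made up.
SAMPLE = {
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"kind": "RoleBinding", "metadata": {"name": "pod-exec-binding", "namespace": "default"},
         "subjects": [{"kind": "User", "name": "alice"},                       # SA is 2nd subject
                      {"kind": "ServiceAccount", "name": "deployer", "namespace": "default"}],
         "roleRef": {"kind": "Role", "name": "pod-exec"}},
        {"kind": "RoleBinding", "metadata": {"name": "view-all-sas", "namespace": "monitoring"},
         "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}],   # every SA matches
         "roleRef": {"kind": "ClusterRole", "name": "view"}},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "deployer-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "default"}],
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
        {"kind": "RoleBinding", "metadata": {"name": "kube-system-reader", "namespace": "kube-system"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "kube-system"}],
         "roleRef": {"kind": "Role", "name": "reader"}},                       # same name, other ns
        {"kind": "RoleBinding", "metadata": {"name": "local-sa", "namespace": "default"},
         "subjects": [{"kind": "ServiceAccount", "name": "deployer"}],         # namespace omitted
         "roleRef": {"kind": "Role", "name": "configmap-reader"}},
    ],
}


if __name__ == "__main__":
    # Usage: python3 sa_bindings.py <namespace> <serviceaccount> [bindings.json]
    # Without a file argument the constructed SAMPLE above is used.
    ns, sa = (sys.argv[1], sys.argv[2]) if len(sys.argv) >= 3 else ("default", "deployer")
    data = json.load(open(sys.argv[3])) if len(sys.argv) > 3 else SAMPLE
    for h in bindings_for_sa(data, ns, sa):
        print(f'{h["binding"]:36} scope={h["scope"]:12} {h["role"]:26} via {h["via"]}')
```

Run against SAMPLE for default/deployer, the script reports four bindings, two of which (pod-exec-binding, where the Service Account is the second subject, and view-all-sas, granted through the system:serviceaccounts group) the page’s jsonpath one-liner would not find, and it correctly ignores kube-system-reader, which binds a same-named Service Account in another Namespace.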

Once you have found the Roles and ClusterRoles associated with your Service Account, display the permissions they carry. A Role is namespaced, so pass its Namespace; a ClusterRole is not:

$ kubectl describe role <RoleName> -n <nameSpaceName>
$ kubectl describe clusterrole <ClusterRoleName>
- sample output -
Name:         <roleName>
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  pods/exec  []                 []              [create delete get list patch update watch]
  pods       []                 []              [create delete get list patch update watch]
  events     []                 []              [get list watch]
  pods/log   []                 []              [get list watch]

A quicker cross-check that does not require tracing the bindings by hand is to ask the API server what the Service Account may do by impersonating it. The API server resolves every binding, including those granted through the system:serviceaccounts groups, and adds those groups automatically when the impersonated user name is a Service Account; the caller needs the impersonate permission (cluster-admin has it), and the listing may be incomplete for authorizers other than RBAC:

$ kubectl auth can-i --list --as=system:serviceaccount:<nameSpaceName>:<ServiceAccountName> -n <nameSpaceName>
$ kubectl auth can-i create pods/exec --as=system:serviceaccount:<nameSpaceName>:<ServiceAccountName> -n <nameSpaceName>
