Monday, February 21, 2022

Notes on installing kubectl-who-can on openSUSE Leap 15.3


OS: openSUSE Leap 15.3

Kubernetes: Kubernetes 1.21.0 ( AKS in Azure )


Recently I have come back to studying Kubernetes.

Earlier, while searching with zypper, I came across a small tool called kubectl-who-can:


# zypper  search  kubectl


Loading repository data...

Reading installed packages...


S | Name            | Summary                                                              | Type

--+-----------------+----------------------------------------------------------------------+--------

  | kubectl-who-can | Tool to show who has permissions to verbs and resources in Kuberne-> | package



Today I'll try it out. This assumes you already have a Kubernetes environment.


kubectl-who-can



To install it, just use zypper:


# zypper  install  kubectl-who-can


Loading repository data...

Reading installed packages...

Resolving package dependencies...


The following NEW package is going to be installed:

  kubectl-who-can


1 new package to install.

Overall download size: 6.3 MiB. Already cached: 0 B. After the operation, additional 33.2 MiB will be used.

Continue? [y/n/v/...? shows all options] (y): y


Running some tests:


> kubectl-who-can  create  pods


No subjects found with permissions to create pods assigned through RoleBindings


CLUSTERROLEBINDING                          SUBJECT                   TYPE            SA-NAMESPACE

aks-cluster-admin-binding                   clusterAdmin              User            

aks-cluster-admin-binding                   clusterUser               User            

aks-service-rolebinding                     aks-support               User            

cluster-admin                               system:masters            Group           

system:aks-client-nodes                     system:nodes              Group           

system:controller:daemon-set-controller     daemon-set-controller     ServiceAccount  kube-system

system:controller:job-controller            job-controller            ServiceAccount  kube-system

system:controller:persistent-volume-binder  persistent-volume-binder  ServiceAccount  kube-system

system:controller:replicaset-controller     replicaset-controller     ServiceAccount  kube-system

system:controller:replication-controller    replication-controller    ServiceAccount  kube-system

system:controller:statefulset-controller    statefulset-controller    ServiceAccount  kube-system



I also found an article online that is a useful reference:


> kubectl-who-can  delete  pods


> kubectl-who-can  get  secrets


> kubectl-who-can  bindings  all


No subjects found with permissions to bindings all assigned through RoleBindings


CLUSTERROLEBINDING         SUBJECT         TYPE   SA-NAMESPACE

aks-cluster-admin-binding  clusterAdmin    User   

aks-cluster-admin-binding  clusterUser     User   

cluster-admin              system:masters  Group


Noting this down for now; it should be very handy later when I need to look into RBAC.
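One way to turn this output into a repeatable RBAC check, as an added example that is not part of the original post or of the kubectl-who-can project: the function below parses the table format shown above and prints every subject that is missing from an allowlist. The allowlist contents, the function names, and the dev-pod-creator / ci-bot row in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): review kubectl-who-can output
# against an allowlist of subjects expected to hold a permission.

# Hypothetical allowlist, one "TYPE SUBJECT [SA-NAMESPACE]" entry per line.
ALLOWED='User clusterAdmin
User clusterUser
Group system:masters
ServiceAccount job-controller kube-system'

# Reads kubectl-who-can table output on stdin and prints
# "TYPE SUBJECT [SA-NAMESPACE] via BINDING" for each subject not in $ALLOWED.
# Columns are located by header name and split on runs of 2+ spaces, as in the
# output above; SA-NAMESPACE is assumed to directly follow TYPE.
unexpected_subjects() {
  ALLOWED="$ALLOWED" awk '
    BEGIN {
      FS = "  +"
      n = split(ENVIRON["ALLOWED"], a, "\n")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    /^[ ]*$/ || /^No subjects found/ { next }       # blank and status lines
    {
      hdr = 0                                       # header row: record column positions
      for (i = 1; i <= NF; i++) {
        if ($i == "SUBJECT") { subj = i; hdr = 1 }
        if ($i == "TYPE") type = i
      }
    }
    hdr || !subj { next }                           # skip header, or rows before any header
    {
      key = $type " " $subj
      if ($(type + 1) != "") key = key " " $(type + 1)
      if (!(key in ok)) print key " via " $1
    }'
}

# Constructed sample in the format shown above; the last row is invented.
sample_output() {
  cat <<'EOF'
No subjects found with permissions to create pods assigned through RoleBindings

CLUSTERROLEBINDING                SUBJECT         TYPE            SA-NAMESPACE
aks-cluster-admin-binding         clusterAdmin    User
cluster-admin                     system:masters  Group
system:controller:job-controller  job-controller  ServiceAccount  kube-system
dev-pod-creator                   ci-bot          ServiceAccount  default
EOF
}

sample_output | unexpected_subjects
```

Against a live cluster, replace the sample with the real command, for example `kubectl-who-can get secrets | unexpected_subjects`, and keep one allowlist per verb/resource pair you care about.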


~ enjoy it


