In Kubernetes you can use the auth can-i
command to check if you have permissions to some resource.
For example, I can use this command like this on the worker:
kubectl --kubeconfig /etc/kubernetes/kubelet.conf auth can-i get pods -v 9
It will check if you have permissions to view pods, and when you add the -v
flag it shows the verbose output:
...
curl -k -v -XPOST -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.18.0 (linux/amd64) kubernetes/9e99141" 'https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews'
I wanted to use this REST API with curl
and it doesn't work:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H "Accept: application/json, */*" \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
"allowed":true
}
}
EOF
It failed with the error:
"status": "Failure",
"message": "SelfSubjectAccessReview in version \"v1\" cannot be handled as a SelfSubjectRulesReview: converting (v1.SelfSubjectAccessReview).v1.SelfSubjectAccessReviewSpec to (authorization.SelfSubjectRulesReview).authorization.SelfSubjectRulesReviewSpec: Namespace not present in src",
"reason": "BadRequest",
"code": 400
How can I use SelfSubjectRulesReview API with curl to view resource permissions?
Thanks to @HelloWorld I found the problem. The issue was the difference between selfsubjectaccessreviews vs selfsubjectrulesreviews. I will put 2 working curl examples.
1) selfsubjectaccessreviews example to see if the account has permissions for
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews <<'EOF'
{
"kind":"SelfSubjectAccessReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"resourceAttributes":{
"namespace":"default",
"verb":"get",
"resource":"pods"
}
},
"status":{
}
}
EOF
2) selfsubjectrulesreviews example to see all the permissions of the account on the default namespace:
curl --cacert /etc/kubernetes/pki/ca.crt \
--cert /var/lib/kubelet/pki/kubelet-client-current.pem \
--key /var/lib/kubelet/pki/kubelet-client-current.pem \
-d @- \
-H "Content-Type: application/json" \
-H 'Accept: application/json, */*' \
-XPOST https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews <<'EOF'
{
"kind":"SelfSubjectRulesReview",
"apiVersion":"authorization.k8s.io/v1",
"metadata":{
"creationTimestamp":null
},
"spec":{
"namespace":"default"
},
"status":{
}
}
EOF
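The two curl examples above send one-question (SelfSubjectAccessReview) and list-everything (SelfSubjectRulesReview) requests. As an added example that is not part of the original answers, the following Python builds both request bodies and shows how to evaluate a verb/resource question locally against the status.resourceRules block a rules review returns; the response below is constructed for illustration, and the `group`/`resourceNames` fields are the real API field names.

```python
# Constructed sample response, shaped like the status block the API server
# returns for a SelfSubjectRulesReview (rule contents are made up).
SAMPLE_RULES_REVIEW = {
    "kind": "SelfSubjectRulesReview",
    "apiVersion": "authorization.k8s.io/v1",
    "status": {
        "resourceRules": [
            {"verbs": ["get", "list", "watch"], "apiGroups": [""], "resources": ["pods", "services"]},
            {"verbs": ["*"], "apiGroups": ["apps"], "resources": ["deployments"]},
            {"verbs": ["get"], "apiGroups": [""], "resources": ["secrets"], "resourceNames": ["kubelet-cert"]},
        ],
        "nonResourceRules": [{"verbs": ["get"], "nonResourceURLs": ["/healthz"]}],
        "incomplete": False,  # True means the server could not enumerate every rule
    },
}


def access_review_body(verb, resource, namespace="default", api_group=""):
    """Body for POST .../selfsubjectaccessreviews: one yes/no question."""
    return {
        "kind": "SelfSubjectAccessReview",
        "apiVersion": "authorization.k8s.io/v1",
        "spec": {"resourceAttributes": {"namespace": namespace, "verb": verb,
                                        "group": api_group, "resource": resource}},
    }


def rules_review_body(namespace="default"):
    """Body for POST .../selfsubjectrulesreviews: every rule in one namespace."""
    return {"kind": "SelfSubjectRulesReview", "apiVersion": "authorization.k8s.io/v1",
            "spec": {"namespace": namespace}}


def rule_allows(rule, verb, api_group, resource, name=None):
    """A rule matches when verb, API group and resource all match; '*' is a wildcard.
    A rule carrying resourceNames only covers requests that name one of those objects."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    if not (hit(rule.get("verbs", []), verb) and hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)):
        return False
    names = rule.get("resourceNames")
    return not names or (name is not None and name in names)


def allowed_by_rules(review, verb, resource, api_group="", name=None):
    """Answer an access-review question offline from a rules-review response."""
    return any(rule_allows(r, verb, api_group, resource, name)
               for r in review["status"].get("resourceRules", []))
```

If status.incomplete is true the server could not list every rule (webhook or other non-RBAC authorizers), so a local "not allowed" from the rules review is not authoritative; the access-review endpoint is the one that answers a single question definitively.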
Notice that the kubectl verbose output shows this URL:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectaccessreviews
and you are curling:
https://<master_ip>:6443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews
Can you notice the difference? selfsubjectaccessreviews vs selfsubjectrulesreviews.
Change the URL to the correct one and it will work.