Search code examples
kubernetesrbacpodsecuritypolicy

How can I check if 'use' of podsecuritypolicy is authorized in the namespace using 'kubectl auth can-i ... psp'?

The following error is returned:

error: you must specify two or three arguments: verb, resource, and optional resourceName

when I executed:

kubectl auth --as=system:serviceaccount:mytest1:default can-i use psp 00-mytest1

I already have following manifests for podsecuritypolicy (psp.yaml), role (role.yaml) and rolebinding (rb.yaml) and deployed in the namespace mytest1.

psp.yaml

    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: 00-mytest1
      labels: {}
      annotations:
        seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
        seccomp.security.alpha.kubernetes.io/defaultProfileName:  'runtime/default'
    spec:
      privileged: false
      allowPrivilegeEscalation: false
      requiredDropCapabilities:
      - ALL
      runAsUser:
        rule: 'MustRunAsNonRoot'
      runAsGroup:
        rule: 'MustRunAs'
        ranges:
        - min: 1000 
          max: 1000
        - min: 1
          max: 65535
      supplementalGroups:
        rule: 'MayRunAs'
        ranges:
        - min: 1
          max: 65535
      fsGroup:
        rule: 'MayRunAs'
        ranges:
        - min: 1
          max: 65535
      seLinux:
        rule: 'RunAsAny'
      hostNetwork: false
      hostIPC: false
      hostPID: false
      hostPorts: []
      volumes:
      - configMap
      - downwardAPI
      - emptyDir
      - projected
      - secret

role.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: mytest1
      namespace: "mytest1"
      labels: {}
    rules:
    - apiGroups: ['policy']
      resources: ['podsecuritypolicies']
      verbs:     ['use']
      resourceNames: ['00-mytest1']

and rb.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: mytest1
      namespace: "mytest1"
      labels: {}
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: mytest1
    subjects:
    - kind: ServiceAccount
      name: default
      namespace: "mytest1"

I expect the return yes or no for kubectl auth can-i ... check and not the above mentioned error. Is the use-case for auth check correct? I appreciate he correction.

Solution

  • You are missing the flag --subresource. If I execute

    kubectl auth --as=system:serviceaccount:mytest1:default can-i use psp --subresource=00-mytest1

    I have clear answer. In my situation:

    no

    You can also get an warning like this:

    Warning: resource 'podsecuritypolicies' is not namespace scoped in group 'policy'

    But it is related directly to your config.

    For more information about kubectl auth can-i command check

    kubectl auth can-i --help

    in your terminal. You can also read this doc.