From bc761d512a0ea1c5646f84dfb4f880d48bf6ddef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Petazzoni?=
Date: Sun, 28 Nov 2021 11:36:44 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9E=95=20Add=20commands=20to=20list=20verbs,?= =?UTF-8?q?=20resources,=20subresources?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 slides/k8s/authn-authz.md | 55 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
diff --git a/slides/k8s/authn-authz.md b/slides/k8s/authn-authz.md
index 38bb9263..90afaa34 100644
--- a/slides/k8s/authn-authz.md
+++ b/slides/k8s/authn-authz.md
@@ -495,6 +495,49 @@ class: extra-details
 
 ---
 
+class: extra-details
+
+## Listing all possible verbs
+
+- The Kubernetes API is self-documented
+
+- We can ask it which resources, subresources, and verb exist
+
+- One way to do this is to use:
+
+ - `kubectl get --raw /api/v1` (for core resources with `apiVersion: v1`)
+
+ - `kubectl get --raw /apis//` (for other resources)
+
+- The JSON response can be formatted with e.g. `jq` for readability
+
+---
+
+class: extra-details
+
+## Examples
+
+- List all verbs across all `v1` resources
+
+ ```bash
+ kubectl get --raw /api/v1 | jq -r .resources[].verbs[] | sort -u
+ ```
+
+- List all resources and subresources in `apps/v1`
+
+ ```bash
+ kubectl get --raw /apis/apps/v1 | jq -r .resources[].name
+ ```
+
+- List which verbs are available on which resources in `networking.k8s.io`
+
+ ```bash
+ kubectl get --raw /apis/networking.k8s.io/v1 | \
+ jq -r '.resources[] | .name + ": " + (.verbs | join(", "))'
+ ```
+
+---
+
 ## From rules to roles to rolebindings
 
 - A *role* is an API object containing a list of *rules*
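Review bot: The second discovery path on the "Listing all possible verbs" slide reads `/apis//` (the sub-bullet under `+- One way to do this is to use:`), which the API server cannot resolve as written; if group/version placeholders were lost in rendering, spell them out as `` `kubectl get --raw /apis/<group>/<version>` (for other resources) `` so it mirrors the `/apis/apps/v1` example on the next slide. It is also worth one added bullet noting that these discovery endpoints are readable by any authenticated principal by default (the `system:discovery` ClusterRole is bound to `system:authenticated`), so the output these commands show is not itself privileged information. Minor: `and verb exist` should read `and verbs exist`.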
@@ -928,6 +971,18 @@ class: extra-details
 kubectl describe clusterrole cluster-admin
 ```
 
+---
+
+## `list` vs. `get`
+
+⚠️ `list` grants read permissions to resources!
+
+- It's not possible to give permission to list resources without also reading them
+
+- This has implications for e.g. Secrets
+
+ (if a controller needs to be able to enumerate Secrets, it will be able to read them)
+
 ???
 
 :EN:- Authentication and authorization in Kubernetes
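Review bot: The new `list` vs. `get` slide should also name `watch`, because watch events carry the full object just as list responses do; a Role granting `watch` on Secrets reads their contents exactly as one granting `list` does, and the warning as written lets a reader conclude that `watch` is the safer alternative. Suggested bullet after `+- This has implications for e.g. Secrets`: `` - The same is true of `watch`: watch events contain the full objects ``. The mitigation the slide stops short of stating is to grant `list`/`watch` on Secrets only in a namespaced Role scoped to the controller's own namespace rather than via a ClusterRole. The Kubernetes RBAC documentation describes this list/watch behaviour, so a pointer to it would give the audience somewhere to read further.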