kubectl-show-consumer-permissions
#!/bin/bash
source utils.sh
#######################################
# Print the plugin's manual-style help text and terminate the script.
# Arguments: none
# Outputs:   help text on stdout (NAME, SYNOPSIS, DESCRIPTION, EXAMPLES)
# Returns:   does not return; exits the shell with status 0
#######################################
print_help () {
  # One argument per output line; '%s\n' is reapplied to each of them.
  printf '%s\n' \
    "NAME" \
    " kubectl show consumer permissions" \
    "" \
    "SYNOPSIS" \
    " kubectl show consumer permissions <Namespace> <ConsumerName>" \
    "" \
    "DESCRIPTION" \
    " kubectl show consumer permissions shows the RBAC permissions for a consumer service account." \
    " Namespace is the namespace where the consumer service account lives." \
    " ConsumerName is the name of the consumer service account." \
    "" \
    " Two use cases for consumer service accounts:" \
    " 1) Instance-creation consumer: SA with permissions to create application instances (not restricted to a namespace)." \
    " Typically lives in the KubePlus namespace (e.g. kubeplus-saas-consumer in default)." \
    " 2) Instance-scoped consumer: SA with permissions restricted to a specific instance's namespace (e.g. for debugging)." \
    " Lives in the instance namespace (e.g. team1mysql when team1 created an instance named team1mysql)." \
    "" \
    "EXAMPLES" \
    " kubectl show consumer permissions default kubeplus-saas-consumer" \
    " kubectl show consumer permissions team1mysql team1-debug"
  exit 0
}
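# Entry point: expects exactly two positional arguments, <Namespace> and
# <ConsumerName>. Any other argument count prints the help text.
# NOTE(review): print_help ends with `exit 0`, so a usage error is reported to
# the caller as success.
if (( $# != 2 )); then
  print_help
fi

namespace="$1"
consumer="$2"

# Both values are spliced into the impersonated user name
# system:serviceaccount:<namespace>:<name>. Accept only legal Kubernetes names
# (namespace: RFC 1123 label, max 63 chars; service account: RFC 1123 subdomain,
# max 253 chars) so whitespace, ':' or a leading '-' can never alter the
# identity being queried or be read as an extra kubectl option.
dns_label_re='^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
dns_subdomain_re='^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'

if [[ ! "$namespace" =~ $dns_label_re ]] || (( ${#namespace} > 63 )); then
  printf 'error: invalid namespace name: %s\n' "$namespace" >&2
  exit 1
fi
if [[ ! "$consumer" =~ $dns_subdomain_re ]] || (( ${#consumer} > 253 )); then
  printf 'error: invalid consumer service account name: %s\n' "$consumer" >&2
  exit 1
fi

# check_namespace is not defined in this file; presumably it comes from the
# utils.sh sourced at the top of the script.
# NOTE(review): `source utils.sh` has no path component, so bash resolves it
# through PATH and then the current directory. Sourcing it relative to the
# script's own directory would stop the plugin picking up an unrelated utils.sh.
check_namespace "$namespace"

# List what the service account may do by impersonating it. Quoting keeps the
# whole identity a single --as value. The caller needs impersonate permission
# for this request to be authorised.
# NOTE(review): no --namespace is passed, so the rules are evaluated for the
# current context's namespace, not necessarily "$namespace"; confirm that is the
# intended view for instance-scoped consumers.
kubectl auth can-i --list --as="system:serviceaccount:${namespace}:${consumer}"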