On day #14 let's have a look at how to discover which permissions are granted to our account.
In the previous post, OpenShift Morsels: login as a service account, I described how to log in as a service account and explore the cluster resources through its eyes. Today I would like to share how you can quickly check what permissions you have in a project.
The simplest approach is to run the command below. The `--ignore-scopes` flag evaluates the rules with the full authority of the identity, disregarding any scopes on the current OAuth token, so the list shows what the account has been granted rather than what this particular token is allowed to do.
```
$ oc policy can-i --list --ignore-scopes
Verbs          Non-Resource URLs  Resource Names  API Groups                    Resources
[create get]   []                 []              []                            [buildconfigs/webhooks]
[create get]   []                 []              [build.openshift.io]          [buildconfigs/webhooks]
[create]       []                 []              []                            [builds/docker]
[create]       []                 []              []                            [builds/jenkinspipeline]
[create]       []                 []              []                            [builds/optimizeddocker]
[create]       []                 []              []                            [builds/source]
[create]       []                 []              []                            [selfsubjectrulesreviews]
[create]       []                 []              [authorization.k8s.io]        [selfsubjectaccessreviews]
[create]       []                 []              [authorization.openshift.io]  [selfsubjectrulesreviews]
[create]       []                 []              [build.openshift.io]          [builds/docker]
[create]       []                 []              [build.openshift.io]          [builds/jenkinspipeline]
[create]       []                 []              [build.openshift.io]          [builds/optimizeddocker]
[create]       []                 []              [build.openshift.io]          [builds/source]
[delete]       []                 []              []                            [oauthaccesstokens]
[delete]       []                 []              []                            [oauthauthorizetokens]
[delete]       []                 []              [oauth.openshift.io]          [oauthaccesstokens]
[delete]       []                 []              [oauth.openshift.io]          [oauthauthorizetokens]
[get list]     []                 []              []                            [clusterroles]
[get list]     []                 []              [authorization.openshift.io]  [clusterroles]
[get list]     []                 []              [storage.k8s.io]              [storageclasses]
[get]          []                 [~]             []                            [users]
[get]          []                 [~]             [user.openshift.io]           [users]
[get]          [/.well-known]     []              []                            []
[get]          [/.well-known]     []              []                            []
[get]          [/.well-known]     []              []                            []
[get]          [/.well-known/*]   []              []                            []
[get]          [/.well-known/*]   []              []                            []
[get]          [/.well-known/*]   []              []                            []
[get]          [/api]             []              []                            []
[get]          [/api]             []              []                            []
[get]          [/api]             []              []                            []
[get]          [/api/*]           []              []                            []
[get]          [/api/*]           []              []                            []
[get]          [/api/*]           []              []                            []
[get]          [/apis]            []              []                            []
[get]          [/apis]            []              []                            []
[get]          [/apis]            []              []                            []
[get]          [/apis/*]          []              []                            []
[get]          [/apis/*]          []              []                            []
[get]          [/apis/*]          []              []                            []
[get]          [/healthz]         []              []                            []
[get]          [/healthz/*]       []              []                            []
[get]          [/oapi]            []              []                            []
[get]          [/oapi]            []              []                            []
[get]          [/oapi]            []              []                            []
[get]          [/oapi/*]          []              []                            []
[get]          [/oapi/*]          []              []                            []
[get]          [/oapi/*]          []              []                            []
[get]          [/osapi]           []              []                            []
[get]          [/osapi]           []              []                            []
[get]          [/osapi]           []              []                            []
[get]          [/osapi/]          []              []                            []
[get]          [/osapi/]          []              []                            []
[get]          [/osapi/]          []              []                            []
[get]          [/swagger.json]    []              []                            []
[get]          [/swagger.json]    []              []                            []
[get]          [/swagger.json]    []              []                            []
[get]          [/swaggerapi]      []              []                            []
[get]          [/swaggerapi]      []              []                            []
[get]          [/swaggerapi]      []              []                            []
[get]          [/swaggerapi/*]    []              []                            []
[get]          [/swaggerapi/*]    []              []                            []
[get]          [/swaggerapi/*]    []              []                            []
[get]          [/version]         []              []                            []
[get]          [/version]         []              []                            []
[get]          [/version]         []              []                            []
[get]          [/version/*]       []              []                            []
[get]          [/version/*]       []              []                            []
[get]          [/version/*]       []              []                            []
[list watch]   []                 []              []                            [projects]
[list watch]   []                 []              [project.openshift.io]        [projects]
[list]         []                 []              []                            [projectrequests]
[list]         []                 []              [project.openshift.io]        [projectrequests]
```
The OpenShift authorization model follows the one from Kubernetes (obviously): a role binding grants a set of verbs on a set of resources, optionally narrowed to an API group, to specific resource names, or to non-resource URLs, and every row above is one such rule. Note the `~` in the Resource Names column: it is OpenShift's alias for the caller's own object, so the account may `get` its own user record and nothing else. With the same command you can ask whether you are allowed to perform a given action (verb) on a given resource.
Asking about a specific action is now straightforward.
```
$ oc policy can-i list projects
yes
$ oc policy can-i delete projects
no
$ oc policy can-i delete project
no
$ oc policy can-i create pod
no
$ oc policy can-i create dc
no
$ oc policy can-i create deploymentconfig
no
$ oc policy can-i list deploymentconfig
no
$ oc policy can-i list deploymentconfigs
no
```
The answers, however, surprised me. What do you mean I can't list deployment configs? Then I realised that I am still logged in as the deployer service account, whose permissions are very limited.
```
$ oc whoami
system:serviceaccount:constellation:deployer
```
In the case of the deployer service account there is not much to do. It will not see any projects and you will not be able to switch to any of them, so you have to name the namespace explicitly with `-n <project>` when running the command; otherwise `oc policy can-i` is evaluated against whatever namespace your current context points at, where the account may have nothing at all. In my case the project is called constellation.
After logging in to minishift as your personal user and running the first command again, you will get a much longer list of permissions.
```
$ oc policy can-i --list
Verbs                                                                     Non-Resource URLs  Resource Names  API Groups            Resources
[admin edit view]                                                         []                 []              [build.openshift.io]  [jenkins]
[create delete deletecollection get impersonate list patch update watch]  []                 []              []                    [serviceaccounts]
[create delete deletecollection get list patch update watch]              []                 []              []                    [buildconfigs]
[create delete deletecollection get list patch update watch]              []                 []              []                    [buildconfigs/webhooks]
[create delete deletecollection get list patch update watch]              []                 []              []                    [buildlogs]
[create delete deletecollection get list patch update watch]              []                 []              []                    [builds]
[create delete deletecollection get list patch update watch]              []                 []              []                    [configmaps]
[create delete deletecollection get list patch update watch]              []                 []              []                    [deploymentconfigs]
[create delete deletecollection get list patch update watch]              []                 []              []                    [deploymentconfigs/scale]
[create delete deletecollection get list patch update watch]              []                 []              []                    [endpoints]
[create delete deletecollection get list patch update watch]              []                 []              []                    [generatedeploymentconfigs]
[create delete deletecollection get list patch update watch]              []                 []              []                    [imagestreamimages]
[create delete deletecollection get list patch update watch]              []                 []              []                    [imagestreammappings]
[create delete deletecollection get list patch update watch]              []                 []              []                    [imagestreams]
[create delete deletecollection get list patch update watch]              []                 []              []                    [imagestreams/secrets]
[create delete deletecollection get list patch update watch]              []                 []              []                    [imagestreamtags]
[create delete deletecollection get list patch update watch]              []                 []              []                    [persistentvolumeclaims]
[create delete deletecollection get list patch update watch]              []                 []              []                    [pods]
[create delete deletecollection get list patch update watch]              []                 []              []                    [pods/attach]
[create delete deletecollection get list patch update watch]              []                 []              []                    [pods/exec]
[create delete deletecollection get list patch update watch]              []                 []              []                    [pods/portforward]
[create delete deletecollection get list patch update watch]              []                 []              []                    [pods/proxy]
... much longer list ...
```
That is one of the ways to discover which permissions are granted to your user. The good thing is that you get the final, effective list of all permissions, so you can check whether it grants too much. This is especially important for service accounts, where you want to be sure that only the permissions the workload actually needs are granted. If you are allowed to impersonate, you do not even have to log in as the service account: `oc policy can-i --list -n constellation --as=system:serviceaccount:constellation:deployer` evaluates the same rules for that identity.
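The two things the post does by hand, reading the `--list` table and asking `can-i VERB RESOURCE`, can be automated against a saved copy of that output. The script below is an added example written for this page; it is not code from the post or from the `oc` tool. It assumes the five-column layout shown above (Verbs, Non-Resource URLs, Resource Names, API Groups, Resources) with each cell printed as a bracketed list, and its sample input is constructed to resemble the post's output rather than taken from a real cluster. `can_i()` simplifies the real command by taking the API group as a parameter instead of resolving it through API discovery, and `audit()` flags the grants a reviewer of a service account would look at first: wildcards, `impersonate`, and read or write access to secrets, pod exec/attach/port-forward, service accounts and RBAC objects.

```python
"""Parse and audit the table printed by `oc policy can-i --list`.

Added example for this post; not code from the post or from oc.
Assumed: the five-column layout (Verbs, Non-Resource URLs, Resource Names,
API Groups, Resources) with each cell rendered as a bracketed list.
"""
import re

# Constructed sample modelled on the post's output; not taken from a real cluster.
SAMPLE_OUTPUT = """\
Verbs                                                                     Non-Resource URLs  Resource Names  API Groups              Resources
[create delete deletecollection get list patch update watch]              []                 []              []                      [pods]
[create delete deletecollection get list patch update watch]              []                 []              []                      [pods/exec]
[create delete deletecollection get impersonate list patch update watch]  []                 []              []                      [serviceaccounts]
[get list watch]                                                          []                 []              []                      [secrets]
[get]                                                                     []                 [~]             [user.openshift.io]     [users]
[get]                                                                     [/healthz]         []              []                      []
[list watch]                                                              []                 []              []                      [projects]
[list watch]                                                              []                 []              [project.openshift.io]  [projects]
[create]                                                                  []                 []              [authorization.k8s.io]  [selfsubjectaccessreviews]
"""

CELL = re.compile(r"\[([^\]]*)\]")

# Verbs that change state or let the holder act as another identity.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "impersonate", "bind", "escalate"}
# Resources that are classic escalation paths when granted to a service account.
SENSITIVE = {"secrets", "pods/exec", "pods/attach", "pods/portforward",
             "serviceaccounts", "serviceaccounts/token",
             "roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def parse_can_i_list(text):
    """Return one dict per rule row. The header line has no brackets and is skipped."""
    rules = []
    for line in text.splitlines():
        cells = CELL.findall(line)
        if len(cells) != 5:
            continue
        verbs, urls, names, groups, resources = (c.split() for c in cells)
        rules.append({"verbs": verbs, "urls": urls, "names": names,
                      "groups": groups, "resources": resources})
    return rules


def can_i(rules, verb, resource, group="", name=None):
    """Answer like `oc policy can-i VERB RESOURCE` against the parsed rules.

    Simplification (assumed): the caller passes the API group; the real command
    resolves it through API discovery. An empty API Groups cell is the core or
    legacy group. `*` matches anything. A rule with Resource Names only grants
    access to those names (`~` is OpenShift's alias for the caller's own object),
    so it answers "yes" only when `name` is one of them.
    """
    for r in rules:
        if r["urls"]:
            continue  # non-resource URL rule, not a resource grant
        groups = r["groups"] or [""]
        if not (verb in r["verbs"] or "*" in r["verbs"]):
            continue
        if not (resource in r["resources"] or "*" in r["resources"]):
            continue
        if not (group in groups or "*" in groups):
            continue
        if r["names"] and name not in r["names"]:
            continue
        return True
    return False


def audit(rules):
    """Return (reason, rule) pairs a reviewer of a service account should look at first."""
    findings = []
    for r in rules:
        verbs, resources = set(r["verbs"]), set(r["resources"])
        if "*" in verbs and "*" in resources:
            findings.append(("wildcard verbs on wildcard resources (cluster-admin-like)", r))
            continue
        if "impersonate" in verbs:
            findings.append(("can impersonate other identities", r))
        hits = sorted(resources & SENSITIVE)
        if hits:
            kind = "write" if ("*" in verbs or verbs & WRITE_VERBS) else "read"
            findings.append((f"{kind} access to sensitive resource(s) {hits}", r))
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real output in, e.g. `oc policy can-i --list -n constellation | python audit_can_i.py`;
    # without a pipe the constructed sample is audited instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for reason, rule in audit(parse_can_i_list(text)):
        print(f"{reason}: verbs={rule['verbs']} groups={rule['groups']}")
```

Run it with `oc policy can-i --list -n <project> | python audit_can_i.py` for the account you are logged in as (the file name is an assumption). On the sample input it reports the `impersonate` verb and write access on `serviceaccounts`, write access on `pods/exec`, and read access on `secrets`; the `~`-scoped `users` rule and the non-resource URL rules are correctly ignored, and `can_i(rules, "list", "projects")` answers yes while `can_i(rules, "delete", "projects")` answers no, matching the manual checks in the post.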
Environment
The commands were executed on minishift with the following client and server versions of OpenShift.
Client:
Server:
Newsletter
Thanks for reading the OpenShift morsels. To get updates about new articles, you can sign up to the newsletter below.
As a thank you message, you will also get access to OpenShift CLI CheatSheet listing most commonly used commands together with a short explanation.