I'm using k8s go-client to do a bunch of stuff, but users of the application are seeing errors that seem to be caused by bad configuration of the service account their instance is running with, such as trying to access resources they're not allowed to, I want to show a warning when launching the application, or at least be able to access the permitted resources/groups of the Role bound to the service account of the pod where the code is running. Is there a way to do this?
How do I get the kubernetes Role or service account where the process is running
884 Views Asked by Daniel Arechiga At
2
There are 2 best solutions below
2
On
users of the application are seeing errors that seem to be caused by bad configuration of the service account
Sounds like the installation of that service did not come with proper RBAC-manifests.
I want to show a warning when launching the application, or at least be able to access the permitted resources/groups of the Role bound to the service account of the pod
The way to solve this is typically to carefully take care of the errors returned when accessing the Kubernetes API Service, and in case of an error, also print the error. Those error messages typically contains information about what ServiceAccount was used and what permissions was missing. With that info, it shouldn't be too hard to create proper RBAC-manifests.
SelfSubjectAccessReview
You can also Check API Access for a specific API with the API endpoint /apis/authorization.k8s.io/v1/selfsubjectaccessreviews
You can access the the resources available to the pod through its service account by using InClusterConfig. Take a look at the below link to understand how to use it.
How to use inclusterconfig of kubernetes in go