Last active
September 12, 2022 15:21
-
-
Save akoserwal/0227d6b9690afb2e51f50e7ec6bc6f2a to your computer and use it in GitHub Desktop.
sar-test-1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kubectl create -f - -o yaml << EOF apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| name: kafka-cluster-admin-role | |
| rules: | |
| - apiGroups: ["kafka.io"] | |
| resources: ["topics/test/abc"] | |
| verbs: ["create", "delete"] | |
| EOF | |
| bin git:(main) ✗ kubectl create -f authz-experiments/kube-rbac-sar-ex/kafka_clusteradmin_role.yaml -v 6 | |
| I0912 19:55:49.456858 93219 loader.go:374] Config loaded from file: .kcp/admin.kubeconfig | |
| I0912 19:55:49.486541 93219 round_trippers.go:553] GET https://192.168.29.16:6443/clusters/root/openapi/v2?timeout=32s 200 OK in 29 milliseconds | |
| I0912 19:55:49.495102 93219 round_trippers.go:553] POST https://192.168.29.16:6443/clusters/root/apis/rbac.authorization.k8s.io/v1/namespaces/default/roles?fieldManager=kubectl-create&fieldValidation=Strict 201 Created in 3 milliseconds | |
| role.rbac.authorization.k8s.io/kafka-cluster-admin-role created | |
| kubectl create -f - -o yaml << apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: kafka-client-1 | |
| EOF | |
| ➜ bin git:(main) ✗ kubectl create -f authz-experiments/kube-rbac-sar-ex/sa-kakfa-client-1.yaml -v 6 | |
| I0912 19:56:06.460694 93417 loader.go:374] Config loaded from file: .kcp/admin.kubeconfig | |
| I0912 19:56:06.487138 93417 round_trippers.go:553] GET https://192.168.29.16:6443/clusters/root/openapi/v2?timeout=32s 200 OK in 26 milliseconds | |
| I0912 19:56:06.494533 93417 round_trippers.go:553] POST https://192.168.29.16:6443/clusters/root/api/v1/namespaces/default/serviceaccounts?fieldManager=kubectl-create&fieldValidation=Strict 201 Created in 2 milliseconds | |
| serviceaccount/kafka-client-1 created | |
| ➜ bin git:(main) ✗ kubectl create -f authz-experiments/kube-rbac-sar-ex/kafka_clusteradmin_role.yaml -v 6 | |
| ➜ bin git:(main) ✗ kubectl create -f - -o yaml << EOF | |
| apiVersion: authorization.k8s.io/v1 | |
| kind: SubjectAccessReview | |
| spec: | |
| resourceAttributes: | |
| group: kafka.io | |
| resource: topics/test/abc | |
| verb: create | |
| namespace: default | |
| user: "system:serviceaccount:default:kafka-client-1" | |
| EOF | |
| output: | |
| apiVersion: authorization.k8s.io/v1 | |
| kind: SubjectAccessReview | |
| metadata: | |
| creationTimestamp: null | |
| spec: | |
| resourceAttributes: | |
| group: kafka.io | |
| namespace: default | |
| resource: topics/test/abc | |
| verb: create | |
| user: system:serviceaccount:default:kafka-client-1 | |
| status: | |
| allowed: false | |
| reason: workspace access not permitted | |
| kubectl create -f - -o yaml << apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: RoleBinding | |
| metadata: | |
| name: kafka-cluster-admin-role-binding- | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: kafka-cluster-admin-role | |
| subjects: | |
| - kind: ServiceAccount | |
| name: kafka-client-1 | |
| namespace: default | |
| EOF | |
| ➜ bin git:(main) ✗ kubectl create -f authz-experiments/kube-rbac-sar-ex/kafka_clusteradmin_rolebinding.yaml -v 6 | |
| I0912 19:57:04.553579 93863 loader.go:374] Config loaded from file: .kcp/admin.kubeconfig | |
| I0912 19:57:04.580122 93863 round_trippers.go:553] GET https://192.168.29.16:6443/clusters/root/openapi/v2?timeout=32s 200 OK in 26 milliseconds | |
| I0912 19:57:04.588397 93863 round_trippers.go:553] POST https://192.168.29.16:6443/clusters/root/apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings?fieldManager=kubectl-create&fieldValidation=Strict 201 Created in 3 milliseconds | |
| rolebinding.rbac.authorization.k8s.io/kafka-cluster-admin-role-binding- created | |
| ➜ bin git:(main) ✗ kubectl -v 6 create -f - -o yaml << EOF | |
| apiVersion: authorization.k8s.io/v1 | |
| kind: SubjectAccessReview | |
| spec: | |
| resourceAttributes: | |
| group: kafka.io | |
| resource: topics/test/abc | |
| verb: create | |
| namespace: default | |
| user: "system:serviceaccount:default:kafka-client-1" | |
| EOF | |
| I0912 19:57:14.416976 93942 loader.go:374] Config loaded from file: .kcp/admin.kubeconfig | |
| I0912 19:57:14.443216 93942 round_trippers.go:553] GET https://192.168.29.16:6443/clusters/root/openapi/v2?timeout=32s 200 OK in 25 milliseconds | |
| I0912 19:57:14.448164 93942 round_trippers.go:553] POST https://192.168.29.16:6443/clusters/root/apis/authorization.k8s.io/v1/subjectaccessreviews?fieldManager=kubectl-create&fieldValidation=Strict 201 Created in 1 milliseconds | |
| apiVersion: authorization.k8s.io/v1 | |
| kind: SubjectAccessReview | |
| metadata: | |
| creationTimestamp: null | |
| spec: | |
| resourceAttributes: | |
| group: kafka.io | |
| namespace: default | |
| resource: topics/test/abc | |
| verb: create | |
| user: system:serviceaccount:default:kafka-client-1 | |
| status: | |
| allowed: false | |
| reason: workspace access not permitted |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment