How to list supported RBAC verbs in Kubernetes?

README.md

It appears kubectl has first-class support via api-resources like:

$ kubectl api-resources -o wide
$ kubectl api-resources --api-group certificates.k8s.io -o wide
$ kubectl api-resources --namespaced -o wide

Alternatively, we can use curl to query Kubernetes API, but we have to expose the API endpoint first:

$ kubectl proxy --port 8080 &

Lookup API groups (known as named groups)

$ GROUP_NAME="certificates.k8s.io"
$ RESOURCE_NAME="certificatesigningrequests"
$ curl -s http://localhost:8080/apis | jq -r '.groups[] | .name'
$ curl -s http://localhost:8080/apis | jq -r --arg group_name "$GROUP_NAME" '.groups[] | select(.name | contains($group_name))'
$ api_uri=$(curl -s http://localhost:8080/apis | jq -r --arg group_name "$GROUP_NAME" '.groups[] | select(.name | contains($group_name)) | .preferredVersion.groupVersion')
$ curl -s http://localhost:8080/apis/$api_uri | jq -r '.resources[] | [.name, (.verbs | join(" "))] | join(" = ")'
$ curl -s http://localhost:8080/apis/$api_uri | jq -r --arg resource_name "$RESOURCE_NAME" '.resources[] | select(.name | contains($resource_name)) | [.name, (.verbs | join(" "))] | join(" = ")'

Lookup core APIs (known as legacy)

$ RESOURCE_NAME="configmaps"
$ curl -s http://localhost:8080/api/v1 | jq -r '.resources[] | .name'
$ curl -s http://localhost:8080/api/v1 | jq -r '.resources[] | [.name, (.verbs | join(" "))] | join(" = ")'
$ curl -s http://localhost:8080/api/v1 | jq -r --arg resource_name "$RESOURCE_NAME" '.resources[] | select(.name | contains($resource_name)) | [.name, (.verbs | join(" "))] | join(" = ")'

Reference

https://kubernetes.io/docs/reference/using-api/#api-groups

Special verbs (permissions)

• impersonate - allows impersonation in typical CLI commands by using --as and --as-group, https://kubernetes.io/docs/concepts/security/rbac-good-practices/#impersonate-verb
• bind - grants special or exceptional authority to permit roles binding, it covers only roles or clusterroles resources of the rbac.authorization.k8s.io API group (a list of roles can be controlled via resourceNames), ref. https://kubernetes.io/docs/concepts/security/rbac-good-practices/#bind-verb
• escalate - allows elevation of privileges beyond the existing permissions boundary, it covers only roles or clusterroles resources of the rbac.authorization.k8s.io API group, ref. https://kubernetes.io/docs/concepts/security/rbac-good-practices/#escalate-verb

Notes

Impersonating a user or group allows you to perform any action as if you were that user or group;
for that reason, impersonation is not namespace scoped. If you want to allow impersonation using
Kubernetes RBAC, this requires using a ClusterRole and a ClusterRoleBinding, not a Role and
RoleBinding.

Examples

For example, this ClusterRole and RoleBinding would allow user-1 to grant other users the admin, edit, and view roles in the namespace user-1-namespace:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: role-grantor
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings"]
  verbs: ["create"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["bind"]
  # omit resourceNames to allow binding any ClusterRole
  resourceNames: ["admin","edit","view"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-grantor-binding
  namespace: user-1-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: role-grantor
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user-1

Impersonate all SAs:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonate
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["impersonate"]

$ kubectl --as=system:serviceaccount:kube-system:admin get pods --all-namespaces

Impersonate a user:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
 name: sudo
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: sudo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 name: sudo
rules:
- apiGroups: [""]
  resourceNames: ["sudo"]
  resources: ["users"]
  verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sudoer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sudo
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user-2

References

• https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
• https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-creation-or-update
• https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update
• https://infosecwriteups.com/the-bind-escalate-and-impersonate-verbs-in-the-kubernetes-cluster-e9635b4fbfc6
• https://kubernetes.io/docs/concepts/security/rbac-good-practices/#token-request
• https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation