K8s: what can I do with kubectl?
Script v1
k8s-check.sh
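#!/bin/bash
# k8s-check.sh (v1): for every resource type the API server advertises, report
# whether the identity kubectl is currently using may perform each verb.
# Useful for reviewing the RBAC grants of a credential (e.g. a service-account
# token) against least-privilege expectations.
#
# Output: one line per resource/verb pair, "yes" in green or "no" in red.
#
# Caveats:
#   - The verb list is taken from the "pods" row(s) of
#     `kubectl api-resources -o wide` and reused for every resource, so verbs
#     that only other resources support are never probed.
#   - The parser expects the bracketed form "[create delete ...]". If the
#     installed kubectl prints verbs differently (e.g. comma-separated), the
#     list is empty and nothing is reported.
#   - "yes" means allowed in all namespaces or in the current namespace; a
#     grant limited to some other namespace is not detected.
#     `kubectl auth can-i --list` can be used to cross-check one namespace.

RED="\033[0;31m"
GREEN="\033[0;32m"
NC="\033[0m"
COLOR=$NC

# Resource names, one per line from kubectl; read line-wise so nothing is
# subject to word splitting or globbing.
resource_names=()
while IFS= read -r name; do
  resource_names+=("$name")
done < <(kubectl api-resources -o name)

# Verb list. It does not depend on the loop variable, so it is computed once
# instead of once per resource (one discovery call instead of hundreds).
actions=()
while IFS= read -r verb; do
  actions+=("$verb")
done < <(kubectl api-resources -o wide | grep "pods " | grep -oP "\[[a-z ]*\]" | grep -oP "[a-z]+")

for resource in "${resource_names[@]}"; do
  for action in "${actions[@]}"; do
    # stderr is discarded on purpose (presumably to hide kubectl warnings).
    # Side effect: any API error is indistinguishable from a plain "no".
    can_i_1=$(kubectl auth can-i "$action" "$resource" --all-namespaces 2>/dev/null)
    can_i_2=$(kubectl auth can-i "$action" "$resource" 2>/dev/null)

    # The original printed $can_i, which was never assigned, so the answer
    # column was always empty. Derive it from the two probes.
    if [ "$can_i_1" = "yes" ] || [ "$can_i_2" = "yes" ]; then
      can_i="yes"
      COLOR=$GREEN
    else
      can_i="no"
      COLOR=$RED
    fi

    # Fixed format string: resource and verb names are passed as data (%s);
    # only the colour codes go through %b so their \033 escapes are expanded.
    printf 'Resource "%s" Action "%s" CanI: %b%s%b\n' \
      "$resource" "$action" "$COLOR" "$can_i" "$NC"
  done
done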
echo "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" | base64 --decode > k8s-check.sh && chmod +x k8s-check.sh
Script v2
k8s-check.sh
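#!/bin/bash
# k8s-check.sh (v2): for every resource type the API server advertises, print
# the verbs the identity kubectl is currently using is allowed to perform.
# Resources with no allowed verb are omitted, which keeps the report short
# when auditing a credential that should be narrowly scoped.
#
# Output: Resource "<name>" Actions: verb1|verb2|...
#
# Caveats:
#   - The verb list is taken from the "pods" row(s) of
#     `kubectl api-resources -o wide` and reused for every resource, so verbs
#     that only other resources support are never probed.
#   - The parser expects the bracketed form "[create delete ...]". If the
#     installed kubectl prints verbs differently (e.g. comma-separated), the
#     list is empty and nothing is reported.
#   - A verb is listed when it is allowed in all namespaces or in the current
#     namespace; a grant limited to some other namespace is not detected.

# Resource names, one per line from kubectl; read line-wise so nothing is
# subject to word splitting or globbing.
resource_names=()
while IFS= read -r name; do
  resource_names+=("$name")
done < <(kubectl api-resources -o name)

# Verb list. It does not depend on the loop variable, so it is computed once
# instead of once per resource.
actions=()
while IFS= read -r verb; do
  actions+=("$verb")
done < <(kubectl api-resources -o wide | grep "pods " | grep -oP "\[[a-z ]*\]" | grep -oP "[a-z]+")

for resource in "${resource_names[@]}"; do
  action_allowed=()
  for action in "${actions[@]}"; do
    # stderr is discarded on purpose (presumably to hide kubectl warnings).
    # Side effect: any API error is indistinguishable from a plain "no".
    can_i_1=$(kubectl auth can-i "$action" "$resource" --all-namespaces 2>/dev/null)
    can_i_2=$(kubectl auth can-i "$action" "$resource" 2>/dev/null)
    if [ "$can_i_1" = "yes" ] || [ "$can_i_2" = "yes" ]; then
      action_allowed+=("$action")
    fi
  done

  if [ "${#action_allowed[@]}" -ne 0 ]; then
    # Join with "|" inside the command substitution's subshell, so the
    # script's own IFS is never changed and needs no manual restore.
    joined=$(IFS='|'; printf '%s' "${action_allowed[*]}")
    printf 'Resource "%s" Actions: %s\n' "$resource" "$joined"
  fi
done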
# Decode the embedded base64 payload into ./k8s-check.sh (overwriting any
# existing file of that name) and mark it executable; chmod runs only if the
# decode step succeeded.
# NOTE(review): the payload appears to be an encoded copy of Script v2 - confirm
# by decoding it to stdout and reading it before executing the file, since an
# encoded blob cannot be reviewed at a glance.
echo "IyEvYmluL2Jhc2gKCnJlc291cmNlX25hbWVzPSgkKGt1YmVjdGwgYXBpLXJlc291cmNlcyAtbyBuYW1lKSkKCmZvciByZXNvdXJjZSBpbiAiJHtyZXNvdXJjZV9uYW1lc1tAXX0iCmRvCiAgYWN0aW9ucz0oJChrdWJlY3RsIGFwaS1yZXNvdXJjZXMgLW8gd2lkZSB8IGdyZXAgInBvZHMgIiB8IGdyZXAgLW9QICJcW1thLXogXSpcXSIgfCBncmVwIC1vUCAiW2EteiBdKiIpKQogIGFjdGlvbl9hbGxvd2VkPSgpCiAgZm9yIGFjdGlvbiBpbiAiJHthY3Rpb25zW0BdfSIKICBkbwogICAgY2FuX2lfMT0kKGt1YmVjdGwgYXV0aCBjYW4taSAkYWN0aW9uICRyZXNvdXJjZSAtLWFsbC1uYW1lc3BhY2VzIDI+L2Rldi9udWxsKQogICAgY2FuX2lfMj0kKGt1YmVjdGwgYXV0aCBjYW4taSAkYWN0aW9uICRyZXNvdXJjZSAyPi9kZXYvbnVsbCkKICAgIGlmIFsgIiRjYW5faV8xIiA9ICJ5ZXMiIF0gfHwgWyAiJGNhbl9pXzIiID0gInllcyIgXTsgdGhlbgogICAgICBhY3Rpb25fYWxsb3dlZCs9KCRhY3Rpb24pCiAgICBmaQogIGRvbmUKICBpZiBbICR7I2FjdGlvbl9hbGxvd2VkW0BdfSAtbmUgMCBdOyB0aGVuCiAgICBJRlM9J3wnO2VjaG8gIlJlc291cmNlIFwiJHJlc291cmNlXCIgQWN0aW9uczogJHthY3Rpb25fYWxsb3dlZFsqXS8vIC98fSI7SUZTPSQnIFx0XG4nCiAgZmkKZG9uZQ==" | base64 --decode > k8s-check.sh && chmod +x k8s-check.sh
echo "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" | base64 --decode > k8s-check.sh && chmod +x k8s-check.sh
chmod +x
Run
Output for v1
Resource 'pods' Action 'create' CanI: yes
Resource 'pods' Action 'delete' CanI: yes
Resource 'pods' Action 'deletecollection' CanI: yes
Resource 'pods' Action 'get' CanI: yes
Resource 'pods' Action 'list' CanI: yes
Resource 'pods' Action 'patch' CanI: yes
Resource 'pods' Action 'update' CanI: yes
Resource 'pods' Action 'watch' CanI: yes