
K8s what can I do with kubectl

Script v1

k8s-check.sh

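#!/bin/bash
#
# k8s-check.sh (v1)
# For every API resource type known to the cluster, ask `kubectl auth can-i`
# whether the current kubectl identity may perform each verb, and print one
# coloured line per (resource, verb) pair.
#
# Output: Resource "<name>" Action "<verb>" CanI: yes|no
#
# Review notes for anyone using the result as an RBAC audit:
#   * The verb list is read from the "pods" row only and reused for every
#     resource, so verbs that pods do not have are never probed, and verbs a
#     resource does not support are still asked about.
#   * stderr of `kubectl auth can-i` is discarded, so an unreachable API
#     server or expired credentials show up as "no", not as an error.
#   * `kubectl auth can-i --list` is a useful cross-check for a namespace.

# Real ESC bytes, so the values can be printed with %s and never act as a
# printf format string.
RED=$'\033[0;31m'
GREEN=$'\033[0;32m'
NC=$'\033[0m'
COLOR=$NC

# One resource name per line; mapfile avoids word-splitting and globbing of
# the command output.
mapfile -t resource_names < <(kubectl api-resources -o name)

# The verb list does not depend on the loop variable, so it is computed once.
# The pattern expects the bracketed form "[create delete ...]"; if this kubectl
# build prints VERBS differently the array stays empty.
mapfile -t actions < <(
  kubectl api-resources -o wide \
    | grep "pods " \
    | grep -oP "\[[a-z ]*\]" \
    | grep -oP "[a-z]+"
)

# An empty discovery result would otherwise produce no output at all, which is
# easy to misread as "no permissions".
if (( ${#resource_names[@]} == 0 || ${#actions[@]} == 0 )); then
  printf 'k8s-check: no resources or no verbs discovered; nothing was checked\n' >&2
fi

for resource in "${resource_names[@]}"; do
  for action in "${actions[@]}"; do
    # Ask both cluster-wide and for the current namespace; either "yes" counts.
    can_i_1=$(kubectl auth can-i "$action" "$resource" --all-namespaces 2>/dev/null)
    can_i_2=$(kubectl auth can-i "$action" "$resource" 2>/dev/null)
    if [[ "$can_i_1" == "yes" || "$can_i_2" == "yes" ]]; then
      can_i="yes"
      COLOR=$GREEN
    else
      can_i="no"
      COLOR=$RED
    fi
    # The original printed $can_i without ever assigning it, so the verdict
    # column was always blank.
    printf 'Resource "%s" Action "%s" CanI: %s%s%s\n' \
      "$resource" "$action" "$COLOR" "$can_i" "$NC"
  done
done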
# Decodes the embedded base64 blob into ./k8s-check.sh (overwriting any existing
# file of that name) and marks it executable. The blob is opaque as shown:
# decode it to stdout and read the result before running it.
echo "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" | base64 --decode > k8s-check.sh && chmod +x k8s-check.sh

Script v2

k8s-check.sh

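#!/bin/bash
#
# k8s-check.sh (v2)
# For every API resource type known to the cluster, collect the verbs that
# `kubectl auth can-i` answers "yes" to for the current kubectl identity and
# print them on one line, joined with "|". Resources with no allowed verb are
# not printed.
#
# Output: Resource "<name>" Actions: verb1|verb2|...
#
# Review notes for anyone using the result as an RBAC audit:
#   * The verb list is read from the "pods" row only and reused for every
#     resource, so verbs that pods do not have are never probed.
#   * stderr of `kubectl auth can-i` is discarded, so an unreachable API
#     server or expired credentials make a resource silently disappear from
#     the output instead of raising an error.
#   * `kubectl auth can-i --list` is a useful cross-check for a namespace.

# One resource name per line; mapfile avoids word-splitting and globbing of
# the command output.
mapfile -t resource_names < <(kubectl api-resources -o name)

# The verb list does not depend on the loop variable, so it is computed once.
# The pattern expects the bracketed form "[create delete ...]"; if this kubectl
# build prints VERBS differently the array stays empty.
mapfile -t actions < <(
  kubectl api-resources -o wide \
    | grep "pods " \
    | grep -oP "\[[a-z ]*\]" \
    | grep -oP "[a-z]+"
)

# An empty discovery result would otherwise look exactly like "nothing is
# allowed".
if (( ${#resource_names[@]} == 0 || ${#actions[@]} == 0 )); then
  printf 'k8s-check: no resources or no verbs discovered; nothing was checked\n' >&2
fi

for resource in "${resource_names[@]}"; do
  action_allowed=()
  for action in "${actions[@]}"; do
    # Ask both cluster-wide and for the current namespace; either "yes" counts.
    can_i_1=$(kubectl auth can-i "$action" "$resource" --all-namespaces 2>/dev/null)
    can_i_2=$(kubectl auth can-i "$action" "$resource" 2>/dev/null)
    if [[ "$can_i_1" == "yes" || "$can_i_2" == "yes" ]]; then
      action_allowed+=("$action")
    fi
  done
  if (( ${#action_allowed[@]} != 0 )); then
    # Join inside a command substitution so the IFS change cannot leak into
    # the rest of the script.
    allowed_joined=$(IFS='|'; printf '%s' "${action_allowed[*]}")
    printf 'Resource "%s" Actions: %s\n' "$resource" "$allowed_joined"
  fi
done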
base64 payload (kubectl)
# Decodes the embedded base64 blob into ./k8s-check.sh (overwriting any existing
# file of that name) and marks it executable. Per the label above, this variant
# presumably calls `kubectl` from PATH; confirm by decoding to stdout and
# reading the script before running it.
echo "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" | base64 --decode > k8s-check.sh && chmod +x k8s-check.sh
base64 payload (./kubectl)
# Decodes the embedded base64 blob into ./k8s-check.sh (overwriting any existing
# file of that name) and marks it executable. Per the label above, this variant
# presumably calls `./kubectl` from the current directory; confirm by decoding
# to stdout, and check where that kubectl binary came from, before running it.
echo "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" | base64 --decode > k8s-check.sh && chmod +x k8s-check.sh

chmod +x

# Only needed when the script was saved by hand; the base64 one-liners on this
# page already run chmod +x after decoding.
chmod +x k8s-check.sh

Run

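# Run from the directory that holds the script. The explicit ./ is required
# unless "." is in PATH, which is best avoided.
./k8s-check.sh
# Keep only the lines that contain "yes". This is meaningful for the v1 output
# format; v2 lists allowed verbs and prints no yes/no column.
./k8s-check.sh | grep 'yes'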

Output for v1

Resource 'pods' Action 'create' CanI: yes
Resource 'pods' Action 'delete' CanI: yes
Resource 'pods' Action 'deletecollection' CanI: yes
Resource 'pods' Action 'get' CanI: yes
Resource 'pods' Action 'list' CanI: yes
Resource 'pods' Action 'patch' CanI: yes
Resource 'pods' Action 'update' CanI: yes
Resource 'pods' Action 'watch' CanI: yes

Output for v2

Resource "pods" Actions: create|delete|deletecollection|get|list|patch|update|watch