vela auth list-privileges
List privileges for user/group/serviceaccount
Synopsis
List privileges for user
List the privileges that a user has in clusters. Use --user/--group to check the privileges for the specified user and groups. They can be set together to see the union of privileges. Use --serviceaccount and -n/--namespace to see the privileges for a ServiceAccount. You can also use --kubeconfig to implicitly use the identity it contains. The privileges are shown in tree format.
This command supports listing privileges across multiple clusters by using --cluster. If not set, the control plane is used. This feature requires cluster-gateway to be properly set up.
The privileges are collected by listing all ClusterRoleBindings and RoleBindings, following Kubernetes RBAC authorization. Other authorization mechanisms are not supported at present. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/ for details.
The ClusterRoleBindings and RoleBindings that match the specified identity are tracked. The related ClusterRoles and Roles are retrieved and the PolicyRules they contain are displayed.
vela auth list-privileges
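The collection steps described in the synopsis, modelled as an added example (not KubeVela's own code): match the identity against binding subjects, resolve each roleRef, and return the PolicyRules together with their scope. The objects, names such as pod-reader and alice-pods, and the function names are constructed for illustration; groups that the API server adds implicitly are not modelled.

```python
# Constructed sample objects, trimmed to the fields RBAC matching needs.
ROLES = {
    ("ClusterRole", "", "pod-reader"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
    ("Role", "demo", "cm-editor"): [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "update"]}],
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "name": "dev-read", "namespace": "",
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "org:dev-team"}]},
    # A RoleBinding may reference a ClusterRole; the grant is then limited
    # to the binding's namespace rather than being cluster-wide.
    {"kind": "RoleBinding", "name": "alice-pods", "namespace": "demo",
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "name": "sa-cm", "namespace": "demo",
     "roleRef": {"kind": "Role", "name": "cm-editor"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-sa",
                   "namespace": "demo"}]},
]


def subject_matches(subject, user, groups, sa, sa_ns):
    """True if one binding subject names the queried identity."""
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":
        return name == sa and subject.get("namespace") == sa_ns
    return False


def list_privileges(bindings, roles, user=None, groups=(), sa=None, sa_ns=None):
    """Return (binding, scope, role, rules) for every matching binding."""
    found = []
    for b in bindings:
        if not any(subject_matches(s, user, groups, sa, sa_ns)
                   for s in b["subjects"]):
            continue
        ref = b["roleRef"]
        # Roles live in the binding's namespace; ClusterRoles have none.
        role_ns = b["namespace"] if ref["kind"] == "Role" else ""
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])  # dangling ref: no rules
        scope = b["namespace"] or "<cluster-wide>"
        found.append((f'{b["kind"]}/{b["name"]}', scope,
                      f'{ref["kind"]}/{ref["name"]}', rules))
    return found
```

Querying user alice together with group org:dev-team returns both bindings, one cluster-wide and one scoped to demo, which is the union the --user and --group flags describe.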
Examples
# List privileges for User alice in the control plane
vela auth list-privileges --user alice
# List privileges for Group org:dev-team in the control plane
vela auth list-privileges --group org:dev-team
# List privileges for User bob with Groups org:dev-team and org:test-team in the control plane and managed cluster example-cluster
vela auth list-privileges --user bob --group org:dev-team --group org:test-team --cluster local --cluster example-cluster
# List privileges for ServiceAccount example-sa in demo namespace in multiple managed clusters
vela auth list-privileges --serviceaccount example-sa -n demo --cluster cluster-1 --cluster cluster-2
# List privileges for identity in kubeconfig
vela auth list-privileges --kubeconfig ./example.kubeconfig --cluster local --cluster cluster-1
Options
-c, --cluster strings The cluster to list privileges. If not set, the command will list privileges in the control plane. (default [local])
-e, --env string The environment name for the CLI request
-g, --group strings The group to list privileges. Can be set together with --user.
-h, --help help for list-privileges
--kubeconfig string The kubeconfig to list privileges. If set, it will override all the other identity flags.
-n, --namespace string The namespace of the serviceaccount. This flag only works when --serviceaccount is set.
--serviceaccount string The serviceaccount to list privileges. Cannot be set with --user and --group.
-u, --user string The user to list privileges.
Options inherited from parent commands
-y, --yes Assume yes for all user prompts
SEE ALSO
- vela auth - Manage identity and authorizations.