Identify your permissions on IBM Cloud Private

Jerome Tarte
Published in IBM Cloud
Jun 22, 2018


IBM Cloud Private implements Role Based Access Control (RBAC), which defines the permissions a user has on the platform. When your user is added to a team, a role is assigned to it (Cluster administrator, Administrator, Operator, Editor or Viewer).

Basically, the different roles of a team member are aligned with the CRUD model, as described in the following table:

Allowed actions based on IAM role inside a team

Although the theory is simple, the reality can be a little more complex. A user can be a member of several teams with a different role in each team, so the permissions that user has on one team's resources can differ from those on another team's resources.

The second point to consider is role binding. The predefined roles come with a fixed set of permissions on Kubernetes resources, but by using role bindings (ClusterRoleBindings or RoleBindings) a Cluster administrator or an Administrator can grant additional permissions to your user.

So the question is: how do I know what my permissions are on the resources of a given namespace?

The Kubernetes client provides a command, kubectl auth can-i, which lets you check whether a given action is allowed for the current user. The following command shows whether your user has permission to get the namespace list:

kubectl auth can-i get namespaces

Although the kubectl auth can-i command is useful, it is limited to one action and one resource per call. You can replace the action and the resource with a *, meaning all, but then the answer is global: it doesn't tell you which individual actions or resources are allowed.

If you want the details, you can run a query for each resource / action pair. Rather than making all the queries manually, you can script it. The bash script https://github.com/jtarte/ICp-Tips/blob/master/RBAC/mypermissions.sh executes a query for each resource / action pair. The result is CSV output that gives the details of the user's permissions.

You can execute the script with this command:

./myprivileges.sh -n nsta

The parameter -n <NAMESPACE> is optional. Use it if you want information about another namespace. By default, the command runs the queries against the namespace of your current context.
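The idea behind the script, as an added example written for this article and not the author's own mypermissions.sh: loop over a list of verbs and resources, call kubectl auth can-i for each pair, and emit a CSV matrix. The verb and resource lists are constructed and deliberately short, and KUBECTL can be overridden so the CSV builder can be exercised without a cluster.

```shell
#!/bin/sh
# Hypothetical re-creation of the per-resource / per-verb check (assumed structure,
# not the article's script). KUBECTL is overridable for offline testing.
KUBECTL="${KUBECTL:-kubectl}"
# Constructed, non-exhaustive lists of verbs and resources to probe.
VERBS="get list watch create update patch delete"
RESOURCES="pods deployments services configmaps secrets namespaces"

# can_i VERB RESOURCE NAMESPACE -> prints yes or no. "kubectl auth can-i"
# exits 1 on "no", so the exit code is swallowed and only the text is used.
can_i() {
    ans=$("$KUBECTL" auth can-i "$1" "$2" -n "$3" 2>/dev/null || true)
    case "$ans" in
        yes*) printf 'yes' ;;
        *)    printf 'no' ;;
    esac
}

# current_namespace -> namespace of the active kubeconfig context, else "default".
current_namespace() {
    ns=$("$KUBECTL" config view --minify -o jsonpath='{..namespace}' 2>/dev/null || true)
    printf '%s' "${ns:-default}"
}

# permission_matrix NAMESPACE -> CSV: a header row, then one row per resource.
permission_matrix() {
    printf 'resource'
    for v in $VERBS; do printf ',%s' "$v"; done
    printf '\n'
    for r in $RESOURCES; do
        printf '%s' "$r"
        for v in $VERBS; do printf ',%s' "$(can_i "$v" "$r" "$1")"; done
        printf '\n'
    done
}

main() {
    ns=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -n) [ $# -ge 2 ] || { echo "-n needs a value" >&2; return 2; }
                ns="$2"; shift 2 ;;
            *)  echo "usage: $0 [-n NAMESPACE]" >&2; return 2 ;;
        esac
    done
    [ -n "$ns" ] || ns=$(current_namespace)
    permission_matrix "$ns"
}

# Query a cluster only when a real kubectl is on PATH.
if command -v "$KUBECTL" >/dev/null 2>&1; then main "$@"; fi
```

Each "no" cell is a permission the user lacks, so the matrix doubles as a quick check that a team role or an extra RoleBinding grants no more than intended.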

The results look like the following example:

Since the output is in CSV format, you can import it into a spreadsheet or any tool that renders CSV if you want a more readable view.

By using this script, you can get a detailed view of the permissions of your user.
