If you want to just update Role of User. You can do in the following way db.updateUser( “userName”, { roles : [ { role : “dbAdmin”, db : “dbName” }, { role : “readWrite”, db : “dbName” } ] } ) Note:- This will override only roles for that user.
WindowsPrincipal.IsInRole just checks if the user is a member of the group with that name; a Windows Group is a Role. You can get a list of the groups that a user is a member of from the WindowsIdentity.Groups property. You can get WindowsIdentity from your WindowsPrincipal: WindowsIdentity identity = WindowsPrincipal.Identity as WindowsIdentity; or you … Read more
A default service account is automatically created for each namespace. kubectl get serviceaccount NAME SECRETS AGE default 1 1d Service accounts can be added when required. Each pod is associated with exactly one service account but multiple pods can use the same service account. A pod can only use one service account from the same … Read more
Answer recommended by Microsoft Azure Collective
The following command could help. It basically gets the RoleBindings and ClusterRoleBindings which .subjects[0] is the name of the ServiceAccount. $ kubectl get rolebinding,clusterrolebinding –all-namespaces -o jsonpath=”{range .items[?(@.subjects[0].name==”SERVICE_ACCOUNT_NAME”)]}[{.roleRef.kind},{.roleRef.name}]{end}” Note: it will not list the RoleBindings / ClusterRoleBindings which contain several objects in the subject field For instance, if weave-net is deployed as the network plugin, … Read more
You can get quite a bit of info via this: kubectl api-resources –sort-by name -o wide The above api-resources command is explicit and easy to grep. The complete list of possible verbs can be obtained thus: $ kubectl api-resources –no-headers –sort-by name -o wide | sed ‘s/.*\[//g’ | tr -d “]” | tr ” ” … Read more
You can simply reference a ServiceAccount from another namespace in the RoleBinding: apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: pod-reader namespace: ns2 rules: – apiGroups: [“”] resources: [“pods”] verbs: [“get”, “list”, “watch”] — apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: pod-reader-from-ns1 namespace: ns2 roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: pod-reader subjects: – kind: ServiceAccount name: ns1-service-account namespace: … Read more
Admittedly, late to the party here. Have a read through the Kubernetes ‘Authenticating’ docs. Kubernetes does not have an in-built mechanism for defining and controlling users (as distinct from ServiceAccounts which are used to provide a cluster identity for Pods, and therefore services running on them). This means that Kubernetes does not therefore have any … Read more
To my rather basic knowledge in that area, the basic actors of an RBAC are: Resources. Permissions. Users. Roles (i.e. Groups). Resources <- require -> (one or many) Permissions. Roles <- are collections of -> (one or many) Permissions. Users <- can have -> (one or many) Roles. The tables for such a model would … Read more