Kubernetes RBAC默认用户

Question

I'm reading myself currently into RBAC and am using Docker For Desktop with a local Kubernetes cluster enabled.

If I run kubectl auth can-i get pods which user or group or serviceaccount is used by default?

Is it the same call like:

kubectl auth can-i get pods --as docker-for-desktop --as-group system:serviceaccounts ?

kubectl config view shows:

contexts:
- context:
    cluster: docker-for-desktop-cluster
    namespace: default
    user: docker-for-desktop
  name: docker-for-desktop
...
users:
- name: docker-for-desktop
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

But simply calling kubectl auth can-i get pods --as docker-for-desktop returns NO.

Thanks, Kim

Answer 1

To answer your question

If I run kubectl auth can-i get pods which user or group or serviceaccount is used by default?

As you can read on Configure Service Accounts for Pods :

When you (a human) access the cluster (for example, using kubectl ), you are authenticated by the apiserver as a particular User Account (currently this is usually admin , unless your cluster administrator has customized your cluster). Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default ).

You can use kubectl get serviceaccount to see what serviceaccounts are setup in the cluster. Try checking which contexts you have available and switching into a which ever you need:

kubectl config get-contexts

kubectl config use-context docker-for-desktop

If you are experiencing an issue with missing Role please check Referring to Resources to set they correctly for docker-for-desktop