Version: v1.9

vela auth list-privileges

List privileges for user/group/serviceaccount

Synopsis

List privileges for user

Lists the privileges that an identity holds in one or more clusters. Use --user and --group to check the privileges of a specified user and group; they can be set together to see the union of their privileges. Use --serviceaccount with -n/--namespace to see the privileges of a ServiceAccount. You can also pass --kubeconfig to use the identity contained in that kubeconfig implicitly. The privileges are shown in tree format.

This command supports listing privileges across multiple clusters with --cluster. If it is not set, the control plane is used. This feature requires cluster-gateway to be properly set up.

The privileges are collected by listing all ClusterRoleBindings and RoleBindings, following Kubernetes RBAC authorization. Other authorization mechanisms are not currently supported. See https://kubernetes.io/docs/reference/access-authn-authz/rbac/ for details.

The ClusterRoleBindings and RoleBindings that match the specified identity are tracked. The related ClusterRoles and Roles are retrieved and the PolicyRules they contain are displayed.

vela auth list-privileges
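
The collection procedure described in the synopsis (match bindings to the identity, then resolve the referenced roles to their PolicyRules), as an added Python illustration that is not KubeVela's own code. All object names and rules below are constructed sample data, and implicit groups such as system:authenticated are not modeled.

```python
# Constructed sample objects, trimmed to the fields RBAC resolution needs.
ROLES = {  # (kind, namespace, name) -> PolicyRules
    ("ClusterRole", "", "view-pods"): [{"verbs": ["get", "list"], "resources": ["pods"]}],
    ("Role", "demo", "deployer"): [{"verbs": ["create", "update"], "resources": ["deployments"]}],
    ("ClusterRole", "", "secret-reader"): [{"verbs": ["get"], "resources": ["secrets"]}],
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "name": "alice-view", "namespace": "",
     "roleRef": {"kind": "ClusterRole", "name": "view-pods"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "name": "dev-deploy", "namespace": "demo",
     "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "Group", "name": "org:dev-team"}]},
    {"kind": "RoleBinding", "name": "sa-secrets", "namespace": "demo",
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "demo"}]},
]


def subject_matches(subject, user, groups, sa):
    """sa is a (namespace, name) tuple or None."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        return sa is not None and (subject.get("namespace"), subject["name"]) == sa
    return False


def list_privileges(user=None, groups=(), sa=None, bindings=BINDINGS, roles=ROLES):
    """Map (binding kind, binding name, scope) -> PolicyRules for the identity."""
    found = {}
    for b in bindings:
        if not any(subject_matches(s, user, groups, sa) for s in b.get("subjects") or []):
            continue
        ref = b["roleRef"]
        # A Role is looked up in the binding's namespace; a ClusterRole has none.
        role_ns = b["namespace"] if ref["kind"] == "Role" else ""
        # A RoleBinding confines even a ClusterRole's rules to its own namespace.
        scope = b["namespace"] or "<cluster-wide>"
        # A roleRef pointing at a missing role grants nothing.
        found[(b["kind"], b["name"], scope)] = roles.get((ref["kind"], role_ns, ref["name"]), [])
    return found


if __name__ == "__main__":
    for key, rules in list_privileges(user="alice", groups=["org:dev-team"]).items():
        print(key, rules)
```

The sa-secrets binding shows the case worth checking in an audit: a ClusterRole referenced from a RoleBinding applies only inside that binding's namespace.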

Examples

# List privileges for User alice in the control plane
vela auth list-privileges --user alice

# List privileges for Group org:dev-team in the control plane
vela auth list-privileges --group org:dev-team

# List privileges for User bob with Groups org:dev-team and org:test-team in the control plane and managed cluster example-cluster
vela auth list-privileges --user bob --group org:dev-team --group org:test-team --cluster local --cluster example-cluster

# List privileges for ServiceAccount example-sa in demo namespace in multiple managed clusters
vela auth list-privileges --serviceaccount example-sa -n demo --cluster cluster-1 --cluster cluster-2

# List privileges for identity in kubeconfig
vela auth list-privileges --kubeconfig ./example.kubeconfig --cluster local --cluster cluster-1

Options

  -c, --cluster strings              The cluster to list privileges. If not set, the command will list privileges in the control plane. (default [local])
  -e, --env string                   The environment name for the CLI request
  -g, --group strings                The group to list privileges. Can be set together with --user.
  -h, --help                         help for list-privileges
      --kubeconfig string            The kubeconfig to list privileges. If set, it will override all the other identity flags.
  -n, --namespace --serviceaccount   The namespace of the serviceaccount. This flag only works when --serviceaccount is set.
      --serviceaccount string        The serviceaccount to list privileges. Cannot be set with --user and --group.
  -u, --user string                  The user to list privileges.

Options inherited from parent commands

  -V, --verbosity Level   number for the log level verbosity
  -y, --yes               Assume yes for all user prompts

SEE ALSO

  • vela auth - Manage identity and authorizations.


Auto generated by spf13/cobra script in KubeVela.