Viewing the permission information in a kubectl config file

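Sometimes when debugging a problem, all you have is a kubeconfig file. You can use that file to find out the current user's permissions, which helps with the next step of debugging.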

Take the client-certificate-data value from the config file, or the .crt file, and parse it with openssl.

# Process the value directly (replace the placeholder with the client-certificate-data value)
$ echo "<client-certificate-data>" | base64 -d | openssl x509 -noout -text

# Process a .crt file
$ openssl x509 -in cluster.crt -noout -text

The openssl output contains a section like the following:

Subject: O=system:masters, CN=kubernetes-admin

Here O= corresponds to the Group in K8S, and CN= corresponds to the user. What remains is to look up the matching rolebinding, clusterrolebinding, role and clusterrole in the cluster.
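
The lookup described above, as an added example in Python (not code from the original post): it splits the Subject line into user and groups, then filters binding objects for those identities. The sample bindings are constructed, in the shape of the `.items` list from `kubectl get clusterrolebindings,rolebindings -A -o json`; the function names are hypothetical, and `system:authenticated` is included on the assumption that the API server adds that group to every authenticated user.

```python
def parse_subject(line):
    """Return (user, groups) from an openssl Subject line: CN is the user, each O a group."""
    body = line.split("Subject:", 1)[-1]
    user, groups = None, []
    # Assumes no value contains a comma, which holds for typical Kubernetes names.
    for part in body.split(","):
        key, _, value = (s.strip() for s in part.partition("="))
        if key == "CN":
            user = value
        elif key == "O":
            groups.append(value)
    return user, groups


def matching_bindings(user, groups, items):
    """Return (kind, namespace, name, roleRef) for each binding naming the user or a group."""
    # Assumption: system:authenticated is implicit for every authenticated user.
    who = {("User", user), ("Group", "system:authenticated")}
    who |= {("Group", g) for g in groups}
    hits = []
    for item in items:
        subjects = item.get("subjects") or []  # subjects may be absent or null
        if any((s.get("kind"), s.get("name")) in who for s in subjects):
            meta, ref = item["metadata"], item["roleRef"]
            hits.append((item["kind"], meta.get("namespace", ""), meta["name"],
                         f'{ref["kind"]}/{ref["name"]}'))
    return hits


# Constructed sample standing in for the .items list of the kubectl JSON output.
SAMPLE_ITEMS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-edit", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "admin-pods", "namespace": "kube-system"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "kubernetes-admin"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

if __name__ == "__main__":
    user, groups = parse_subject("Subject: O=system:masters, CN=kubernetes-admin")
    for hit in matching_bindings(user, groups, SAMPLE_ITEMS):
        print(*hit)
```

Each hit names the Role or ClusterRole to inspect next for the actual rules.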
