how to check whether RBAC is enabled, using kubectl
B

8

85

I'm trying to install a helm package on a kubernetes cluster which allegedly has RBAC disabled. I'm getting a permission error mentioning clusterroles.rbac.authorization.k8s.io, which is what I'd expect if RBAC was enabled.

Is there a way to check with kubectl whether RBAC really is disabled?

What I've tried:

  • kubectl describe nodes --all-namespaces | grep -i rbac : nothing comes up
  • kubectl describe rbac --all-namespaces | grep -i rbac : nothing comes up
  • kubectl config get-contexts | grep -i rbac : nothing comes up
  • k get clusterroles it says "No resources found", not an error message. So does that mean that RBAC is enabled?
  • kubectl describe cluster isn't a thing

I'm aware that maybe this is the x-y problem because it's possible the helm package I'm installing is expecting RBAC to be enabled. But still, I'd like to know how to check whether or not it is enabled/disabled.

Boutonniere answered 9/7, 2018 at 5:56 Comment(0)
M
135

You can check this by executing the command kubectl api-versions; if RBAC is enabled you should see the API version .rbac.authorization.k8s.io/v1.

In AKS, the best way is to check the cluster's resource details at resources.azure.com. If you can spot "enableRBAC": true, your cluster has RBAC enabled. Please note that existing non-RBAC enabled AKS clusters cannot currently be updated for RBAC use. (thanks @DennisAmeling for the clarification)

Masto answered 7/11, 2018 at 11:30 Comment(4)
For Azure (AKS) this is a bit more tricky. While the kubectl api-versions indeed returns rbac.authorization.k8s.io/v1, the kubectl get clusterroles doesn't return default system: prefixed roles. The best way to check for AKS is to check the cluster's resource details, e.g. at resources.azure.com. If "enableRBAC": true, your cluster has RBAC enabled. Existing non-RBAC enabled AKS clusters cannot currently be updated for RBAC use. So if you want to enable RBAC on AKS, you have to create a new cluster. - Coeliac
@DennisAmeling please consider adding this as an independent answer, none of the others worked for me because I was on Azure and difference in RBAC behaviour is very unexpected. - Kinlaw
How about kubectl api-versions | grep rbac? - Gremial
Another option for Azure AKS is: az aks list and look for "enableRbac": true or false - Fang
G
24

I wish there was a better way but what I use is:

$ kubectl cluster-info dump | grep authorization-mode

If you can execute it you should either see RBAC listed there or not, and if you don't have the permissions to do it, well, chances are that RBAC is enabled.

Glutamate answered 9/7, 2018 at 6:43 Comment(4)
I tried that. dump doesn't work for me. - Boutonniere
After downgrading my kubectl I can now run cluster-info dump. I tried this on a cluster which definitely has RBAC enabled, and there was no output. - Boutonniere
If the above command returns no value and no error, what does it mean? - Guardafui
Leave the second part (the grep command) out for now, what do you see? - Glutamate
C
12

For Azure (AKS) this is a bit more tricky. While the kubectl api-versions command indeed returns rbac.authorization.k8s.io/v1, the kubectl get clusterroles command doesn't return the default system: prefixed roles.

The best way to check for AKS is to check the cluster's resource details, e.g. at resources.azure.com. If "enableRBAC": true, your cluster has RBAC enabled. Existing non-RBAC enabled AKS clusters cannot currently be updated for RBAC use. So if you want to enable RBAC on AKS, you'll have to create a new cluster.

Coeliac answered 30/12, 2018 at 12:46 Comment(0)
I
12

For Azure (AKS) I think Azure CLI works well.

az resource show -g <resource group name> -n <cluster name> --resource-type Microsoft.ContainerService/ManagedClusters --query properties.enableRBAC

It is basically the same thing as using resources.azure.com, but I find it quicker to use the Azure CLI.

Implosion answered 3/4, 2019 at 8:48 Comment(2)
The use case I had was that Azure claimed my cluster had RBAC disabled, but it behaved exactly like it would if RBAC was enabled. I wanted to check whether Azure had a bug. (AKS is full of lots of severe bugs, so it's a reasonable suspicion.) - Boutonniere
You can also use the cli aks command, e.g.: az aks show -g <resource group name> -n <cluster name> --query enableRbac - Cq
T
3

None of the other presented solutions are universal or can be relied upon.

They work in some places but not others, including the accepted answer. The only reliable way is to actually test the RBAC API and see if it enforces the permissions. You can do that like this:

Save the following into a file named: no-permissions.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: no-permissions
  namespace: default

Apply it with kubectl apply -f no-permissions.yaml

Now, because there is no role binding for this service account, it can't do anything when RBAC is enabled. This changes when RBAC is disabled.

You can therefore use kubectl to determine if the access permissions are enforced.

For example:

RBAC off

> kubectl auth can-i get cm -A --as=system:serviceaccount:default:no-permissions
yes

RBAC on

> kubectl auth can-i get cm -A --as=system:serviceaccount:default:no-permissions
no

In practice I think you might need to create a Role and a RoleBinding as well and test a few other actions, just to be certain. But this is the general idea.

In summary, RBAC will enforce permissions when available and enabled in the cluster. If it's not doing so, then it's not enabled.

Transect answered 24/11, 2022 at 22:47 Comment(0)
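A scripted version of the probe in the answer above, as an added example that is not part of the original answer: it tests several verbs as the unbound no-permissions service account and reports separately whether the rbac.authorization.k8s.io API group is served, since the thread notes that the group can be listed on AKS while the default roles are missing. The KUBECTL override, the function names and the chosen verbs are assumptions of this example; it expects the service account to have been applied and the caller to be allowed to impersonate it.

```shell
#!/bin/sh
# Added example: separate "RBAC API is served" from "RBAC is enforced".
# KUBECTL may be overridden, e.g. KUBECTL="kubectl --context staging" (assumption).
KUBECTL="${KUBECTL:-kubectl}"
PROBE_SA="system:serviceaccount:default:no-permissions"   # from no-permissions.yaml

# Returns 0 if the API server advertises the rbac.authorization.k8s.io group.
rbac_api_served() {
    $KUBECTL api-versions 2>/dev/null | grep -q '^rbac\.authorization\.k8s\.io/'
}

# Prints "yes" or "no" for one verb/resource as the unbound service account.
# can-i exits non-zero on "no", so the output is parsed, not the exit status.
probe() {
    $KUBECTL auth can-i "$1" "$2" -A --as="$PROBE_SA" 2>/dev/null | tail -n 1
}

# Prints one of: enforced | not-enforced | inconclusive
rbac_status() {
    allowed=0
    denied=0
    for check in "get configmaps" "list secrets" "create pods" "delete services"; do
        set -- $check                      # split into verb ($1) and resource ($2)
        case "$(probe "$1" "$2")" in
            yes) allowed=$((allowed + 1)) ;;
            no)  denied=$((denied + 1)) ;;
        esac                               # errors (e.g. no impersonation right) count as neither
    done
    if [ "$denied" -eq 4 ]; then
        echo enforced
    elif [ "$allowed" -eq 4 ]; then
        echo not-enforced
    else
        echo inconclusive                  # mixed answers or errors: check by hand
    fi
}

# Talks to the cluster only when invoked as: sh rbac-check.sh --run
if [ "${1:-}" = "--run" ]; then
    if rbac_api_served; then echo "rbac API group: served"; else echo "rbac API group: not served"; fi
    echo "enforcement: $(rbac_status)"
fi
```

A result of inconclusive usually means the impersonation itself was refused or another authorizer is answering some of the requests.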
J
2

Option #1: If you have access to the master node, then log in to it and check the below:

ps -aef | grep -i apiserver

The options should have --authorization-mode=RBAC; otherwise RBAC is not enabled.

Option #2:

kubectl get clusterroles | grep -i rbac
Janinejanis answered 9/7, 2018 at 11:29 Comment(5)
With option 2, just to clarify: If there is no output, then RBAC is disabled? I expect the cluster to not know what clusterroles are if RBAC is disabled. But I get "No resources found" on one cluster, and on another I get a long list of roles including system:auth-delegator and system:controller:clusterrole-aggregation-controller, but excluding anything mentioning rbac. - Boutonniere
I just spun up a cluster with RBAC enabled and option 2 results in no output. - Boutonniere
If the second command "kubectl get clusterroles | grep -i rbac" returns no value and no error, what does it mean? - Guardafui
Like @Boutonniere, I too get no output from method #2 above. - Schade
What is the output of kubectl api-versions? In my cluster with RBAC enabled the o/p contains .rbac.authorization.k8s.io/v1 - Janinejanis
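For the two flag-based checks in this thread (kubectl cluster-info dump | grep authorization-mode, and ps on the master node), an added example that is not from either answer: the kube-apiserver flag takes a comma-separated list such as Node,RBAC, so this extracts the list and tests for RBAC as one entry, and treats a missing flag as unknown, which is what you get when the control plane is managed and its command line is not visible. Function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads text on stdin (ps output or a cluster-info dump) and
# prints the kube-apiserver --authorization-mode values, one per line.
authz_modes() {
    grep -oE -- '--authorization-mode[= ][A-Za-z,]+' |
        sed -E 's/^--authorization-mode[= ]//' | tr ',' '\n' | sort -u
}

# Exit status: 0 = RBAC is among the configured modes
#              1 = the flag is present but RBAC is not listed
#              2 = no --authorization-mode flag in the input (unknown)
rbac_configured() {
    modes=$(authz_modes)
    [ -n "$modes" ] || return 2
    printf '%s\n' "$modes" | grep -qx 'RBAC'
}

# Constructed sample inputs (not taken from a real cluster).
SAMPLE_PS='root  1842  1  kube-apiserver --advertise-address=10.0.0.10 --authorization-mode=Node,RBAC --secure-port=6443'
SAMPLE_DUMP='            "--authorization-mode=AlwaysAllow",'
SAMPLE_MANAGED='{"kind": "PodList", "items": []}'

for sample in "$SAMPLE_PS" "$SAMPLE_DUMP" "$SAMPLE_MANAGED"; do
    rc=0
    printf '%s\n' "$sample" | rbac_configured || rc=$?
    case "$rc" in
        0) echo "RBAC configured" ;;
        1) echo "flag present, RBAC not listed" ;;
        *) echo "flag not visible: unknown" ;;
    esac
done
```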
H
1

For AKS, if you have multiple clusters (and you do, right?) you can get a tabulated list of enableRbac properties with

: my-desktop:~:0; az aks list | jq -r '.[]|"Cluster: \(.name) Resource-group: \(.resourceGroup) Enabled: \(.enableRbac) "' | column -t
Cluster:  test                  Resource-group:  dev-stack   Enabled:  false
Cluster:  ftx-cluster-1         Resource-group:  prod        Enabled:  true
Cluster:  ftx-cluster-2         Resource-group:  prod        Enabled:  true
Cluster:  taskrabbit            Resource-group:  newprod     Enabled:  true
Harmonize answered 22/11, 2022 at 14:14 Comment(0)
H
0

az aks show -g resource_group_of_your_AKS -n your-cluster-name --query enableRbac -o tsv

Hoosegow answered 27/3 at 2:21 Comment(0)