How to view the permissions/roles associated with a specific service account in k8s?
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
Kubernetes service account permissions come from RBAC bindings, not from the service account object itself. To see what a specific service account can do, you need to inspect RoleBindings/ClusterRoleBindings and use authorization checks. This is critical for security audits and least-privilege enforcement.
Core Sections
Find bindings referencing the service account
This reveals which roles are bound to that account.
Describe specific bindings
Look at Role/ClusterRole references and subjects.
Use kubectl auth can-i impersonation
Most practical way to test effective permissions:
Automate these checks for critical verbs/resources.
Inspect role rules directly
Review rules section for apiGroups/resources/verbs.
Audit periodically
Permissions drift over time; schedule recurring audits and alert on overly broad bindings.
Common Pitfalls
- Looking only at service account YAML and missing binding-derived permissions.
- Forgetting namespace context when evaluating RoleBinding scope.
- Assuming ClusterRole implies cluster-wide access without checking binding target.
- Skipping effective permission tests with
kubectl auth can-i. - Leaving stale broad bindings after temporary troubleshooting access.
Implementation Playbook
To make this technique dependable in production, treat implementation as a repeatable operating pattern rather than a one-time code change. Start by defining a baseline with known inputs, expected outputs, and measurable latency or resource behavior. Baselines are essential because many failures emerge after environment drift, dependency upgrades, or infrastructure changes that do not touch your business logic directly. With a baseline, you can quickly identify whether a regression came from code, configuration, or platform behavior.
Next, build a compact validation matrix that exercises three categories: normal behavior, edge cases, and explicit failure modes. Keep tests deterministic and cheap enough to run in local development and CI. If your flow depends on external services, include contract fixtures or mocks for fast checks and reserve a smaller set of integration tests for environment verification. Pair correctness checks with observability: log correlation identifiers, branch decisions, and output status in structured form so incidents can be diagnosed without guesswork.
Before rollout, define operational controls up front. Specify timeout values, retry policy, fallback behavior, and rollback triggers. Roll out incrementally instead of changing multiple risk dimensions at once. A staged rollout reduces blast radius and makes it easier to attribute behavior changes to one cause. Capture final operating assumptions in a short runbook: prerequisites, compatibility constraints, known warning signs, and first-response actions. This prevents repeated rediscovery and improves handoff quality across teams.
Use this execution checklist every time you modify this part of the system:
Final Deployment Note
Before rollout, execute one final smoke test in an environment that matches production topology as closely as possible. Validate not only functional output but also observability signals such as logs, metrics, and error counters so silent regressions are visible immediately. If behavior differs from baseline, revert quickly and compare dependency versions, environment variables, and infrastructure assumptions before retrying. A short, repeatable pre-release check usually saves far more incident time than it costs during delivery.
Summary
To view a service account’s permissions, trace its RBAC bindings and validate effective access with impersonated can-i checks. This gives a practical and auditable view of real capabilities.
