@akoserwal
Last active September 12, 2022 15:21
sar-test-1
kubectl create -f - -o yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kafka-cluster-admin-role
rules:
- apiGroups: ["kafka.io"]
  resources: ["topics/test/abc"]
  verbs: ["create", "delete"]
EOF
bin git:(main) ✗ kubectl create -f authz-experiments/kube-rbac-sar-ex/kafka_clusteradmin_role.yaml -v 6
I0912 19:55:49.456858 93219 loader.go:374] Config loaded from file: .kcp/admin.kubeconfig
I0912 19:55:49.486541 93219 round_trippers.go:553] GET https://192.168.29.16:6443/clusters/root/openapi/v2?timeout=32s 200 OK in 29 milliseconds
I0912 19:55:49.495102 93219 round_trippers.go:553] POST https://192.168.29.16:6443/clusters/root/apis/rbac.authorization.k8s.io/v1/namespaces/default/roles?fieldManager=kubectl-create&fieldValidation=Strict 201 Created in 3 milliseconds
role.rbac.authorization.k8s.io/kafka-cluster-admin-role created
kubectl create -f - -o yaml << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kafka-client-1
EOF
➜ bin git:(main) ✗ kubectl create -f authz-experiments/kube-rbac-sar-ex/sa-kakfa-client-1.yaml -v 6
I0912 19:56:06.460694 93417 loader.go:374] Config loaded from file: .kcp/admin.kubeconfig
I0912 19:56:06.487138 93417 round_trippers.go:553] GET https://192.168.29.16:6443/clusters/root/openapi/v2?timeout=32s 200 OK in 26 milliseconds
I0912 19:56:06.494533 93417 round_trippers.go:553] POST https://192.168.29.16:6443/clusters/root/api/v1/namespaces/default/serviceaccounts?fieldManager=kubectl-create&fieldValidation=Strict 201 Created in 2 milliseconds
serviceaccount/kafka-client-1 created
➜ bin git:(main) ✗ kubectl create -f - -o yaml << EOF
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  resourceAttributes:
    group: kafka.io
    resource: topics/test/abc
    verb: create
    namespace: default
  user: "system:serviceaccount:default:kafka-client-1"
EOF
output:
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
metadata:
  creationTimestamp: null
spec:
  resourceAttributes:
    group: kafka.io
    namespace: default
    resource: topics/test/abc
    verb: create
  user: system:serviceaccount:default:kafka-client-1
status:
  allowed: false
  reason: workspace access not permitted
kubectl create -f - -o yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kafka-cluster-admin-role-binding-
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kafka-cluster-admin-role
subjects:
- kind: ServiceAccount
  name: kafka-client-1
  namespace: default
EOF
➜ bin git:(main) ✗ kubectl create -f authz-experiments/kube-rbac-sar-ex/kafka_clusteradmin_rolebinding.yaml -v 6
I0912 19:57:04.553579 93863 loader.go:374] Config loaded from file: .kcp/admin.kubeconfig
I0912 19:57:04.580122 93863 round_trippers.go:553] GET https://192.168.29.16:6443/clusters/root/openapi/v2?timeout=32s 200 OK in 26 milliseconds
I0912 19:57:04.588397 93863 round_trippers.go:553] POST https://192.168.29.16:6443/clusters/root/apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings?fieldManager=kubectl-create&fieldValidation=Strict 201 Created in 3 milliseconds
rolebinding.rbac.authorization.k8s.io/kafka-cluster-admin-role-binding- created
➜ bin git:(main) ✗ kubectl -v 6 create -f - -o yaml << EOF
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  resourceAttributes:
    group: kafka.io
    resource: topics/test/abc
    verb: create
    namespace: default
  user: "system:serviceaccount:default:kafka-client-1"
EOF
I0912 19:57:14.416976 93942 loader.go:374] Config loaded from file: .kcp/admin.kubeconfig
I0912 19:57:14.443216 93942 round_trippers.go:553] GET https://192.168.29.16:6443/clusters/root/openapi/v2?timeout=32s 200 OK in 25 milliseconds
I0912 19:57:14.448164 93942 round_trippers.go:553] POST https://192.168.29.16:6443/clusters/root/apis/authorization.k8s.io/v1/subjectaccessreviews?fieldManager=kubectl-create&fieldValidation=Strict 201 Created in 1 milliseconds
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
metadata:
  creationTimestamp: null
spec:
  resourceAttributes:
    group: kafka.io
    namespace: default
    resource: topics/test/abc
    verb: create
  user: system:serviceaccount:default:kafka-client-1
status:
  allowed: false
  reason: workspace access not permitted
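The two SubjectAccessReviews above return the same reason before and after the RoleBinding is created, which is the behaviour of an authorizer chain where an earlier authorizer denies before RBAC is consulted. The following is an added offline model of that chain (illustrative code written for this gist, not Kubernetes' or kcp's implementation); the `workspace_check` authorizer and its user set are assumed stand-ins for whatever produced the "workspace access not permitted" reason, and the Role, ServiceAccount, RoleBinding and SAR are taken from the objects created above.

```python
# Added illustrative model (not Kubernetes' or kcp's code): authorizers run in
# order, the first explicit allow/deny wins, and RBAC is a simplified Role+RoleBinding matcher.

def rbac_allows(bindings, req):
    """Simplified RBAC: some rule of a binding for this user and namespace must
    cover the API group, the verb and the resource (or "resource/subresource")."""
    combined = req["resource"] + ("/" + req["subresource"] if req["subresource"] else "")
    for b in bindings:
        if b["namespace"] != req["namespace"] or req["user"] not in b["subjects"]:
            continue
        for r in b["rules"]:
            if ("*" in r["apiGroups"] or req["group"] in r["apiGroups"]) \
               and ("*" in r["verbs"] or req["verb"] in r["verbs"]) \
               and ("*" in r["resources"] or combined in r["resources"]):
                return True
    return False

def decide(authorizers, req):
    """Run authorizers in order; the first "allow" or "deny" decides the SAR status."""
    for fn in authorizers:
        decision, reason = fn(req)
        if decision != "no opinion":
            return decision == "allow", reason
    return False, "no authorizer allowed the request"

def workspace_check(req, users_with_access=frozenset()):
    """Assumed stand-in for the front-of-chain authorizer that produced the gist's reason."""
    if req["user"] in users_with_access:
        return "no opinion", ""
    return "deny", "workspace access not permitted"

def rbac_check(bindings):
    def check(req):
        return ("allow", "RBAC: allowed by RoleBinding") if rbac_allows(bindings, req) else ("no opinion", "")
    return check

# Constructed from the Role, ServiceAccount, RoleBinding and SAR shown in the gist.
SA = "system:serviceaccount:default:kafka-client-1"
ROLE_RULES = [{"apiGroups": ["kafka.io"], "resources": ["topics/test/abc"], "verbs": ["create", "delete"]}]
BINDINGS = [{"namespace": "default", "subjects": {SA}, "rules": ROLE_RULES}]
SAR = {"user": SA, "verb": "create", "group": "kafka.io", "resource": "topics/test/abc",
       "namespace": "default", "subresource": ""}

def gist_decision():
    """Whole chain: denied up front, so adding the RoleBinding never changes the reason."""
    return decide([workspace_check, rbac_check(BINDINGS)], SAR)

def rbac_only_decision():
    """RBAC in isolation: the Role's rule does cover this request."""
    return decide([rbac_check(BINDINGS)], SAR)
```

Comparing `gist_decision()` with `rbac_only_decision()` separates "the RoleBinding is wrong" from "something ahead of RBAC denies", which is the check to make before editing more Role rules.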