How to Check Service Account Role Bindings in Kubernetes

To check the RoleBindings and ClusterRoleBindings associated with a specific service account in Kubernetes, you can use the following commands and techniques:

Steps to Check Service Account Role Bindings

  1. List RoleBindings in the Namespace: List all RoleBindings in the namespace where the service account resides.
  2. List ClusterRoleBindings: List all ClusterRoleBindings in the cluster.
  3. Describe Specific RoleBindings and ClusterRoleBindings: Use the kubectl describe command to get detailed information about specific RoleBindings and ClusterRoleBindings.

Commands

List RoleBindings in the Namespace

To list all RoleBindings in a specific namespace:

kubectl get rolebindings -n <namespace>

Example:

kubectl get rolebindings -n my-namespace

List ClusterRoleBindings

To list all ClusterRoleBindings in the cluster:

kubectl get clusterrolebindings

Describe RoleBindings and ClusterRoleBindings

To get detailed information about a specific RoleBinding or ClusterRoleBinding, use the kubectl describe command.

  1. Describe a RoleBinding:

kubectl describe rolebinding <rolebinding-name> -n <namespace>

Example:

kubectl describe rolebinding scale-rolebinding -n my-namespace

  2. Describe a ClusterRoleBinding:

kubectl describe clusterrolebinding <clusterrolebinding-name>

Example:

kubectl describe clusterrolebinding example-clusterrolebinding

Example: Finding RoleBindings and ClusterRoleBindings for a Specific Service Account

You can also filter RoleBindings and ClusterRoleBindings to find those associated with a specific service account using kubectl and jq.

  1. List and Filter RoleBindings:

kubectl get rolebindings -n my-namespace -o json | jq '.items[] | select(any(.subjects[]?; .kind=="ServiceAccount" and .name=="cronjob-sa" and .namespace=="my-namespace")) | {name: .metadata.name, roleRef: .roleRef}'

  2. List and Filter ClusterRoleBindings:

kubectl get clusterrolebindings -o json | jq '.items[] | select(any(.subjects[]?; .kind=="ServiceAccount" and .name=="cronjob-sa" and .namespace=="my-namespace")) | {name: .metadata.name, roleRef: .roleRef}'

Example Output

The output will list the RoleBindings and ClusterRoleBindings associated with the specified service account. For example:

{
  "name": "scale-rolebinding",
  "roleRef": {
    "apiGroup": "rbac.authorization.k8s.io",
    "kind": "Role",
    "name": "scale-role"
  }
}
{
  "name": "example-clusterrolebinding",
  "roleRef": {
    "apiGroup": "rbac.authorization.k8s.io",
    "kind": "ClusterRole",
    "name": "example-clusterrole"
  }
}

Complete Example

Here’s a complete workflow to check the role bindings for a service account named cronjob-sa in the my-namespace namespace.

  1. List RoleBindings:

kubectl get rolebindings -n my-namespace

  2. List ClusterRoleBindings:

kubectl get clusterrolebindings

  3. Describe a Specific RoleBinding:

kubectl describe rolebinding scale-rolebinding -n my-namespace

  4. Describe a Specific ClusterRoleBinding:

kubectl describe clusterrolebinding example-clusterrolebinding

  5. Filter RoleBindings for the Service Account:

kubectl get rolebindings -n my-namespace -o json | jq '.items[] | select(any(.subjects[]?; .kind=="ServiceAccount" and .name=="cronjob-sa" and .namespace=="my-namespace")) | {name: .metadata.name, roleRef: .roleRef}'

  6. Filter ClusterRoleBindings for the Service Account:

kubectl get clusterrolebindings -o json | jq '.items[] | select(any(.subjects[]?; .kind=="ServiceAccount" and .name=="cronjob-sa" and .namespace=="my-namespace")) | {name: .metadata.name, roleRef: .roleRef}'

By following these steps, you can identify which roles and role bindings are associated with a specific service account in your Kubernetes cluster.
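
The filters above report only bindings that name the service account directly, and the RoleBinding filter looks in a single namespace. The Python script below is an added example, not part of the original post: it goes beyond that exact-match case and also reports RoleBindings in other namespaces and bindings that reach the account through its username (system:serviceaccount:<namespace>:<name>) or the built-in groups every service account belongs to. The binding names mixed-subjects, cross-ns and ns-sa-group and all sample data are constructed for illustration.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get rolebindings,clusterrolebindings -A -o json`.
SAMPLE = {"items": [
    {"kind": "RoleBinding", "metadata": {"name": "scale-rolebinding", "namespace": "my-namespace"},
     "roleRef": {"kind": "Role", "name": "scale-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "cronjob-sa", "namespace": "my-namespace"}]},
    # kind, name and namespace each match, but on different subjects: must not be reported.
    {"kind": "RoleBinding", "metadata": {"name": "mixed-subjects", "namespace": "my-namespace"},
     "roleRef": {"kind": "Role", "name": "other-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "other-sa", "namespace": "my-namespace"},
                  {"kind": "User", "name": "cronjob-sa"}]},
    {"kind": "RoleBinding", "metadata": {"name": "cross-ns", "namespace": "other-namespace"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "cronjob-sa", "namespace": "my-namespace"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ns-sa-group"},
     "roleRef": {"kind": "ClusterRole", "name": "example-clusterrole"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:my-namespace"}]},
]}

def subject_matches(subject, namespace, name):
    """True if one RBAC subject entry covers service account namespace/name."""
    kind, subj = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        return subj == name and subject.get("namespace") == namespace
    if kind == "User":  # the username a service account authenticates as
        return subj == f"system:serviceaccount:{namespace}:{name}"
    if kind == "Group":  # groups every service account identity carries
        return subj in ("system:serviceaccounts", f"system:serviceaccounts:{namespace}",
                        "system:authenticated")
    return False

def bindings_for(doc, namespace, name):
    """Return (binding kind, binding namespace, binding name, role kind, role name, via)."""
    found = []
    for item in doc.get("items", []):
        for s in item.get("subjects") or []:  # subjects may be absent or null
            if subject_matches(s, namespace, name):
                meta, ref = item["metadata"], item["roleRef"]
                found.append((item["kind"], meta.get("namespace", ""), meta["name"],
                              ref["kind"], ref["name"], f'{s["kind"]}/{s["name"]}'))
                break  # one row per binding, even if several subjects match
    return found

if __name__ == "__main__":
    live = len(sys.argv) == 3  # NAMESPACE NAME given: read kubectl JSON from stdin
    ns, sa = sys.argv[1:3] if live else ("my-namespace", "cronjob-sa")
    for row in bindings_for(json.load(sys.stdin) if live else SAMPLE, ns, sa):
        print("\t".join(row))
```

To run it against a cluster, pipe kubectl get rolebindings,clusterrolebindings -A -o json into python3 sa_bindings.py my-namespace cronjob-sa (the file name is an assumption); without arguments it prints the result for the constructed sample.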


About SandeepSingh

Hi, I am working in the IT industry and have more than 15 years of experience. I have worked as an Oracle DBA with a company, handling different databases such as Oracle, SQL Server, DB2, etc. I have also worked as a Development and Database Administrator.
