:~$ k -n monitoring get rolebinding monitoring-viewers -o yamlapiVersion: auth

1. :~$ k -n monitoring get rolebinding monitoring-viewers -o yaml
2. apiVersion: authorization.openshift.io/v1
3. groupNames:
4. - monitoring-viewers
5. kind: RoleBinding
6. metadata:
7. name: monitoring-viewers
8. namespace: monitoring
9. roleRef:
10. name: view
11. subjects:
12. - kind: Group
13. name: monitoring-viewers
14. - kind: ServiceAccount
15. name: prom
16. namespace: monitoring
17. userNames:
18. - system:serviceaccount:monitoring:prom
19.  
20. :~$ k -n monitoring get clusterrole view -o yaml
21. aggregationRule:
22. clusterRoleSelectors:
23. - matchLabels:
24. rbac.authorization.k8s.io/aggregate-to-view: "true"
25. apiVersion: authorization.openshift.io/v1
26. kind: ClusterRole
27. metadata:
28. annotations:
29. openshift.io/description: A user who can view but not edit any resources within
30. the project. They can not view secrets or membership.
31. openshift.io/reconcile-protect: "false"
32. labels:
33. kubernetes.io/bootstrapping: rbac-defaults
34. name: view
35. rules:
36. - apiGroups:
37. - ""
38. attributeRestrictions: null
39. resources:
40. - configmaps
41. - endpoints
42. - persistentvolumeclaims
43. - pods
44. - replicationcontrollers
45. - replicationcontrollers/scale
46. - serviceaccounts
47. - services
48. verbs:
49. - get
50. - list
51. - watch
52. - apiGroups:
53. - ""
54. attributeRestrictions: null
55. resources:
56. - bindings
57. - events
58. - limitranges
59. - namespaces/status
60. - pods/log
61. - pods/status
62. - replicationcontrollers/status
63. - resourcequotas
64. - resourcequotas/status
65. verbs:
66. - get
67. - list
68. - watch
69. - apiGroups:
70. - ""
71. attributeRestrictions: null
72. resources:
73. - namespaces
74. verbs:
75. - get
76. - list
77. - watch
78. - apiGroups:
79. - apps
80. attributeRestrictions: null
81. resources:
82. - daemonsets
83. - deployments
84. - deployments/scale
85. - replicasets
86. - replicasets/scale
87. - statefulsets
88. - statefulsets/scale
89. verbs:
90. - get
91. - list
92. - watch
93. - apiGroups:
94. - autoscaling
95. attributeRestrictions: null
96. resources:
97. - horizontalpodautoscalers
98. verbs:
99. - get
100. - list
101. - watch
102. - apiGroups:
103. - batch
104. attributeRestrictions: null
105. resources:
106. - cronjobs
107. - jobs
108. verbs:
109. - get
110. - list
111. - watch
112. - apiGroups:
113. - extensions
114. attributeRestrictions: null
115. resources:
116. - daemonsets
117. - deployments
118. - deployments/scale
119. - ingresses
120. - networkpolicies
121. - replicasets
122. - replicasets/scale
123. - replicationcontrollers/scale
124. verbs:
125. - get
126. - list
127. - watch
128. - apiGroups:
129. - policy
130. attributeRestrictions: null
131. resources:
132. - poddisruptionbudgets
133. verbs:
134. - get
135. - list
136. - watch
137. - apiGroups:
138. - networking.k8s.io
139. attributeRestrictions: null
140. resources:
141. - networkpolicies
142. verbs:
143. - get
144. - list
145. - watch
146. - apiGroups:
147. - ""
148. - build.openshift.io
149. attributeRestrictions: null
150. resources:
151. - buildconfigs
152. - buildconfigs/webhooks
153. - builds
154. verbs:
155. - get
156. - list
157. - watch
158. - apiGroups:
159. - ""
160. - build.openshift.io
161. attributeRestrictions: null
162. resources:
163. - builds/log
164. verbs:
165. - get
166. - list
167. - watch
168. - apiGroups:
169. - build.openshift.io
170. attributeRestrictions: null
171. resources:
172. - jenkins
173. verbs:
174. - view
175. - apiGroups:
176. - ""
177. - apps.openshift.io
178. attributeRestrictions: null
179. resources:
180. - deploymentconfigs
181. - deploymentconfigs/scale
182. verbs:
183. - get
184. - list
185. - watch
186. - apiGroups:
187. - ""
188. - apps.openshift.io
189. attributeRestrictions: null
190. resources:
191. - deploymentconfigs/log
192. - deploymentconfigs/status
193. verbs:
194. - get
195. - list
196. - watch
197. - apiGroups:
198. - ""
199. - image.openshift.io
200. attributeRestrictions: null
201. resources:
202. - imagestreamimages
203. - imagestreammappings
204. - imagestreams
205. - imagestreamtags
206. verbs:
207. - get
208. - list
209. - watch
210. - apiGroups:
211. - ""
212. - image.openshift.io
213. attributeRestrictions: null
214. resources:
215. - imagestreams/status
216. verbs:
217. - get
218. - list
219. - watch
220. - apiGroups:
221. - ""
222. - project.openshift.io
223. attributeRestrictions: null
224. resources:
225. - projects
226. verbs:
227. - get
228. - apiGroups:
229. - ""
230. - quota.openshift.io
231. attributeRestrictions: null
232. resources:
233. - appliedclusterresourcequotas
234. verbs:
235. - get
236. - list
237. - watch
238. - apiGroups:
239. - ""
240. - route.openshift.io
241. attributeRestrictions: null
242. resources:
243. - routes
244. verbs:
245. - get
246. - list
247. - watch
248. - apiGroups:
249. - ""
250. - route.openshift.io
251. attributeRestrictions: null
252. resources:
253. - routes/status
254. verbs:
255. - get
256. - list
257. - watch
258. - apiGroups:
259. - ""
260. - template.openshift.io
261. attributeRestrictions: null
262. resources:
263. - processedtemplates
264. - templateconfigs
265. - templateinstances
266. - templates
267. verbs:
268. - get
269. - list
270. - watch
271. - apiGroups:
272. - ""
273. - build.openshift.io
274. attributeRestrictions: null
275. resources:
276. - buildlogs
277. verbs:
278. - get
279. - list
280. - watch
281. - apiGroups:
282. - ""
283. attributeRestrictions: null
284. resources:
285. - resourcequotausages
286. verbs:
287. - get
288. - list
289. - watch
290. - apiGroups:
291. - servicecatalog.k8s.io
292. attributeRestrictions: null
293. resources:
294. - servicebindings
295. - serviceinstances
296. verbs:
297. - get
298. - list
299. - watch
300. - apiGroups:
301. - servicecatalog.k8s.io
302. attributeRestrictions: null
303. resources:
304. - servicebrokers
305. verbs:
306. - get
307. - apiGroups:
308. - servicecatalog.k8s.io
309. attributeRestrictions: null
310. resources:
311. - servicebrokers
312. verbs:
313. - list
314. - apiGroups:
315. - servicecatalog.k8s.io
316. attributeRestrictions: null
317. resources:
318. - servicebrokers
319. verbs:
320. - watch
321. - apiGroups:
322. - servicecatalog.k8s.io
323. attributeRestrictions: null
324. resources:
325. - serviceclasses
326. verbs:
327. - get
328. - apiGroups:
329. - servicecatalog.k8s.io
330. attributeRestrictions: null
331. resources:
332. - serviceclasses
333. verbs:
334. - list
335. - apiGroups:
336. - servicecatalog.k8s.io
337. attributeRestrictions: null
338. resources:
339. - serviceclasses
340. verbs:
341. - watch
342. - apiGroups:
343. - servicecatalog.k8s.io
344. attributeRestrictions: null
345. resources:
346. - serviceplans
347. verbs:
348. - get
349. - apiGroups:
350. - servicecatalog.k8s.io
351. attributeRestrictions: null
352. resources:
353. - serviceplans
354. verbs:
355. - list
356. - apiGroups:
357. - servicecatalog.k8s.io
358. attributeRestrictions: null
359. resources:
360. - serviceplans
361. verbs:
362. - watch
363.  
364. :~$ k --as=system:serviceaccount:monitoring:prom get ns
365. Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:monitoring:prom" cannot list namespaces at the cluster scope: no RBAC policy matched