dot_config/opencode/skills/debugging-k8s-rbac/SKILL.md
Debugs Kubernetes RBAC and permission issues including Forbidden errors, ServiceAccount permissions, Role/RoleBinding, and ClusterRole/ClusterRoleBinding problems. Use when seeing permission denied, forbidden errors, or ServiceAccount access issues.
Investigates permission and access control issues.
| Symptom | Likely Cause | First Check |
|---------|-------------|-------------|
| Forbidden error | Missing permission | auth can-i test |
| ServiceAccount can't access | Missing RoleBinding | Check bindings |
| Cross-namespace access denied | Need ClusterRole | Scope of role |
| API access denied in pod | Wrong ServiceAccount | Pod's SA |
```bash
# Can the current user do the action?
kubectl auth can-i <verb> <resource> -n <ns>

# Can the ServiceAccount do the action?
kubectl auth can-i <verb> <resource> -n <ns> \
  --as=system:serviceaccount:<namespace>:<serviceaccount>

# List all permissions for a ServiceAccount
kubectl auth can-i --list \
  --as=system:serviceaccount:<namespace>:<serviceaccount>
```
Common verbs: get, list, watch, create, update, patch, delete
```bash
# Which ServiceAccount does the pod use?
kubectl get pod <pod> -n <ns> -o jsonpath='{.spec.serviceAccountName}'

# ServiceAccount details
kubectl get serviceaccount <sa> -n <ns> -o yaml

# Does the ServiceAccount exist?
kubectl get serviceaccount -n <ns>
```

```bash
# RoleBindings in namespace (namespace-scoped permissions)
kubectl get rolebinding -n <ns>

# Details of a specific binding
kubectl describe rolebinding <binding> -n <ns>

# ClusterRoleBindings (cluster-wide permissions)
kubectl get clusterrolebinding

# Find bindings for a ServiceAccount
kubectl get rolebinding,clusterrolebinding -A -o json | \
  jq '.items[] | select(.subjects[]?.name=="<serviceaccount>") | .metadata.name'
```

```bash
# Roles in namespace
kubectl get role -n <ns>

# Role details (shows permissions)
kubectl describe role <role> -n <ns>

# ClusterRoles
kubectl get clusterrole

# ClusterRole details
kubectl describe clusterrole <role>
```
```text
ServiceAccount (identity)
        ↓
RoleBinding/ClusterRoleBinding (connects identity to permissions)
        ↓
Role/ClusterRole (defines permissions)
```

| Component | Scope | Use For |
|-----------|-------|---------|
| Role | Namespace | Namespace-scoped resources |
| ClusterRole | Cluster | Cluster-scoped or cross-namespace |
| RoleBinding | Namespace | Grants Role/ClusterRole in namespace |
| ClusterRoleBinding | Cluster | Grants ClusterRole cluster-wide |
```bash
# Check the pod's ServiceAccount
kubectl get pod <pod> -n <ns> -o jsonpath='{.spec.serviceAccountName}'

# Test what that SA can do
kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa>

# Check whether the SA token is mounted
kubectl get pod <pod> -n <ns> -o jsonpath='{.spec.automountServiceAccountToken}'
```

```bash
# Test the exact action
kubectl auth can-i get pods -n <ns> --as=system:serviceaccount:<ns>:<sa>

# Find which roles mention this resource (prints each matching role name once;
# `any` avoids repeating a role for every matching rule)
kubectl get roles -n <ns> -o json | \
  jq -r '.items[] | select(any(.rules[]; .resources[]? == "pods")) | .metadata.name'
```
For cross-namespace access, you need a ClusterRole (not a Role) and a binding for it in the target namespace:

```bash
# Check that the ClusterRole exists
kubectl get clusterrole <role>

# Check bindings in the target namespace
kubectl get rolebinding -n <target-ns>
```
```bash
# Common checks for a ServiceAccount
SA="system:serviceaccount:<ns>:<sa>"
kubectl auth can-i get pods -n <ns> --as=$SA
kubectl auth can-i list secrets -n <ns> --as=$SA
kubectl auth can-i create deployments -n <ns> --as=$SA
kubectl auth can-i get nodes --as=$SA   # cluster-scoped
```
```bash
# 1. Identify the denied action from the error message, e.g.
#    forbidden: User "system:serviceaccount:default:myapp" cannot get pods

# 2. Test the permission
kubectl auth can-i get pods -n default --as=system:serviceaccount:default:myapp

# 3. Check what bindings exist for that SA
kubectl get rolebinding,clusterrolebinding -A -o wide | grep myapp

# 4. Check what permissions those roles grant
kubectl describe role <role> -n <ns>
```
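The identity → binding → role chain and the four-step diagnosis above, as an added Python example that is not part of the skill file: a simplified offline model of the decision `kubectl auth can-i` asks the API server to make. The `myapp` ServiceAccount, `ROLES`, `CLUSTER_ROLES` and the bindings are constructed samples; the model deliberately omits resourceNames, subresources, group subjects and aggregated ClusterRoles.

```python
# Added example: minimal model of RBAC evaluation (ServiceAccount -> binding -> role).
# All objects below are constructed samples, not output from a real cluster.

SA = "system:serviceaccount:default:myapp"  # identity named in the Forbidden error

# Role rules keyed by (namespace, name); ClusterRole rules keyed by name.
ROLES = {("default", "pod-reader"): [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
CLUSTER_ROLES = {"node-viewer": [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get"]}]}

# A RoleBinding is tied to one namespace; a ClusterRoleBinding applies everywhere.
ROLE_BINDINGS = [{"namespace": "default", "roleRef": ("Role", "pod-reader"), "subjects": [SA]}]
CLUSTER_ROLE_BINDINGS = [{"roleRef": ("ClusterRole", "node-viewer"), "subjects": [SA]}]


def _matches(wanted, allowed):
    """A rule field matches when it lists the value or the wildcard '*'."""
    return wanted in allowed or "*" in allowed


def rule_allows(rule, verb, resource, api_group=""):
    """One PolicyRule allows the action only if verb, resource and apiGroup all match."""
    return (_matches(verb, rule["verbs"]) and _matches(resource, rule["resources"])
            and _matches(api_group, rule["apiGroups"]))


def rules_for(role_ref, binding_ns):
    """Resolve a roleRef: a Role in the binding's own namespace, or a ClusterRole."""
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((binding_ns, name), [])


def can_i(subject, verb, resource, namespace=None):
    """Mirror of `kubectl auth can-i <verb> <resource> [-n ns] --as=<subject>`.
    namespace=None is a cluster-scoped request, which only a ClusterRoleBinding can grant."""
    # RoleBindings grant permissions only for requests inside their own namespace,
    # which is why a Role bound in "default" never satisfies a request in "prod".
    for rb in ROLE_BINDINGS:
        if subject in rb["subjects"] and rb["namespace"] == namespace:
            if any(rule_allows(r, verb, resource) for r in rules_for(rb["roleRef"], namespace)):
                return True
    # ClusterRoleBindings apply to every namespace and to cluster-scoped resources.
    for crb in CLUSTER_ROLE_BINDINGS:
        if subject in crb["subjects"]:
            if any(rule_allows(r, verb, resource) for r in rules_for(crb["roleRef"], None)):
                return True
    return False


if __name__ == "__main__":
    for verb, res, ns in [("get", "pods", "default"), ("get", "pods", "prod"),
                          ("list", "secrets", "default"), ("get", "nodes", None)]:
        print(f"can-i {verb} {res} -n {ns}: {'yes' if can_i(SA, verb, res, ns) else 'no'}")
```

Running it shows the cross-namespace case from the table: the same ServiceAccount can `get pods` in `default` but not in `prod`, because the RoleBinding lives only in `default`.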
Note: pods use the `default` ServiceAccount of their namespace unless one is specified in `spec.serviceAccountName`.