I have a service account called steve running in the default namespace with a role binding to a cluster role allowing read access to nodes and /metrics.
How should I interpret the output of kubectl auth can-i --list when it is applied for different namespaces? More specifically, nodes and /metrics are not namespaced; why are they not showing in all outputs?
Case 1) I see nodes and /metrics when listing actions the service account can perform in the default namespace
Case 2) I don’t see nodes and /metrics when listing actions the service account can perform in the kube-system namespace
master $ kubectl auth can-i --list --as=system:serviceaccount:default:steve --namespace=kube-system
Resources Non-Resource URLs Resource Names Verbs
. []
[] []
selfsubjectaccessreviews.authorization.k8s.io [] [] [create]
selfsubjectrulesreviews.authorization.k8s.io [] [] [create]
[/api/] [get]
[/api] [get]
[/apis/] [] [get]
[/apis] [] [get]
[/healthz] [] [get]
[/healthz] [] [get]
[/openapi/] [get]
[/openapi] [get]
[/version/] [get]
[/version/] [get]
[/version] [get]
[/version] [get]
Thank you!