From dc326f0389f15b1733266a940bc99da779b251a6 Mon Sep 17 00:00:00 2001 From: Chiranga Alwis Date: Sun, 10 Oct 2021 02:14:43 +0530 Subject: [PATCH] Add example for querying SA permissions Add example for querying SA permissions Add missing example for querying the API authorization layer for checking the permissions of a Service Account Add missing SA identifying prefix Improve suggested text to align with current content Co-authored-by: Sam Roth <2413031+sejr@users.noreply.github.com> Improve suggested text to align with current content Co-authored-by: Sam Roth <2413031+sejr@users.noreply.github.com> --- .../reference/access-authn-authz/authorization.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/content/en/docs/reference/access-authn-authz/authorization.md b/content/en/docs/reference/access-authn-authz/authorization.md index 0292ad8130..0698512772 100644 --- a/content/en/docs/reference/access-authn-authz/authorization.md +++ b/content/en/docs/reference/access-authn-authz/authorization.md @@ -134,6 +134,21 @@ The output is similar to this: no ``` +Similarly, to check whether a Service Account named `dev-sa` in Namespace `dev` +can list Pods in the Namespace `target`: + +```bash +kubectl auth can-i list pods \ + --namespace target \ + --as system:serviceaccount:dev:dev-sa +``` + +The output is similar to this: + +``` +yes +``` + `SelfSubjectAccessReview` is part of the `authorization.k8s.io` API group, which exposes the API server authorization to external services. Other resources in this group include:
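Review bot: The added sentence introducing the `kubectl auth can-i list pods` example does not say that `--as system:serviceaccount:dev:dev-sa` works through user impersonation, so the person running it needs permission to impersonate that ServiceAccount. A reader without that permission gets an authorization error rather than the `yes` shown in the output block. Suggest adding one sentence after "can list Pods in the Namespace `target`:" stating that the caller must be allowed to impersonate the account, and naming the `system:serviceaccount:<namespace>:<name>` form explicitly, since the commit message mentions the prefix but the added text never explains it. Style point: the prose writes "Service Account" as two words, whereas the API kind is `ServiceAccount`. The new output fence also has no language tag while the command fence is tagged `bash`; use whichever convention the rest of the file follows.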