Add example for querying SA permissions

chirangaalwis · sejr · chirangaalwis · commit dc326f0389f1 · 2021-10-11T18:14:39.000+05:30
Add example for querying SA permissions

Add missing example for querying the API authorization layer for checking the permissions of a Service Account

Add missing SA identifying prefix

Improve suggested text to align with current content

Co-authored-by: Sam Roth &lt;2413031+sejr@users.noreply.github.com&gt;

Improve suggested text to align with current content

Co-authored-by: Sam Roth &lt;2413031+sejr@users.noreply.github.com&gt;
diff --git a/content/en/docs/reference/access-authn-authz/authorization.md b/content/en/docs/reference/access-authn-authz/authorization.md
@@ -134,6 +134,21 @@ The output is similar to this:
 no
 ```
 
+Similarly, to check whether a Service Account named `dev-sa` in Namespace `dev`
+can list Pods in the Namespace `target`:
+
+```bash
+kubectl auth can-i list pods \
+	--namespace target \
+	--as system:serviceaccount:dev:dev-sa
+```
+
+The output is similar to this:
+
+```
+yes
+```
+
 `SelfSubjectAccessReview` is part of the `authorization.k8s.io` API group, which
 exposes the API server authorization to external services. Other resources in
 this group include:
