It appears kubectl has first-class support via api-resources like:

$ kubectl api-resources -o wide
$ kubectl api-resources --api-group certificates.k8s.io -o wide
$ kubectl api-resources --namespaced -o wide

Alternatively, we can use curl to query Kubernetes API, but we have to expose the API endpoint first:

$ kubectl proxy --port 8080 &

Lookup API groups (known as named groups)

$ GROUP_NAME="certificates.k8s.io"
$ RESOURCE_NAME="certificatesigningrequests"
$ curl -s http://localhost:8080/apis | jq -r '.groups[] | .name'
$ curl -s http://localhost:8080/apis | jq -r --arg group_name "$GROUP_NAME" '.groups[] | select(.name | contains($group_name))'
$ api_uri=$(curl -s http://localhost:8080/apis | jq -r --arg group_name "$GROUP_NAME" '.groups[] | select(.name | contains($group_name)) | .preferredVersion.groupVersion')
$ curl -s http://localhost:8080/apis/$api_uri | jq -r '.resources[] | [.name, (.verbs | join(" "))] | join(" = ")'
$ curl -s http://localhost:8080/apis/$api_uri | jq -r --arg resource_name "$RESOURCE_NAME" '.resources[] | select(.name | contains($resource_name)) | [.name, (.verbs | join(" "))] | join(" = ")'

Lookup core APIs (known as legacy)

$ RESOURCE_NAME="configmaps"
$ curl -s http://localhost:8080/api/v1 | jq -r '.resources[] | .name'
$ curl -s http://localhost:8080/api/v1 | jq -r '.resources[] | [.name, (.verbs | join(" "))] | join(" = ")'
$ curl -s http://localhost:8080/api/v1 | jq -r --arg resource_name "$RESOURCE_NAME" '.resources[] | select(.name | contains($resource_name)) | [.name, (.verbs | join(" "))] | join(" = ")'

Reference

https://kubernetes.io/docs/reference/using-api/#api-groups