rbac-tool
Changes
- Bug fixes
- Visualize PodSecurityPolicy references (rbac-tool viz)
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
Install
curl https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh | bash
Command Line Examples
# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx
# Scan and create a PNG image from the graph
rbac-tool viz --outformat dot --exclude-namespaces=soemns && cat rbac.dot | dot -Tpng > rbac.png && google-chrome rbac.png
# Render Online
https://dreampuf.github.io/GraphvizOnline
# Search all service accounts that contain myname
rbac-tool lookup -e '.*myname.*'
# Look up all accounts that do NOT start with system:
rbac-tool lookup -ne '^system:.*'
# List policy rules for users (or all of them)
rbac-tool policy-rules -e '^system:anonymous'
# Generate from Audit events & Visualize
rbac-tool auditgen -f testdata | rbac-tool viz -f -
# Generate a ClusterRole policy that allows reading everything except secrets and services
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list