github alcideio/rbac-tool v1.1.2

latest releases: v1.14.1, v1.14.0, v1.13.0...
20 months ago

insightCloudSec | insightCloudSec | RBAC TOOL

A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity

Install

Standalone

curl https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh | bash

kubectl plugin // krew //

$ kubectl krew install rbac-tool

Command Line Examples (Standalone)

# Show which users/groups/service accounts are allowed to read secrets in the cluster pointed by kubeconfig
rbac-tool who-can get secrets

# Scan the cluster pointed by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan and create a PNG image from the graph
rbac-tool viz --outformat dot --exclude-namespaces=soemns && cat rbac.dot | dot -Tpng > rbac.png && google-chrome rbac.png
# Render Online
https://dreampuf.github.io/GraphvizOnline

# Search All Service Accounts That Contains myname
rbac-tool lookup -e '.*myname.*'

# Lookup all accounts that DO NOT start with system: )
rbac-tool lookup -ne '^system:.*'

# List policy rules for users (or all of them)
rbac-tool policy-rules -e '^system:anonymous'

# Generate from Audit events & Visualize 
rbac-tool auditgen -f testdata  | rbac-tool viz   -f -

# Generate a `ClusterRole` policy that allows to read everything **except** *secrets* and *services*
rbac-tool  gen  --deny-resources=secrets.,services. --allowed-verbs=get,list

kubectl rbac-tool ...

# Generate HTML visualzation of your RBAC permissions
kubectl rbac-tool viz

# Query who can read secrets
kubectl rbac-tool who-can get secret

# Generate a ClusterRole policy that allows to read everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

Don't miss a new rbac-tool release

NewReleases is sending notifications on new releases.