rbac-lookup: Reverse Lookup for Kubernetes Authorization - Reactive Ops

Tell us more


rbac-lookup: Reverse Lookup for Kubernetes Authorization

rbac-lookup: Reverse Lookup for Kubernetes Authorization

If you’ve been working with Kubernetes authorization for any period of time, you’ve likely wanted to know the answer to a very simple question. “How much access does this user have to this cluster?” Unfortunately, that’s always been a surprisingly difficult question to answer. All the relevant Kubernetes APIs allow you to list Role Bindings and Cluster Role Bindings, but never something as simple as what roles are bound to a user.

With that in mind, we built a simple Go CLI, rbac-lookup, to help answer that question. To get started, you can simply download the latest release directly from GitHub or install it with Homebrew:

brew install reactiveops/tap/rbac-lookup

From there you can use rbac-lookup to easily see who has access to which roles. Here’s a quick example:

rbac-lookup rob

SUBJECT                   SCOPE             ROLE
[email protected]           cluster-wide      ClusterRole/view
[email protected]           nginx-ingress     ClusterRole/edit

This shows that “[email protected]” has cluster-wide view access in addition to edit access within the nginx-ingress namespace. To get this result, rbac-lookup goes through all RoleBindings and ClusterRoleBindings in the cluster, and returns any results where the subject (user, service account, or group) name matches the query.

As a more complete example, you could run a more broad query with a “wide” output flag:

rbac-lookup ro -owide

SUBJECT                   SCOPE             ROLE                SOURCE
User/[email protected]      cluster-wide      ClusterRole/view    ClusterRoleBinding/rob-cluster-view
User/[email protected]      nginx-ingress     ClusterRole/edit    RoleBinding/rob-edit
User/[email protected]     cluster-wide      ClusterRole/admin   ClusterRoleBinding/ross-admin
User/[email protected]      web               ClusterRole/edit    RoleBinding/ron-edit
ServiceAccount/rops       infra             ClusterRole/admin   RoleBinding/rops-admin

In this case, we see that there are a number of users and even a service account that match the “ro” query. This wide output gives us additional information like the type of subject and the specific source (RoleBinding or ClusterRoleBinding) the access is being granted from.

Hopefully this tool is just as helpful for you as it’s been for us. You can find the project on GitHub. If you’ve got any questions, feel free to reach out to me directly on Twitter or Kubernetes Slack (@robertjscott).

If you’ve made it this far, you’re probably really into Kubernetes and RBAC. If so, you might want to check out our related project, rbac-manager, an operator designed to simplify RBAC management.

Other Developer Hub Posts

| Rob Scott

How we manage Kubernetes RBAC and IAM Roles on GKE

Read more

| ReactiveOps

The Benefits of Running Kubernetes on Google Container Engine

Read more

| Eric Hole

kops 102 - An Inside Look at Deploying Kubernetes on...

Read more