Releases: alcideio/rbac-tool
v1.14.1
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
What's New
- Fix crash on macOS Ventura
Install
Standalone
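# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh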
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
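# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Show the subject information of the identity that authenticates against the
# current cluster context
rbac-tool whoami

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group (compare --for-groups=,apps below) -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

# Generate a ClusterRole with all the available permissions for the core ("") and apps API groups
rbac-tool show --for-groups=,apps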
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
# Generate a ClusterRole with all the available permissions for the core and apps API groups
kubectl rbac-tool show --for-groups=,apps
# Show the subject information of the identity that authenticates against the current cluster context
kubectl rbac-tool whoami
v1.14.0
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
What's New
- New command
whoami
- Command output now goes to stdout
Install
Standalone
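# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh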
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
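# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Show the subject information of the identity that authenticates against the
# current cluster context
rbac-tool whoami

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group (compare --for-groups=,apps below) -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

# Generate a ClusterRole with all the available permissions for the core ("") and apps API groups
rbac-tool show --for-groups=,apps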
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
# Generate a ClusterRole with all the available permissions for the core and apps API groups
kubectl rbac-tool show --for-groups=,apps
# Show the subject information of the identity that authenticates against the current cluster context
kubectl rbac-tool whoami
v1.13.0
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
Install
Standalone
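# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh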
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
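# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group (compare --for-groups=,apps below) -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

# Generate a ClusterRole with all the available permissions for the core ("") and apps API groups
rbac-tool show --for-groups=,apps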
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
# Generate a ClusterRole with all the available permissions for the core and apps API groups
kubectl rbac-tool show --for-groups=,apps
v1.12.0
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
Install
Standalone
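# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh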
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
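# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group (compare --for-groups=,apps below) -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

# Generate a ClusterRole with all the available permissions for the core ("") and apps API groups
rbac-tool show --for-groups=,apps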
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
# Generate a ClusterRole with all the available permissions for the core and apps API groups
kubectl rbac-tool show --for-groups=,apps
v1.11.1
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
Install
Standalone
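# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh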
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
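# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group (compare --for-groups=,apps below) -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

# Generate a ClusterRole with all the available permissions for the core ("") and apps API groups
rbac-tool show --for-groups=,apps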
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
# Generate a ClusterRole with all the available permissions for the core and apps API groups
kubectl rbac-tool show --for-groups=,apps
v1.11.0
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
What's New
- New rbac analysis rules to capture risky permissions
Install
Standalone
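# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh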
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
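# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group (compare --for-groups=,apps below) -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

# Generate a ClusterRole with all the available permissions for the core ("") and apps API groups
rbac-tool show --for-groups=,apps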
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
# Generate a ClusterRole with all the available permissions for the core and apps API groups
kubectl rbac-tool show --for-groups=,apps
v1.10.1
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
What's New
- Go 1.19
- Dependencies update
- Added a new command
show
that generates the explicit set of permissions available for resources (and their subresources)
Install
Standalone
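# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh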
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
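# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group (compare --for-groups=,apps below) -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

# Generate a ClusterRole with all the available permissions for the core ("") and apps API groups
rbac-tool show --for-groups=,apps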
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
# Generate a ClusterRole with all the available permissions for the core and apps API groups
kubectl rbac-tool show --for-groups=,apps
v1.10.0
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
What's New
- Added a new command
show
that generates the explicit set of permissions available for resources (and their subresources)
Install
Standalone
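# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh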
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
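# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group (compare --for-groups=,apps below) -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

# Generate a ClusterRole with all the available permissions for the core ("") and apps API groups
rbac-tool show --for-groups=,apps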
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
# Generate a ClusterRole with all the available permissions for the core and apps API groups
kubectl rbac-tool show --for-groups=,apps
v1.9.0
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
What's New
- Fixed bash completion
Install
Standalone
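# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh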
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
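# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list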
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
v1.8.0
| insightCloudSec | RBAC TOOL
A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity
What's New
- Added Analysis Rule for Gateway API Resources
Install
Standalone
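# Download the installer to a file, review it, then run it.
# Piping a script fetched from a mutable branch (master) straight into bash
# executes whatever the branch holds at that instant, with no chance to read it;
# -f makes curl fail on an HTTP error instead of feeding an error page to bash.
# Prefer a tagged revision of the script if one is published.
curl -fsSL -o download.sh https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh
# Review download.sh (what it fetches, where it installs) before running it.
bash download.sh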
kubectl plugin (via krew)
$ kubectl krew install rbac-tool
Command Line Examples (Standalone)
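# Show which users/groups/service accounts are allowed to read secrets in the
# cluster pointed to by the current kubeconfig context.
# 'list' and 'watch' also return full Secret objects, so check those verbs too:
# a principal without 'get' may still be able to read every secret.
rbac-tool who-can get secrets
rbac-tool who-can list secrets

# Scan the cluster pointed to by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan, write the graph as Graphviz DOT, render rbac.dot to PNG and open it.
# 'soemns' is a placeholder for the namespace(s) to leave out of the graph.
# dot reads its input file directly, so the original 'cat rbac.dot | dot' is unnecessary.
rbac-tool viz --outformat dot --exclude-namespaces=soemns \
  && dot -Tpng rbac.dot > rbac.png \
  && google-chrome rbac.png

# Render online: https://dreampuf.github.io/GraphvizOnline
# Uploading rbac.dot to a third-party site discloses the cluster's subjects,
# namespaces and bindings; prefer rendering locally with dot as above.

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains 'myname' (the argument is a regex)
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with 'system:'
rbac-tool lookup -ne '^system:.*'

# List the policy rules that apply to matching subjects (or all of them when no
# expression is given). Rules bound to system:anonymous are reachable by
# unauthenticated clients when the API server allows anonymous requests.
rbac-tool policy-rules -e '^system:anonymous'

# Generate RBAC objects from audit events and visualize the result
rbac-tool auditgen -f testdata | rbac-tool viz -f -

# Generate a ClusterRole policy that allows reading everything EXCEPT secrets and services.
# The deny entries look like resource.group, the trailing '.' presumably standing
# for the core API group -- confirm with --help.
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list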
kubectl rbac-tool ...
# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz
# Query who can read secrets ('list' and 'watch' also return full Secret objects; check them too)
kubectl rbac-tool who-can get secret
# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table