rbac-lookup: Reverse Lookup for Kubernetes Authorization
If you’ve been working with Kubernetes authorization for any period of time, you’ve likely wanted to know the answer to a very simple question. “How much access does this user have to this cluster?” Unfortunately, that’s always been a surprisingly difficult question to answer. All the relevant Kubernetes APIs allow you to list Role Bindings and Cluster Role Bindings, but never something as simple as what roles are bound to a user.
With that in mind, we built a simple Go CLI, rbac-lookup, to help answer that question. To get started, you can simply download the latest release directly from GitHub or install it with Homebrew:
brew install reactiveops/tap/rbac-lookup
From there you can use rbac-lookup to easily see who has access to which roles. Here’s a quick example:
This shows that “email@example.com” has cluster-wide view access in addition to edit access within the nginx-ingress namespace. To get this result, rbac-lookup goes through all RoleBindings and ClusterRoleBindings in the cluster, and returns any results where the subject (user, service account, or group) name matches the query.
As a more complete example, you could run a more broad query with a “wide” output flag:
In this case, we see that there are a number of users and even a service account that match the “ro” query. This wide output gives us additional information like the type of subject and the specific source (RoleBinding or ClusterRoleBinding) the access is being granted from.
Hopefully this tool is just as helpful for you as it’s been for us. You can find the project on GitHub. If you’ve got any questions, feel free to reach out to me directly on Twitter or Kubernetes Slack (@robertjscott).
If you’ve made it this far, you’re probably really into Kubernetes and RBAC. If so, you might want to check out our related project, rbac-manager, an operator designed to simplify RBAC management.