Published in uptime 99

rbac-lookup: Reverse Lookup for Kubernetes Authorization

If you’ve been working with Kubernetes authorization for any length of time, you’ve likely wanted to know the answer to a very simple question: “How much access does this user have to this cluster?” Unfortunately, that’s always been a surprisingly difficult question to answer. The relevant Kubernetes APIs let you list RoleBindings and ClusterRoleBindings, but none of them answers something as simple as which roles are bound to a given user.

With that in mind, we built a simple Go CLI, rbac-lookup, to help answer that question. To get started, you can simply download the latest release directly from GitHub or install it with Homebrew:

brew install reactiveops/tap/rbac-lookup

From there you can use rbac-lookup to easily see who has access to which roles. Here’s a quick example:

This shows that “rob@example.com” has cluster-wide view access in addition to edit access within the nginx-ingress namespace. To get this result, rbac-lookup goes through all RoleBindings and ClusterRoleBindings in the cluster, and returns any results where the subject (user, service account, or group) name matches the query.

As a more complete example, you could run a broader query with a “wide” output flag:

In this case, we see that there are a number of users and even a service account that match the “ro” query. This wide output gives us additional information like the type of subject and the specific source (RoleBinding or ClusterRoleBinding) the access is being granted from.
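The reverse lookup described above, together with the extra columns of the wide output, as an added Go example that is not rbac-lookup's own code. The types, the `Lookup` function, the binding names and the substring match are assumptions for illustration, and the bindings are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Subject and Binding carry only the RBAC fields this lookup needs.
type Subject struct{ Kind, Name string }
type Binding struct {
	Kind, Name, Namespace string // Kind: RoleBinding or ClusterRoleBinding
	RoleRef               string // e.g. "ClusterRole/view"
	Subjects              []Subject
}

// Grant is one reverse-index row: who, at what scope, via which binding.
type Grant struct{ Subject, Kind, Scope, Role, Source string }

// Lookup inverts binding -> subjects and returns every grant whose subject
// name contains query (substring matching is an assumption of this sketch).
func Lookup(bindings []Binding, query string) []Grant {
	var out []Grant
	for _, b := range bindings {
		scope := "cluster-wide"
		if b.Kind == "RoleBinding" { // namespaced even when it binds a ClusterRole
			scope = b.Namespace
		}
		for _, s := range b.Subjects {
			if strings.Contains(s.Name, query) {
				out = append(out, Grant{s.Name, s.Kind, scope, b.RoleRef, b.Kind + "/" + b.Name})
			}
		}
	}
	return out
}

// Constructed sample bindings, not output from a real cluster.
var sample = []Binding{
	{"ClusterRoleBinding", "rob-view", "", "ClusterRole/view", []Subject{{"User", "rob@example.com"}}},
	{"RoleBinding", "rob-edit", "nginx-ingress", "ClusterRole/edit", []Subject{{"User", "rob@example.com"}}},
	{"ClusterRoleBinding", "ops-admin", "", "ClusterRole/cluster-admin", []Subject{{"User", "ron@example.com"}, {"Group", "ops"}}},
	{"RoleBinding", "robot-read", "web", "Role/pod-reader", []Subject{{"ServiceAccount", "robot"}}},
}

func main() {
	for _, g := range Lookup(sample, "ro") {
		fmt.Printf("%-16s %-15s %-14s %-26s %s\n", g.Subject, g.Kind, g.Scope, g.Role, g.Source)
	}
}
```

Matching is on the subject name only, so access a user inherits through a Group binding shows up under the group's name rather than the user's. When auditing a person's effective access, query their groups as well.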

Hopefully this tool is just as helpful for you as it’s been for us. You can find the project on GitHub. If you’ve got any questions, feel free to reach out to me directly on Twitter or Kubernetes Slack (@robertjscott).

If you’ve made it this far, you’re probably really into Kubernetes and RBAC. If so, you might want to check out our related project, rbac-manager, an operator designed to simplify RBAC management.




Rob Scott

Kubernetes, Docker, and more @ReactiveOps. Formerly @Spire.
