<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=521127644762074&amp;ev=PageView&amp;noscript=1">

rbac-lookup: Reverse Lookup for Kubernetes Authorization

If you’ve been working with Kubernetes authorization for any period of time, you’ve likely wanted to know the answer to a very simple question. “How much access does this user have to this cluster?” Unfortunately, that’s always been a surprisingly difficult question to answer. All the relevant Kubernetes APIs allow you to list Role Bindings and Cluster Role Bindings, but never something as simple as what roles are bound to a user.

With that in mind, we built a simple Go CLI, rbac-lookup, to help answer that question. To get started, you can simply download the latest release directly from GitHub or install it with Homebrew:

brew install reactiveops/tap/rbac-lookup

From there you can use rbac-lookup to easily see who has access to which roles. Here’s a quick example:

rbac-lookup rob

SUBJECT                   SCOPE             ROLE
rob@example.com           cluster-wide      ClusterRole/view
rob@example.com           nginx-ingress     ClusterRole/edit

This shows that “rob@example.com” has cluster-wide view access in addition to edit access within the nginx-ingress namespace. To get this result, rbac-lookup goes through all RoleBindings and ClusterRoleBindings in the cluster, and returns any results where the subject (user, service account, or group) name matches the query.

As a more complete example, you could run a more broad query with a “wide” output flag:

rbac-lookup ro -owide

SUBJECT                   SCOPE             ROLE                SOURCE
User/rob@example.com      cluster-wide      ClusterRole/view    ClusterRoleBinding/rob-cluster-view
User/rob@example.com      nginx-ingress     ClusterRole/edit    RoleBinding/rob-edit
User/ross@example.com     cluster-wide      ClusterRole/admin   ClusterRoleBinding/ross-admin
User/ron@example.com      web               ClusterRole/edit    RoleBinding/ron-edit
ServiceAccount/rops       infra             ClusterRole/admin   RoleBinding/rops-admin

In this case, we see that there are a number of users and even a service account that match the “ro” query. This wide output gives us additional information like the type of subject and the specific source (RoleBinding or ClusterRoleBinding) the access is being granted from.

Hopefully this tool is just as helpful for you as it’s been for us. You can find the project on GitHub. If you’ve got any questions, feel free to reach out to me directly on Twitter or Kubernetes Slack (@robertjscott).

If you’ve made it this far, you’re probably really into Kubernetes and RBAC. If so, you might want to check out our related project, rbac-manager, an operator designed to simplify RBAC management.


Download the Open Source Guide