Skip to content

A collection of good practices and tools for Kubernetes RBAC

License

Notifications You must be signed in to change notification settings

mhausenblas/rbac.dev

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

37 Commits
 
 
 
 
 
 
 
 

Repository files navigation

A site dedicated to good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.

For recipes, tips and tricks around RBAC see recipes.rbac.dev.

Official Kubernetes docs

Talks and articles

Tooling

  • cyberark/KubiScan: a tool by Eviatar Gerzi to scan Kubernetes cluster for risky RBAC permissions
  • appvia/krane: a Kubernetes RBAC static analysis and visualisation tool
  • alcideio/rbac-tool: Collection of Kubernetes RBAC power toys - Visualize, Generate & Query by Alcide

Generators and operators

  • liggitt/audit2rbac: takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
  • fairwindsops/rbac-manager: operator that supports declarative configuration for RBAC with new custom resources.
  • rond-authz/rond: Rönd is a lightweight container that distributes security policy enforcing throughout your application.

Interactive queries

  • corneliusweig/rakkess: show an access matrix for server resources.
  • fairwindsops/rbac-lookup: allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name.
  • sbueringer/kubernetes-rbacq: simplifies querying Subjects and Rights specified in Kubernetes through Roles/ClusterRoles and RoleBindings/ClusterRoleBindings.
  • Ladicle/kubectl-bindrole: finding Kubernetes roles bound to a specified service account, group or user.
  • aquasecurity/kubectl-who-can: show all the subjects who have permission to perform a given verb on specified resources, for example, find all the subjects who can create pods in a given namespace, or who can delete nodes in the cluster.
  • mhausenblas/rbIAM: a unified AWS IAM & Kubernetes RBAC access control exploration tool.

Visualization

  • jasonrichardsmith/rbac-view: visualizes RBAC permissions in tabular format in your browser.
  • team-soteria/rback: generates a graph representation (in Graphviz dot format) of a Kubernetes cluster's RBAC settings.
  • sighupio/permission-manager: super-easy and user-friendly RBAC management for Kubernetes. You can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice and easy web UI.

Releases

No releases published

Packages

No packages published