Releases: alcideio/rbac-tool

v1.7.1

16 Jun 05:24

insightCloudSec | insightCloudSec | RBAC TOOL

A collection of Kubernetes RBAC tools to sugar-coat Kubernetes RBAC complexity

What's New

  • Support for the deprecated PodSecurityPolicy is switched off by default
  • Commands still work when PSP permissions are missing
  • Migrated to Go 1.17

Install

Standalone

curl https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh | bash

kubectl plugin (krew)

$ kubectl krew install rbac-tool

Command Line Examples (Standalone)

# Show which users/groups/service accounts are allowed to read secrets in the cluster pointed by kubeconfig
rbac-tool who-can get secrets

# Scan the cluster pointed by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx

# Scan and create a PNG image from the graph
rbac-tool viz --outformat dot --exclude-namespaces=soemns && dot -Tpng rbac.dot > rbac.png && google-chrome rbac.png
# Render Online
https://dreampuf.github.io/GraphvizOnline

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
rbac-tool analysis -o table

# Search all service accounts whose name contains myname
rbac-tool lookup -e '.*myname.*'

# Look up all accounts that do NOT start with system:
rbac-tool lookup -ne '^system:.*'

# List policy rules for users (or all of them)
rbac-tool policy-rules -e '^system:anonymous'

# Generate from audit events and visualize
rbac-tool auditgen -f testdata  | rbac-tool viz   -f -

# Generate a `ClusterRole` policy that allows reading everything **except** *secrets* and *services*
rbac-tool  gen  --deny-resources=secrets.,services. --allowed-verbs=get,list

kubectl rbac-tool ...

# Generate an HTML visualization of your RBAC permissions
kubectl rbac-tool viz

# Query who can read secrets
kubectl rbac-tool who-can get secret

# Generate a ClusterRole policy that allows reading everything except secrets and services
kubectl rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list

# Analyze cluster RBAC permissions to identify overly permissive roles and principals
kubectl rbac-tool analysis -o table
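What a `who-can get secrets` query has to compute, shown as an added illustration that is not rbac-tool's own code: a simplified RBAC resolver in Go that walks ClusterRoleBindings and RoleBindings over a constructed set of roles and bindings and answers "who can get secrets" for a given namespace. The wildcard handling and the scoping rules (a RoleBinding grants only inside its own namespace and may reference a Role there or a ClusterRole; a ClusterRoleBinding may reference only a ClusterRole) follow the Kubernetes RBAC model. The subject rendering (`Kind/Name`, or `Kind/Namespace/Name` for service accounts), the `SampleCluster` fixture and the `WhoCan` function name are this example's own assumptions, not the tool's output format or API; resourceNames, aggregated ClusterRoles and the special verbs are left out of the model.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule keeps the PolicyRule fields that decide "who can <verb> <resource>";
// resourceNames and nonResourceURLs are left out of this simplified model.
type Rule struct {
	Verbs, APIGroups, Resources []string // "" is the core API group, "*" matches anything
}

// Role is a namespaced Role when Namespace != "", otherwise a ClusterRole.
type Role struct {
	Name, Namespace string
	Rules           []Rule
}

// Binding is a RoleBinding when Namespace != "", otherwise a ClusterRoleBinding.
// Subjects are pre-rendered as Kind/Name (Kind/Namespace/Name for service accounts).
type Binding struct {
	Namespace, RoleKind, RoleName string // RoleKind is "Role" or "ClusterRole"
	Subjects                      []string
}

// matches implements RBAC wildcard semantics: "*" in a rule matches any value.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// ruleAllows reports whether a single rule grants verb on group/resource.
func ruleAllows(r Rule, verb, group, resource string) bool {
	return matches(r.Verbs, verb) && matches(r.APIGroups, group) && matches(r.Resources, resource)
}

// WhoCan returns the sorted, de-duplicated subjects allowed to perform verb on
// group/resource in namespace ns. ns == "" asks the cluster-wide question, which
// only ClusterRoleBindings can answer. A RoleBinding grants only inside its own
// namespace and may reference a Role there or a ClusterRole; a ClusterRoleBinding
// may reference only a ClusterRole.
func WhoCan(roles []Role, bindings []Binding, verb, group, resource, ns string) []string {
	roleByKey := make(map[string]Role) // key "<namespace>/<name>", so ClusterRoles are "/<name>"
	for _, r := range roles {
		roleByKey[r.Namespace+"/"+r.Name] = r
	}
	seen := make(map[string]bool)
	for _, b := range bindings {
		if b.Namespace != "" && b.Namespace != ns {
			continue // RoleBinding in a different namespace: irrelevant to this question
		}
		key := "/" + b.RoleName // ClusterRole reference
		if b.RoleKind == "Role" {
			if b.Namespace == "" {
				continue // a ClusterRoleBinding cannot reference a namespaced Role
			}
			key = b.Namespace + "/" + b.RoleName
		}
		role, ok := roleByKey[key]
		if !ok {
			continue // dangling roleRef grants nothing
		}
		for _, rule := range role.Rules {
			if ruleAllows(rule, verb, group, resource) {
				for _, s := range b.Subjects {
					seen[s] = true
				}
				break
			}
		}
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// SampleCluster is a constructed fixture for this example, not data from a real cluster.
func SampleCluster() ([]Role, []Binding) {
	all := []string{"*"}
	core := []string{""}
	roles := []Role{
		{Name: "cluster-admin", Rules: []Rule{{all, all, all}}},
		{Name: "secret-reader", Rules: []Rule{{[]string{"get", "list"}, core, []string{"secrets"}}}},
		{Name: "pod-viewer", Rules: []Rule{{[]string{"get", "list", "watch"}, core, []string{"pods", "services"}}}},
		{Name: "dev-full", Namespace: "dev", Rules: []Rule{{all, []string{"", "apps"}, []string{"pods", "secrets", "deployments"}}}},
	}
	bindings := []Binding{
		{RoleKind: "ClusterRole", RoleName: "cluster-admin", Subjects: []string{"Group/system:masters"}},
		{RoleKind: "ClusterRole", RoleName: "pod-viewer", Subjects: []string{"Group/system:authenticated"}},
		// A RoleBinding to a ClusterRole grants its rules in the prod namespace only.
		{Namespace: "prod", RoleKind: "ClusterRole", RoleName: "secret-reader", Subjects: []string{"ServiceAccount/prod/backup"}},
		{Namespace: "dev", RoleKind: "Role", RoleName: "dev-full", Subjects: []string{"User/alice"}},
	}
	return roles, bindings
}

func main() {
	roles, bindings := SampleCluster()
	for _, ns := range []string{"prod", "dev", ""} {
		fmt.Printf("who can get secrets in %q: %v\n", ns, WhoCan(roles, bindings, "get", "", "secrets", ns))
	}
}
```

The per-namespace loop in `main` is the point of the exercise: the `backup` service account shows up only for `prod`, `alice` only for `dev`, and the cluster-wide question is answered by `system:masters` alone, because the two RoleBindings never reach beyond their own namespace. A real cluster adds aggregated ClusterRoles, resourceNames and the special verbs on top of this, which is what makes a tool like rbac-tool worth running rather than reading bindings by hand.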

v1.6.3

27 Jan 17:51

v1.6.2

18 Nov 08:27
7c64cc6

v1.6.1

01 Nov 08:39
f4b5676

What's New

  • Fix Mac M1 support (#46)

v1.6.0

25 Oct 07:52
bd71ae5

What's New

  • Added rule origin (Role/ClusterRole) information when running rbac-tool policy-rules (#43)
  • rbac-tool policy-rules table output is sorted across more columns for clarity

v1.5.0

19 Oct 13:33
fb1e18c

What's New

  • Added new analysis rules for OPA Gatekeeper (#42)

v1.4.1

13 Oct 18:15
45249fd

What's New

  • Added Cluster Analysis Rules to cover (#41)
    • Networking and Network Access related permissions
    • Admission Controllers related permissions
    • Installing or Modifying Cluster Extensions (CRDs)

v1.4.0

11 Oct 12:30
f21c997

What's New

  • Added new analysis rules for storage resources (#40)

v1.3.0

29 Sep 17:41
5c72dcf

What's New

  • New analysis command: analyzes RBAC permissions and highlights overly permissive principals and risky permissions
  • Added support for special RBAC verbs (#36)

v1.2.1

05 Sep 11:55
2beb5f6