Access to different resources within Kubernetes is handled by role-based access control (RBAC).
These resources are referenced by the resource name and API group, for example pods within the core/v1 Kubernetes API group or clusters within the management.cattle.io/v3 API group.
A role can be applied (or bound) to different subjects, like a user, group or service account via role bindings, to grant varying degress of access to these resource types at a cluster or namespace level. The access a role grants on a particular resource type is defined by verbs, e.g. get, create, list, watch, delete, and patch etc.
This article details methods by which you can audit or examine role-based access control (RBAC) roles for different accounts within a Kubernetes cluster.
- A Kubernetes cluster
- kubectl access to the cluster
To audit a specific account, the kubectl command can use the can-i option with the impersonation API to examine what verbs a user has access to, given a specific namespace.
Basic usage of the kubectl can-i option takes the following form:
kubectl auth can-i <verb> <resource> --as account --namespace=<namespace>
Can my user perform all verbs on all resources? Am I an admin?
kuboectl auth can-i "*" "*"
Can the helm serviceaccount delete pods in the current namespace or cluster-wide?
kubectl auth can-i delete pods --as helm
Is user1234 an admin in the "testing" namespace? Can they perform all verbs on all resources?
kubectl auth can-i "*" "*" --namespace=testing --as user1234
List option gives insight into permissions for a user or account
kubectl auth can-i --list --namespace=testing --as user1234
Additional tools for querying RBAC
Other open-source third-party tools exist for auditing RBAC, many of which use the Krew plugin framework:
- access-matrix - output a CLI matrix of what users or roles have permissions
- rbac-lookup - perform lookups given subject queries
- who-can - see "who-can" perform a certain verb on a resource, like an opposite view of "can-i"
Third-party tools also exist for creating visualizations of the RBAC configuration:
- RBack - parse the output from the kubectl commands as json, import into visualization in different formats
- RBAC-view - visualizing RBAC relationships via a dashboard interface