How can I audit or examine RBAC Roles for different accounts within a Kubernetes cluster?

Follow
Table of Contents

Question

Access to different resources within Kubernetes is handled by role-based access control (RBAC).

These resources are referenced by the resource name and API group, for example pods within the core/v1 Kubernetes API group or clusters within the management.cattle.io/v3 API group.

A role can be applied (or bound) to different subjects, like a user, group or service account via role bindings, to grant varying degress of access to these resource types at a cluster or namespace level. The access a role grants on a particular resource type is defined by verbs, e.g. get, create, list, watch, delete, and patch etc.

This article details methods by which you can audit or examine role-based access control (RBAC) roles for different accounts within a Kubernetes cluster.

Pre-requisites

  • A Kubernetes cluster
  • kubectl access to the cluster

Answer

To audit a specific account, the kubectl command can use the can-i option with the impersonation API to examine what verbs a user has access to, given a specific namespace.

Basic Usage

Basic usage of the kubectl can-i option takes the following form:

kubectl auth can-i <verb> <resource> --as account --namespace=<namespace> 

Can my user perform all verbs on all resources? Am I an admin?

kuboectl auth can-i "*" "*"

Can the helm serviceaccount delete pods in the current namespace or cluster-wide?

kubectl auth can-i delete pods --as helm 

Is user1234 an admin in the "testing" namespace? Can they perform all verbs on all resources?

kubectl auth can-i "*" "*" --namespace=testing --as user1234

List option gives insight into permissions for a user or account

kubectl auth can-i --list --namespace=testing --as user1234

Additional tools for querying RBAC

Other open-source third-party tools exist for auditing RBAC, many of which use the Krew plugin framework:

  • access-matrix - output a CLI matrix of what users or roles have permissions
  • rbac-lookup - perform lookups given subject queries
  • who-can - see "who-can" perform a certain verb on a resource, like an opposite view of "can-i"

Third-party tools also exist for creating visualizations of the RBAC configuration:

  • RBack - parse the output from the kubectl commands as json, import into visualization in different formats
  • RBAC-view - visualizing RBAC relationships via a dashboard interface

Further Reading

Was this article helpful?
2 out of 2 found this helpful

Comments

0 comments

Please sign in to leave a comment.