-
Notifications
You must be signed in to change notification settings - Fork 46
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
19 additions
and
16 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -27,19 +27,10 @@ [email protected] cluster-wide ClusterRole/view | |
| [email protected] nginx-ingress ClusterRole/edit | ||
| ``` | ||
|
|
||
| The wide output option includes the kind of subject (user, service account, or group), along with the source role binding. | ||
| The wide output option includes the kind of subject along with the source role binding. | ||
|
|
||
| ``` | ||
| rbac-lookup rob -owide | ||
| SUBJECT SCOPE ROLE SOURCE | ||
| User/[email protected] cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view | ||
| User/[email protected] nginx-ingress ClusterRole/edit RoleBinding/rob-edit | ||
| ``` | ||
|
|
||
| With a more generic query, we can see that a variety of users and service accounts can be returned, as long as they match the query. | ||
| ``` | ||
| rbac-lookup ro -owide | ||
| rbac-lookup ro --output wide | ||
| SUBJECT SCOPE ROLE SOURCE | ||
| User/[email protected] cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view | ||
|
|
@@ -48,12 +39,15 @@ User/[email protected] web ClusterRole/edit RoleBinding/ron- | |
| ServiceAccount/rops infra ClusterRole/admin RoleBinding/rops-admin | ||
| ``` | ||
|
|
||
| Of course a query is an optional parameter for rbac-lookup. You could simply run `rbac-lookup` to get a full picture of authorization in your cluster, and then pipe that output to something like grep for your own more advanced filtering. | ||
| It's also possible to filter output by the kind of RBAC Subject. The `--kind` or `-k` parameter accepts `user`, `group`, and `serviceaccount` as values. | ||
|
|
||
| ``` | ||
| rbac-lookup | grep rob | ||
| rbac-lookup ro --output wide --kind user | ||
| SUBJECT SCOPE ROLE SOURCE | ||
| User/[email protected] cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view | ||
| User/[email protected] nginx-ingress ClusterRole/edit RoleBinding/rob-edit | ||
| User/[email protected] web ClusterRole/edit RoleBinding/ron-edit | ||
| ``` | ||
|
|
||
| ### GKE IAM Integration | ||
|
|
@@ -73,7 +67,7 @@ [email protected] project-wide IAM/viewer | |
| Of course this GKE integration also supports wide output, in this case referencing the specific IAM roles that are assigned to a user. | ||
|
|
||
| ``` | ||
| rbac-lookup rob --gke -owide | ||
| rbac-lookup rob --gke --output wide | ||
| SUBJECT SCOPE ROLE SOURCE | ||
| User/[email protected] cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view | ||
|
|
@@ -84,6 +78,15 @@ User/[email protected] project-wide IAM/gcp-viewer IAMRole/viewer | |
|
|
||
| At this point this integration only supports standard IAM roles, and is not advanced enough to include any custom roles. For a full list of supported roles and how they are mapped, view [lookup/gke_roles.go](lookup/gke_roles.go). | ||
|
|
||
| ## Flags Supported | ||
| ``` | ||
| --context string context to use for Kubernetes config | ||
| --gke enable GKE integration | ||
| -h, --help help for rbac-lookup | ||
| -k, --kind string filter by this RBAC subject kind (user, group, serviceaccount) | ||
| -o, --output string output format (normal, wide) | ||
| ``` | ||
|
|
||
| ## RBAC Manager | ||
| While RBAC Lookup helps provide visibility into Kubernetes auth, RBAC Manager helps make auth simpler to manage. This is a Kubernetes operator that enables more concise RBAC configuration that is easier to scale and automate. For more information, see [RBAC Manager on GitHub](https://github.com/reactiveops/rbac-manager). | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters