From 62764d9520c9c780e0a4b355e64762b756dbeae7 Mon Sep 17 00:00:00 2001 From: Rob Scott Date: Fri, 1 Mar 2019 16:03:58 -0500 Subject: [PATCH] updating documentation --- README.md | 31 +++++++++++++++++-------------- cmd/root.go | 4 ++-- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 37df2f4..19f6eeb 100644 --- a/README.md +++ b/README.md @@ -27,19 +27,10 @@ rob@example.com cluster-wide ClusterRole/view rob@example.com nginx-ingress ClusterRole/edit ``` -The wide output option includes the kind of subject (user, service account, or group), along with the source role binding. +The wide output option includes the kind of subject along with the source role binding. ``` -rbac-lookup rob -owide - -SUBJECT SCOPE ROLE SOURCE -User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view -User/rob@example.com nginx-ingress ClusterRole/edit RoleBinding/rob-edit -``` - -With a more generic query, we can see that a variety of users and service accounts can be returned, as long as they match the query. -``` -rbac-lookup ro -owide +rbac-lookup ro --output wide SUBJECT SCOPE ROLE SOURCE User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view 
@@ -48,12 +39,15 @@ User/ron@example.com web ClusterRole/edit RoleBinding/ron- ServiceAccount/rops infra ClusterRole/admin RoleBinding/rops-admin ``` -Of course a query is an optional parameter for rbac-lookup. You could simply run `rbac-lookup` to get a full picture of authorization in your cluster, and then pipe that output to something like grep for your own more advanced filtering. +It's also possible to filter output by the kind of RBAC Subject. The `--kind` or `-k` parameter accepts `user`, `group`, and `serviceaccount` as values. + ``` -rbac-lookup | grep rob +rbac-lookup ro --output wide --kind user +SUBJECT SCOPE ROLE SOURCE User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view User/rob@example.com nginx-ingress ClusterRole/edit RoleBinding/rob-edit +User/ron@example.com web ClusterRole/edit RoleBinding/ron-edit ``` ### GKE IAM Integration @@ -73,7 +67,7 @@ rob@example.com project-wide IAM/viewer Of course this GKE integration also supports wide output, in this case referencing the specific IAM roles that are assigned to a user. ``` -rbac-lookup rob --gke -owide +rbac-lookup rob --gke --output wide SUBJECT SCOPE ROLE SOURCE User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view 
@@ -84,6 +78,15 @@ User/rob@example.com project-wide IAM/gcp-viewer IAMRole/viewer At this point this integration only supports standard IAM roles, and is not advanced enough to include any custom roles. For a full list of supported roles and how they are mapped, view [lookup/gke_roles.go](lookup/gke_roles.go). +## Flags Supported +``` + --context string context to use for Kubernetes config + --gke enable GKE integration + -h, --help help for rbac-lookup + -k, --kind string filter by this RBAC subject kind (user, group, serviceaccount) + -o, --output string output format (normal, wide) +``` + ## RBAC Manager While RBAC Lookup helps provide visibility into Kubernetes auth, RBAC Manager helps make auth simpler to manage. This is a Kubernetes operator that enables more concise RBAC configuration that is easier to scale and automate. For more information, see [RBAC Manager on GitHub](https://github.com/reactiveops/rbac-manager). diff --git a/cmd/root.go b/cmd/root.go index 0645339..fa6ae9c 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -45,9 +45,9 @@ var rootCmd = &cobra.Command{ } func init() { - rootCmd.PersistentFlags().StringVarP(&outputFormat, "output", "o", "", "output format (normal,wide)") + rootCmd.PersistentFlags().StringVarP(&outputFormat, "output", "o", "", "output format (normal, wide)") rootCmd.PersistentFlags().StringVarP(&kubeContext, "context", "", "", "context to use for Kubernetes config") - rootCmd.PersistentFlags().StringVarP(&subjectKind, "kind", "k", "", "filter by this RBAC subject type") + rootCmd.PersistentFlags().StringVarP(&subjectKind, "kind", "k", "", "filter by this RBAC subject kind (user, group, serviceaccount)") rootCmd.PersistentFlags().BoolVar(&enableGke, "gke", false, "enable GKE integration") }
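Review bot: In the first README hunk (@@ -27,19), the `rbac-lookup ro --output wide` example loses the sentence that introduced it ("With a more generic query, we can see that a variety of users and service accounts can be returned, as long as they match the query"), so the paragraph above it still talks about wide output for a single subject while the example that follows shows matches for a partial query. Keep a one-line explanation of partial matching before that example, or restore the sentence that was removed; the dropped parenthetical "(user, service account, or group)" would also be worth keeping in the wide-output sentence, since that list is the reader's only hint here of what the SUBJECT column's prefix means before the `--kind` section.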
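Review bot: The second README hunk (@@ -48,12) removes the only statement that the query argument is optional ("You could simply run `rbac-lookup` to get a full picture of authorization in your cluster") along with the `rbac-lookup | grep rob` example, and nothing in the added `--kind` paragraph replaces it. If the query is still optional (nothing in this patch changes argument handling), keep that sentence, since listing every binding in a cluster is the usage a reviewer auditing RBAC will reach for first. The new `--kind` paragraph itself reads fine; consider stating whether the values are case-sensitive, because the example output prints `User` and `ServiceAccount` while the flag documents lowercase `user` and `serviceaccount`.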
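Review bot: The "## Flags Supported" block added in the third README hunk (@@ -84,6) is a hand-copied version of the cobra help strings in cmd/root.go, so the two will drift the next time a flag changes (this very patch edits the `--output` and `--kind` strings in both places). Either note in the README that the list is the output of `rbac-lookup --help`, or drop the block and point readers at `--help`. Minor: the heading sits between "### GKE IAM Integration" and "## RBAC Manager"; if it is meant as a top-level section it is placed inside the GKE discussion, so moving it above the GKE section or below "## RBAC Manager" would keep the section order coherent.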
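Review bot: In the cmd/root.go hunk (@@ -45,9), the `--kind` help text now enumerates `user`, `group`, `serviceaccount`, but the flag is still a free-form `StringVarP` with no validation visible in this hunk, so a misspelled value (for example `--kind users`) would be accepted by the flag parser and, depending on how `subjectKind` is compared later, could silently produce an empty result that looks like "no bindings found". Consider rejecting values outside the documented set (a `PreRunE` on `rootCmd`, or a check before the lookup runs) so the user gets an error instead of a misleading empty audit; the same applies to `--output`, which documents `normal, wide` but accepts any string. Style nit: `--context` is registered with `StringVarP` and an empty shorthand; `StringVar` expresses the intent more directly.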