{"id":13644389,"url":"https://github.com/alcideio/rbac-tool","last_synced_at":"2025-05-14T22:09:10.206Z","repository":{"id":37823344,"uuid":"249234631","full_name":"alcideio/rbac-tool","owner":"alcideio","description":"Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate \u0026 Query","archived":false,"fork":false,"pushed_at":"2025-02-13T20:57:41.000Z","size":851,"stargazers_count":1008,"open_issues_count":10,"forks_count":71,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-04-15T00:43:50.058Z","etag":null,"topics":["access-control","acl","authorization","cluster","k8s-cluster","krew-plugin","kubectl","kubectl-plugin","kubernetes","kubernetes-api","kubernetes-rbac","least-privilege","permissions","podsecuritypolicies","rapid7","rbac","security","who-can","whoami"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/alcideio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-03-22T17:22:01.000Z","updated_at":"2025-04-08T22:45:01.000Z","dependencies_parsed_at":"2023-11-27T12:27:26.487Z","dependency_job_id":"ccd03e91-279a-45e3-9faf-288ac5f34e0b","html_url":"https://github.com/alcideio/rbac-tool","commit_stats":{"total_commits":110,"total_committers":16,"mean_commits":6.875,"dds":0.4818181818181818,"last_synced_commit":"a0b8c036b90b8ed31de9ff1fcef854312f52c418"},"previous_names":["alcideio/rbac-minimize"],"tags_count":55,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/alcideio%2Frbac-tool","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alcideio%2Frbac-tool/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alcideio%2Frbac-tool/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/alcideio%2Frbac-tool/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/alcideio","download_url":"https://codeload.github.com/alcideio/rbac-tool/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254235701,"owners_count":22036964,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","acl","authorization","cluster","k8s-cluster","krew-plugin","kubectl","kubectl-plugin","kubernetes","kubernetes-api","kubernetes-rbac","least-privilege","permissions","podsecuritypolicies","rapid7","rbac","security","who-can","whoami"],"created_at":"2024-08-02T01:02:02.603Z","updated_at":"2025-05-14T22:09:05.188Z","avatar_url":"https://github.com/alcideio.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"\n![release](https://img.shields.io/github/v/release/alcideio/rbac-tool?sort=semver)\n![Go 
Version](https://img.shields.io/github/go-mod/go-version/alcideio/rbac-tool)\n[![Build](https://github.com/alcideio/rbac-tool/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/alcideio/rbac-tool/actions/workflows/build.yml)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n![Tweet](https://img.shields.io/twitter/url?style=social\u0026url=https%3A%2F%2Fgithub.com%2Falcideio%2Frbac-tool)\n\n## \u003cimg src=\"https://www.rapid7.com/Areas/Docs/includes/img/r7-nav/Rapid7_logo-short.svg\" alt=\"insightCloudSec\" width=\"28\"/\u003e | insightCloudSec | RBAC Tool For Kubernetes\n\n## Kubernetes RBAC\n\nRole-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization.\nRBAC authorization uses the `rbac.authorization.k8s.io` API group to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API.\n\nPermissions are purely **additive** (there are **no “deny”** rules).\n\nA Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.\nA ClusterRole, by contrast, is a non-namespaced resource.\nClusterRoles have several uses. 
You can use a ClusterRole to:\n\n- define permissions on namespaced resources and be granted within individual namespace(s)\n- define permissions on namespaced resources and be granted across all namespaces\n- define permissions on cluster-scoped resources\n\nIf you want to define a role within a namespace, use a Role; if you want to define a role cluster-wide, use a ClusterRole.\n\n**rbac-tool** simplifies querying and creating RBAC policies.\n\n## Install\n\n#### Standalone\nDownload the latest from the [release](https://github.com/alcideio/rbac-tool/releases) page.\n\n```shell script\ncurl https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh | bash\n```\n\n#### kubectl plugin // \u003cimg src=\"https://raw.githubusercontent.com/kubernetes-sigs/krew/master/assets/logo/horizontal/color/krew-horizontal-color.png\" alt=\"krew\" width=\"48\"/\u003e  \n\n```shell script\n$ kubectl krew install rbac-tool\n```\n\n# rbac-tool\n\nA collection of Kubernetes RBAC tools to sugar-coat Kubernetes RBAC complexity\n\n```shell script\nrbac-tool\n\nUsage:\n  rbac-tool [command]\n\nAvailable Commands:\n  analysis        Analyze RBAC permissions and highlight overly permissive principals, risky permissions, etc.\n  auditgen        Generate RBAC policy from Kubernetes audit events\n  bash-completion Generate bash completion. 
source \u003c(rbac-tool bash-completion)\n  generate        Generate Role or ClusterRole and reduce the use of wildcards\n  help            Help about any command\n  lookup          RBAC Lookup by subject (user/group/serviceaccount) name\n  policy-rules    RBAC List Policy Rules For subject (user/group/serviceaccount) name\n  show            Generate ClusterRole with all available permissions from the target cluster\n  version         Print rbac-tool version\n  visualize       A RBAC visualizer\n  who-can         Shows which subjects have RBAC permissions to perform an action\n  whoami          Shows the subject for the current context with which one authenticates with the cluster\n  \nFlags:\n  -h, --help      help for rbac-tool\n  -v, --v Level   number for the log level verbosity\n\nUse \"rbac-tool [command] --help\" for more information about a command.\n```\n\n- [The `rbac-tool viz` command](#rbac-tool-viz)\n- [The `rbac-tool analysis` command](#rbac-tool-analysis)\n- [The `rbac-tool lookup` command](#rbac-tool-lookup)\n- [The `rbac-tool who-can` command](#rbac-tool-who-can)\n- [The `rbac-tool policy-rules` command](#rbac-tool-policy-rules)\n- [The `rbac-tool auditgen` command](#rbac-tool-auditgen)\n- [The `rbac-tool gen` command](#rbac-tool-gen)\n- [The `rbac-tool show` command](#rbac-tool-show)\n- [The `rbac-tool whoami` command](#rbac-tool-whoami)\n- [Command Line Reference](#command-line-reference)\n- [Contributing](#contributing)\n\n\n# `rbac-tool viz`\n\nA Kubernetes RBAC visualizer that generates a graph in dot file format or in HTML format.\n\n\u003cimg src=\"img/rbac-viz-html-example.png\" alt=\"rbac-tool\" width=\"600\"/\u003e\n\nBy default, 'rbac-tool viz' connects to the local cluster (the one pointed to by kubeconfig)\nand creates an RBAC graph of the actively running workload in all namespaces except kube-system.\n\nSee the run options for how to render specific namespaces, other clusters, etc.\n\n```shell script\n# Render Locally\nrbac-tool viz --outformat dot 
\u0026\u0026 cat rbac.dot | dot -Tpng \u003e rbac.png  \u0026\u0026 open rbac.png\n\n# Render Online\nhttps://dreampuf.github.io/GraphvizOnline\n```\n\nExamples:\n\n```shell script\n# Scan the cluster pointed to by the kubeconfig context 'myctx'\nrbac-tool viz --cluster-context myctx\n```\n\n```shell script\n# Scan and create a PNG image from the graph\nrbac-tool viz --outformat dot --exclude-namespaces=somens \u0026\u0026 cat rbac.dot | dot -Tpng \u003e rbac.png \u0026\u0026 google-chrome rbac.png\n```\n\n\n# `rbac-tool show`\n\nGenerate a sample ClusterRole with all available permissions from the target cluster.\n\nrbac-tool reads the available API Groups and resources from the Kubernetes discovery API,\nand based on the command line options, generates an explicit ClusterRole with the available resource permissions.\nExamples:\n\n```shell script\n# Generate a ClusterRole with all the available permissions for the core and apps API groups\nrbac-tool show  --for-groups=,apps\n```\n\n\n# `rbac-tool analysis`\n\nAnalyze RBAC permissions and highlight overly permissive principals and risky permissions.\nThe command accepts a custom analysis rule set and lets you define custom exceptions (global and per-rule).\n\nThe default rule set can be found [here](pkg/analysis/default-rules.yaml).\n\nExamples:\n\n```shell script\n# Analyze the cluster pointed to by the kubeconfig context 'myctx' with the internal analysis rule set\nrbac-tool analysis --cluster-context myctx\n```\n\n```shell script\n# Analyze the cluster pointed to by kubeconfig with the provided analysis rule set\nrbac-tool analysis --config myruleset.yaml\n```\n\n\n# `rbac-tool lookup`\nLook up the Roles/ClusterRoles bound to a User/ServiceAccount/Group, with or without a [regex](https://regex101.com/)\n\n\nExamples:\n\n```shell script\n# Search All Service Accounts\nrbac-tool lookup\n```\n\n```shell script\n# Search Service Accounts that match myname exactly\nrbac-tool lookup myname\n```\n\n```shell 
script\n# Search All Service Accounts that contain myname\nrbac-tool lookup -e '.*myname.*'\n```\n\n```shell script\n# Lookup System Accounts (all accounts that start with system: )\nrbac-tool lookup -e '^system:'\n  SUBJECT                                         | SUBJECT TYPE | SCOPE       | NAMESPACE   | ROLE                                                                 | BINDING\n+-------------------------------------------------+--------------+-------------+-------------+----------------------------------------------------------------------+---------------------------------------------------+\n  system:anonymous                                | User         | Role        | kube-public | kubeadm:bootstrap-signer-clusterinfo                                 | kubeadm:bootstrap-signer-clusterinfo\n  system:authenticated                            | Group        | ClusterRole |             | system:basic-user                                                    | system:basic-user\n  system:authenticated                            | Group        | ClusterRole |             | system:public-info-viewer                                            | system:public-info-viewer\n  system:authenticated                            | Group        | ClusterRole |             | system:discovery                                                     | system:discovery\n  system:bootstrappers:kubeadm:default-node-token | Group        | ClusterRole |             | kubeadm:get-nodes                                                    | kubeadm:get-nodes\n  system:bootstrappers:kubeadm:default-node-token | Group        | ClusterRole |             | system:node-bootstrapper                                             | kubeadm:kubelet-bootstrap\n  system:bootstrappers:kubeadm:default-node-token | Group        | ClusterRole |             | system:certificates.k8s.io:certificatesigningrequests:nodeclient     | kubeadm:node-autoapprove-bootstrap\n  
system:bootstrappers:kubeadm:default-node-token | Group        | Role        | kube-system | kube-proxy                                                           | kube-proxy\n  system:bootstrappers:kubeadm:default-node-token | Group        | Role        | kube-system | kubeadm:nodes-kubeadm-config                                         | kubeadm:nodes-kubeadm-config\n  system:bootstrappers:kubeadm:default-node-token | Group        | Role        | kube-system | kubeadm:kubelet-config                                               | kubeadm:kubelet-config\n  system:kube-controller-manager                  | User         | ClusterRole |             | system:kube-controller-manager                                       | system:kube-controller-manager\n...\n```\n\n# `rbac-tool who-can`\n\nShows which subjects have RBAC permissions to perform an action denoted by VERB on an object denoted as ( KIND | KIND/NAME | NON-RESOURCE-URL)\n\n* VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc.\n* KIND is a Kubernetes resource kind. Shortcuts and API groups will be resolved, e.g. 
'po' or 'deploy'.\n* NAME is the name of a particular Kubernetes resource.\n* NON-RESOURCE-URL is a partial URL that starts with \"/\".\n\nExamples:\n\n```shell script\n# Who can read ConfigMap resources\nrbac-tool who-can get cm\n\n# Who can watch Deployments\nrbac-tool who-can watch deployments.apps\n\n# Who can read the Kubernetes API endpoint /apis\nrbac-tool who-can get /apis\n\n# Who can read a secret resource by the name some-secret\nrbac-tool who-can get secret/some-secret\n```\n\n# `rbac-tool policy-rules`\nList Kubernetes RBAC policy rules for a given User/ServiceAccount/Group, with or without a [regex](https://regex101.com/)\n\n\nExamples:\n\n```shell script\n# List policy rules for the system:unauthenticated group\nrbac-tool policy-rules -e '^system:unauth'\n```\n\nOutput:\n\n```shell script\n  TYPE  | SUBJECT                | VERBS | NAMESPACE | API GROUP | KIND | NAMES | NONRESOURCEURI                              \n+-------+------------------------+-------+-----------+-----------+------+-------+--------------------------------------------+\n  Group | system:unauthenticated | get   | *         | -         | -    | -     | /healthz,/livez,/readyz,/version,/version/  \n\n```\n\n\u003e Leveraging JMESPath to filter and transform RBAC Policy rules.\n\u003e\n\u003e  For example: *Who Can Read Secrets*\n\u003e```shell script\n\u003e rbac-tool policy-rules -o json  | jp \"[? @.allowedTo[? 
(verb=='get' || verb=='*') \u0026\u0026 (apiGroup=='core' || apiGroup=='*') \u0026\u0026 (resource=='secrets' || resource == '*')  ]].{name: name, namespace: namespace, kind: kind}\"\n\u003e```\n\u003e\n\u003e See [https://jmespath.org/](https://jmespath.org/)\n\u003e\n\n# `rbac-tool auditgen`\n\nGenerate RBAC policy from Kubernetes audit events.\nThe audit source format can be:\n- a Kubernetes List Object that contains Audit Events\n- newline-separated Audit Event objects\nThe audit source can be a file, a directory or an HTTP URL.\n\n```shell script\nrbac-tool auditgen -f audit.log\n```\n\n\u003e This command is based on [this](https://github.com/liggitt/audit2rbac) prior work.\n\n# `rbac-tool gen`\n\nExamples are the simplest way to describe how `rbac-tool gen` can help:\n*  Generate a `ClusterRole` policy that allows reading everything **except** *secrets* and *services*\n*  Generate a `Role` policy that allows create,update,get,list  (read/write) on everything **except** *secrets*, *services*, *ingresses*, *networkpolicies*\n*  Generate a `Role` policy that allows create,update,get,list  (read/write) on everything **except** *statefulsets*\n\n`rbac-tool` generates an RBAC `Role` or RBAC `ClusterRole` resource while reducing the use of wildcards, and supports **deny** semantics for specific Kubernetes resources.\n\n# `rbac-tool whoami`\n\nShows the subject for the current context with which one authenticates with the cluster.\n\nExamples:\n\n```shell script\nrbac-tool whoami --cluster-context myctx\n```\n\n### How `rbac-tool gen` works\n\n`rbac-tool` reads the available API Groups and resources from the Kubernetes discovery API; these represent the \"world\" of resources.\nBased on the command line options, it generates an explicit Role/ClusterRole that avoids wildcards by expanding them into the available \"world\" resources.\n\n### Command Line Examples\n\nExamples generated against a Kubernetes v1.16 cluster deployed using KIND. 
\n\n\u003e Generate a `ClusterRole` policy that allows to read everything **except** *secrets* and *services*\n```bash\nrbac-tool  gen  --deny-resources=secrets.,services. --allowed-verbs=get,list\n```\n\n\u003e  Generate a `Role` policy that allows create,update,get,list (read/write) everything **except** *secrets*, *services*, *networkpolicies* in *core*,*apps* \u0026 *networking.k8s.io* API groups\n```bash\nrbac-tool  gen --generated-type=Role --deny-resources=secrets.,services.,networkpolicies.networking.k8s.io --allowed-verbs=* --allowed-groups=,extensions,apps,networking.k8s.io\n```\n\n\u003e Generate a `Role` policy that allows create,update,get,list  (read/write) everything **except** *statefulsets*\n```bash\nrbac-tool  gen --generated-type=Role --deny-resources=apps.statefulsets --allowed-verbs=* \n```\n\n\n### Example Output\n\n\u003e  Generate a `Role` policy that allows create,update,get,list (read/write) everything **except** *secrets*, *services*, *networkpolicies* in *core*,*apps* \u0026 *networking.k8s.io* API groups\n```bash\nrbac-tool  gen --generated-type=Role --deny-resources=secrets.,services.,networkpolicies.networking.k8s.io --allowed-verbs=* --allowed-groups=,extensions,apps,networking.k8s.io\n```\n\n```yaml\napiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n  creationTimestamp: null\n  name: custom-role\n  namespace: mynamespace\nrules:\n- apiGroups:\n  - \"\"\n  resources:\n  - events\n  - componentstatuses\n  - podtemplates\n  - namespaces\n  - replicationcontrollers\n  - persistentvolumes\n  - configmaps\n  - persistentvolumeclaims\n  - resourcequotas\n  - limitranges\n  - nodes\n  - bindings\n  - serviceaccounts\n  - pods\n  - endpoints\n  verbs:\n  - '*'\n- apiGroups:\n  - extensions\n  resources:\n  - ingresses\n  verbs:\n  - '*'\n- apiGroups:\n  - apps\n  resources:\n  - replicasets\n  - daemonsets\n  - deployments\n  - controllerrevisions\n  - statefulsets\n  verbs:\n  - '*'\n- apiGroups:\n  - networking.k8s.io\n  
resources:\n  - ingresses\n  verbs:\n  - '*'\n```\n\n## Command Line Reference\n\n```bash\nGenerate Role or ClusterRole resource while reducing the use of wildcards.\n\nrbac-tool read from the Kubernetes discovery API the available API Groups and resources, \nand based on the command line options, generate an explicit Role/ClusterRole that avoid wildcards\n\nExamples:\n\n# Generate a Role with read-only (get,list) excluding secrets (core group) and ingresses (extensions group) \nrbac-tool gen --generated-type=Role --deny-resources=secrets.,ingresses.extensions --allowed-verbs=get,list\n\n# Generate a Role with read-only (get,list) excluding secrets (core group) from core group, admissionregistration.k8s.io,storage.k8s.io,networking.k8s.io\nrbac-tool gen --generated-type=ClusterRole --deny-resources=secrets., --allowed-verbs=get,list  --allowed-groups=,admissionregistration.k8s.io,storage.k8s.io,networking.k8s.io\n\nUsage:\n  rbac-tool generate [flags]\n\nAliases:\n  generate, gen\n\nFlags:\n      --allowed-groups strings   Comma separated list of API groups we would like to allow '*' (default [*])\n      --allowed-verbs strings    Comma separated list of verbs to include. To include all use '* (default [*])\n  -c, --cluster-context string   Cluster.use 'kubectl config get-contexts' to list available contexts\n      --deny-resources strings   Comma separated list of resource.group\n  -t, --generated-type string    Role or ClusteRole (default \"ClusterRole\")\n  -h, --help                     help for generate\n```\n\n## Contributing\n\n### Bugs\n\nIf you think you have found a bug please follow the instructions below.\n\n- Please spend a small amount of time giving due diligence to the issue tracker. 
Your issue might be a duplicate.\n- Open a [new issue](https://github.com/alcideio/rbac-tool/issues/new) if a duplicate doesn't already exist.\n\n### Features\n\nIf you have an idea to enhance rbac-tool, follow the steps below.\n\n- Open a [new issue](https://github.com/alcideio/rbac-tool/issues/new).\n- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.\n- Clearly define the use case, using concrete examples.\n- Feel free to include any technical design for your feature.\n\n### Pull Requests\n\n- Your PR is more likely to be accepted if it focuses on just one change.\n- Please include a comment with the results before and after your change. \n- Your PR is more likely to be accepted if it includes tests. \n- You're welcome to submit a draft PR if you would like early feedback on an idea or an approach.\n\n\n[![Stargazers over time](https://starchart.cc/alcideio/rbac-tool.svg)](https://starchart.cc/alcideio/rbac-tool)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falcideio%2Frbac-tool","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falcideio%2Frbac-tool","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falcideio%2Frbac-tool/lists"}