{"id":13765161,"url":"https://github.com/team-soteria/rback","last_synced_at":"2025-05-10T20:31:42.866Z","repository":{"id":55381612,"uuid":"188560726","full_name":"team-soteria/rback","owner":"team-soteria","description":"RBAC in Kubernetes visualizer ","archived":false,"fork":false,"pushed_at":"2021-01-04T12:59:14.000Z","size":2299,"stargazers_count":400,"open_issues_count":8,"forks_count":38,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-11-17T01:32:41.560Z","etag":null,"topics":["graphviz","kubernetes","rbac","visualization"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/team-soteria.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-05-25T11:57:52.000Z","updated_at":"2024-11-07T04:32:00.000Z","dependencies_parsed_at":"2022-08-14T23:00:55.612Z","dependency_job_id":null,"html_url":"https://github.com/team-soteria/rback","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/team-soteria%2Frback","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/team-soteria%2Frback/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/team-soteria%2Frback/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/team-soteria%2Frback/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/team-soteria","download_url":"https://codeload.github.com/team-soteria/rback/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.
com","kind":"github","repositories_count":253480517,"owners_count":21915249,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["graphviz","kubernetes","rbac","visualization"],"created_at":"2024-08-03T16:00:34.841Z","updated_at":"2025-05-10T20:31:37.850Z","avatar_url":"https://github.com/team-soteria.png","language":"Go","funding_links":[],"categories":["Security","Security \u0026 Compliance","Open Source Projects","Tools"],"sub_categories":["Kubernetes"],"readme":"# rback\n\nA simple \"RBAC in Kubernetes\" visualizer. No matter how complex the setup, `rback` queries all RBAC-related information of a Kubernetes cluster in constant time and generates a graph representation of service accounts, (cluster) roles, and the respective access rules in [dot](https://www.graphviz.org/doc/info/lang.html) format.\n\nFor example, here is an Amazon EKS cluster as seen by `rback`:\n\n![EKS cluster](examples/eks.dot.png)\n\nAnother example would be a local K3S cluster:\n\n![K3S cluster](examples/k3s.dot.png)\n\nHere it is in action in the [Katacoda Kubernetes playground](https://www.katacoda.com/courses/kubernetes/playground):\n\n![Katacoda](examples/katacoda.dot.png)\n\nSee the [examples/](examples/) directory for more details …\n\n## Install\n\n`rback` depends on you having access to a Kubernetes cluster, either in the cloud (like Amazon EKS)\nor locally (k3s, kind, Minikube, Docker for Desktop) as well as `kubectl` installed and configured locally.\n\n\nTo install it for macOS, do:\n\n```sh\n$ curl -sL https://github.com/team-soteria/rback/releases/download/v0.4.0/macos_rback -o rback\n$ chmod 
+x rback \u0026\u0026 sudo mv rback /usr/local/bin\n```\n\nTo install it for Linux, do:\n\n```sh\n$ curl -sL https://github.com/team-soteria/rback/releases/download/v0.4.0/linux_rback -o rback\n$ chmod +x rback \u0026\u0026 sudo mv rback /usr/local/bin\n```\n\n\nYou can also build it from source, with Go 1.12 like so:\n\n```sh\n$ git clone https://github.com/team-soteria/rback.git \u0026\u0026 cd rback\n$ go build\n```\n\n## Using rback directly\n\nRun `rback` locally against the target cluster and store its output in a `.dot` file as shown in the following:\n\n```sh\n$ kubectl get sa,roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json | rback \u003e result.dot\n```\n\nNow that you have `result.dot`, you can render the graph either online or locally.\n\n### Render online\n\nThere are plenty of Graphviz (`dot`) online visualization tools available; for example, use [magjac.com/graphviz-visual-editor/](http://magjac.com/graphviz-visual-editor/) for interaction or the simpler [dreampuf.github.io/GraphvizOnline](https://dreampuf.github.io/GraphvizOnline/). Head over there and paste the output of `rback` into it.\n\n### Render locally\n\nInstall [Graphviz](https://www.graphviz.org/); for example, on macOS you can do `brew install graphviz`. Then you can do the following (on macOS):\n\n```sh\n$ kubectl get sa,roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json | rback | dot -Tpng  \u003e /tmp/rback.png \u0026\u0026 open /tmp/rback.png\n```\n\n\n## Using rback as a kubectl plugin\n\nThere is also a very crude first version of a kubectl plugin in https://github.com/team-soteria/rback/blob/master/kubectl-plugin/kubectl-rback. Add the file to your path, ensure it is executable and modify it to suit your environment. Then, you'll be able to simply run:\n```sh\n$ kubectl rback\n```\nThis will generate the `.dot` file, render it using Graphviz (must be installed on your system) and open the rendered image using `xdg-open`. 
\n\nWe welcome contributions to make the plugin work in other environments.\n\n## More usage examples\n\nBy default, `rback` shows all RBAC resources in your cluster, but you can also focus on a single namespace by using the `-n` switch. The switch supports multiple namespaces as well:\n```sh\n$ kubectl rback -n my-namespace\n$ kubectl rback -n my-namespace1,my-namespace2\n```\n\nIf you're particularly interested in a single `ServiceAccount`, you can run:\n```sh\n$ kubectl rback serviceaccount my-service-account\n# or\n$ kubectl rback sa my-service-account\n```\nThis makes the specified `ServiceAccount` the focal point of the graph, meaning that only it and directly-related RBAC resources are shown. \n\nInstead of `ServiceAccounts`, you can also focus on `Roles`, `RoleBindings`, `ClusterRoles` or `ClusterRoleBindings`:\n```sh\n$ kubectl rback role my-role\n$ kubectl rback clusterrole my-cluster-role\n$ kubectl rback rolebinding my-role-binding\n$ kubectl rback clusterrolebinding my-cluster-role-binding\n```\nYou can also use the abbreviated form:\n```sh\n$ kubectl rback r my-role\n$ kubectl rback cr my-cluster-role\n$ kubectl rback rb my-role-binding\n$ kubectl rback crb my-cluster-role-binding\n```\n\nIf you'd like to inspect more than one resource, you can specify multiple resource names:\n```sh\n$ kubectl rback r my-role1 my-role2\n```\n\nIn addition to focusing on a specific resource, `rback` can also show you who can perform a particular action. For example, if you'd like to see who can create pods, run:\n```sh\n$ kubectl rback who-can create pods\n```\nThis renders the matched `(Cluster)Roles`, all directly-related `(Cluster)RoleBindings` and subjects (`ServiceAccounts`, `Users` and `Groups`). The matched access rule will be shown in bold font. 
\n\nWhether using `who-can` or not, you can turn off the rendering of the (possibly long) list of access rules with:\n```sh\n$ kubectl rback --show-rules=false\n```\n\nWhen using `who-can`, you can also tell `rback` to only show matched rules instead of hiding rules completely:\n```sh\n$ kubectl rback --show-matched-rules-only who-can create pods\n```\n\n## How it works\n\nTo follow the \"Do One Thing And Do It Well\" Unix philosophy, `rback` does not call out to `kubectl` to read RBAC resources (although initial versions did do that) and does not actually render the image. All it does is parse a list of RBAC resources passed in through `stdin`, and then print out a Graphviz `.dot` file to `stdout` using the [github.com/emicklei/dot](https://github.com/emicklei/dot) package.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fteam-soteria%2Frback","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fteam-soteria%2Frback","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fteam-soteria%2Frback/lists"}