{"id":17275819,"url":"https://github.com/viveksinghggits/akcess","last_synced_at":"2025-08-21T14:02:46.159Z","repository":{"id":36995147,"uuid":"466715140","full_name":"viveksinghggits/akcess","owner":"viveksinghggits","description":"Share fine-grained access to your Kubernetes cluster temporarily.","archived":false,"fork":false,"pushed_at":"2022-07-21T14:44:41.000Z","size":1048,"stargazers_count":65,"open_issues_count":7,"forks_count":6,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-18T14:05:14.721Z","etag":null,"topics":["go","golang","kubeconfig","kubernetes","rbac"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/viveksinghggits.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-03-06T11:20:06.000Z","updated_at":"2024-12-27T00:17:57.000Z","dependencies_parsed_at":"2022-06-30T22:03:33.876Z","dependency_job_id":null,"html_url":"https://github.com/viveksinghggits/akcess","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/viveksinghggits%2Fakcess","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/viveksinghggits%2Fakcess/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/viveksinghggits%2Fakcess/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/viveksinghggits%2Fakcess/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/viveksinghggits","download_url":"https://codeload.github.com/viveksinghggits/akcess/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245003687,"owners_count":20545646,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","kubeconfig","kubernetes","rbac"],"created_at":"2024-10-15T08:57:16.614Z","updated_at":"2025-03-22T18:34:34.173Z","avatar_url":"https://github.com/viveksinghggits.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Akcess\n\n[![Go](https://github.com/viveksinghggits/akcess/actions/workflows/actions.yaml/badge.svg?branch=master)](https://github.com/viveksinghggits/akcess/actions/workflows/actions.yaml)\n\n`akcess` is a command-line utility that can be used to share very fine-grained access to your Kubernetes\ncluster with other teams.\n\n```\n» akcess --help\nCreate kubeconfig file with specified fine-grained authorization\n\nUsage:\n  akcess [flags]\n  akcess [command]\n\nAvailable Commands:\n  allow       Allow the access to the resources\n  completion  Generate the autocompletion script for the specified shell\n  delete      Delete the kubernetes resources that were made specific allow command\n  help        Help about any command\n  list        List the number of times we ran the allow command\n  version     Print the version of akcess\n\nFlags:\n  -h, --help   help for akcess\n\nUse \"akcess [command] --help\" for more information about a command.\n```\n\n## Demo\n\n\u003ccenter\u003e\u003cimg src=\"docs/video/akcess-demo-final.gif\"/\u003e\u003c/center\u003e\n\n\n## Use cases\n\nConsider a scenario where you are running an application in your Kubernetes cluster that is failing because\nof a certain reason and the other (dev) team is asking for permissions to see the logs of that application.\n\nIn most of the cases, you wouldn't give the `admin` access to your Kubernetes cluster, instead, you can use\n`akcess` to generate `kubeconfig` file that would allow other teams, for example, to just access logs of that\nparticular application (pod).\n\n```\n» akcess allow --verb get --resource pods,pods/log -n \u003cnamespace\u003e\n```\n\n### Specifying duration\n\nIf you are on Kubernetes cluster version 1.22 or greater than it, you can also specify how much time this access\nshould be allowed for using the below command\n\n```\n# value of --for is in minutes and can not be less than 10\n» akcess allow --verb get --resource pods,pods/log -n \u003cnamespace\u003e --for 10\n```\n\n## Installing `akcess`\n\n`akcess` is not available currently using OS package managers. You will have to install it by downloading the release\nfrom GitHub.\n\nGo to [releases page](https://github.com/viveksinghggits/akcess/releases) and download the appropriate binary\nfor your operating system and architecture, using either `curl` or `wget` commands. And move it to your\n`PATH`.\n\n### Linux\n\nYou can figure out the operating system details using the below command\n\n```\n» uname -a\nLinux vivek 5.13.0-30-generic #33~20.04.1-Ubuntu SMP Mon Feb 7 14:25:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux\n```\n\n- Download, respective binary (artifacts) from releases, you can specify the expected value for the version var\n\n```\nexport VERSION=0.0.1\nwget https://github.com/viveksinghggits/akcess/releases/download/v${VERSION}/akcess_${VERSION}_Linux_x86_64.tar.gz\n```\n\n- Extract the downloaded `.tar.gz` file\n\n```\ntar xf akcess_0.0.1_Linux_x86_64.tar.gz\n```\n\n- Move the binary to `PATH`\n\n```\nmv akcess /usr/local/bin\n```\n\n## Examples\n\n- Allow access to get pods from `default` namespace\n\n```\n» akcess allow --verb list --resource pods\n```\n\n- Allow access to get pods from `default` namespace and username `test`\n\n```\n» akcess allow --verb list --resource pods --username test\n```\n\n- Allow access to see logs of pod with name `nginx` in `test` namespace\n\n```\n# log is sub resource for pod resource\n» akcess allow --verb get --resource pods,pods/log -n test --resource-name nginx\n```\n\n- Allow access to `exec` into pods of namespace `database`\n\n```\n» akcess allow  --verb get,create --resource pods,pods/exec -n database\n```\n\n- Allow access to see logs of pods that have label `component=database` set in namespace `backend`\n\n```\n# more than one labels can be comma separated\n» akcess allow  --verb get --resource pods,pods/log -l component=database -n backend\n```\n\n- Allow access to get the services that have label `component=database` set in namespace `backend`\n\n```\n» akcess allow  --verb get --resource services -l component=database -n backend\n```\n\nYou can also redirect the output of the above commands to a file, that can be set at `KUBECONFIG` env var.\n\n```\n» akcess allow --verb get --resource pods,pods/log -n test \u003e logsconfig\n» export KUBECONFIG=logsconfig\n```\n\n## How does it work\n\n`akcess` creates respective RBAC (Role, RoleBinding) and CSR resources using the resources and verbs that are\nspecified in the `akcess allow` command.\n\nWhenever we create a Kubernetes resource, we annotate it with a key `allow.akcess.id` and value to be a `UUID`.\nThe set of resources that have been created or the number of times `akcess allow` has been run can be figured\nout by running\n\n```\n» akcess list\n- id: ee022ab3-246f-4a6d-bd53-e04ae90cc1d9\n  createdAt: 2022-03-06T12:03:42.171995731+01:00\n  namespace: test\n- id: 818e4e6f-4be9-41a2-9f8b-de4247626d16\n  createdAt: 2022-03-06T12:12:17.884823402+01:00\n  namespace: default\n```\n\nTo delete `Kubernetes` resources for a specific run we can run\n\n```\n» akcess delete --id ee022ab3-246f-4a6d-bd53-e04ae90cc1d9\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fviveksinghggits%2Fakcess","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fviveksinghggits%2Fakcess","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fviveksinghggits%2Fakcess/lists"}