Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/aquasecurity/kubectl-who-can

Show who has RBAC permissions to perform actions on different resources in Kubernetes
https://github.com/aquasecurity/kubectl-who-can

kubectl kubernetes kubernetes-rbac rbac

Last synced: 1 day ago
JSON representation

Show who has RBAC permissions to perform actions on different resources in Kubernetes

Host: GitHub
URL: https://github.com/aquasecurity/kubectl-who-can
Owner: aquasecurity
License: apache-2.0
Created: 2019-03-16T14:55:36.000Z (over 5 years ago)
Default Branch: main
Last Pushed: 2024-07-17T11:59:27.000Z (4 months ago)
Last Synced: 2024-08-02T06:12:41.135Z (3 months ago)
Topics: kubectl, kubernetes, kubernetes-rbac, rbac
Language: Go
Homepage:
Size: 404 KB
Stars: 817
Watchers: 17
Forks: 81
Open Issues: 13
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE

Awesome Lists containing this project

awesome-kubectl-plugins - kubectl-who-can
awesome-repositories - aquasecurity/kubectl-who-can - Show who has RBAC permissions to perform actions on different resources in Kubernetes (Go)
awesome-cloud-security - Kubectl-who-can
awesome-k8s - kubectl-who-can
awesome-k8s-security - kubectl-who-can
awesome-kubernetes-security - kubectl-who-can - Show who has permissions to \<verb\> \<resource\> in Kubernetes (Open Source Projects)
awesome-cloud-native - kubectl-who-can - Show who has RBAC permissions to perform actions on different resources in Kubernetes. (Security)
awesome-starred - aquasecurity/kubectl-who-can - Show who has RBAC permissions to perform actions on different resources in Kubernetes (kubernetes)

README

        [![GitHub Release][release-img]][release]

[![GitHub Action][build-action-img]][build-action]

[![Coverage Status][cov-img]][cov]

[![Go Report Card][report-card-img]][report-card]

[![License][license-img]][license]

[![GitHub All Releases][github-all-releases-img]][release]

# kubectl-who-can

Shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL] in Kubernetes.

[![asciicast][asciicast-img]][asciicast]

## Installation

There are several ways to install `kubectl-who-can`. The recommended installation is via the `kubectl` plugin manager

called [`krew`](https://github.com/kubernetes-sigs/krew).

### krew

I assume that you've already [installed](https://github.com/kubernetes-sigs/krew#installation) `krew`. Then run the following command:

```

kubectl krew install who-can

```

The plugin will be available as `kubectl who-can`.

### Manual

Download a [release distribution archive][release] for your operating system, extract it, and add the `kubectl-who-can`

executable to your `$PATH`. For example, to manually install `kubectl-who-can` on macOS run the following command:

```

VERSION=`git describe --abbrev=0`

mkdir -p /tmp/who-can/$VERSION && \

curl -L https://github.com/aquasecurity/kubectl-who-can/releases/download/$VERSION/kubectl-who-can_darwin_x86_64.tar.gz \

  | tar xz -C /tmp/who-can/$VERSION && \

sudo mv -i /tmp/who-can/$VERSION/kubectl-who-can /usr/local/bin

```

## Build from Source

This is a standard Go program. If you already know how to build

and install Go code, you probably won't need these instructions.

Note that while the code is small, it has some rather big

dependencies, and fetching + building these dependencies can

take a few minutes.

Option 1 (if you have a Go compiler and want to tweak the code):

```bash

# Clone this repository (or your fork)

git clone https://github.com/aquasecurity/kubectl-who-can

cd kubectl-who-can

make

```

The `kubectl-who-can` binary will be in the current directory.

Option 2 (if you have a Go compiler and just want the binary):

```

go install github.com/aquasecurity/kubectl-who-can/cmd/kubectl-who-can@latest

```

The `kubectl-who-can` binary will be in `$GOPATH/bin`.

Option 3 (if you don't have a Go compiler, but have Docker installed):

```

docker run --rm -v /usr/local/bin:/go/bin golang:1.17 go install github.com/aquasecurity/kubectl-who-can/cmd/kubectl-who-can@latest

```

The `kubectl-who-can` binary will be in `/usr/local/bin`.

## Usage

`$ kubectl who-can VERB (TYPE | TYPE/NAME | NONRESOURCEURL) [flags]`

### Flags

Name             | Shorthand | Default | Usage

-----------------|-----------|---------|----------------------------

namespace        | n         |         | If present, the namespace scope for this CLI request

all-namespaces   | A         | false   | If true, check for users that can do the specified action in any of the available namespaces

subresource      |           |         | Specify a sub-resource such as pod/log or deployment/scale

For additional details on flags and usage, run `kubectl who-can --help`.

[release-img]: https://img.shields.io/github/release/aquasecurity/kubectl-who-can.svg?logo=github

[release]: https://github.com/aquasecurity/kubectl-who-can/releases

[build-action-img]: https://github.com/aquasecurity/kubectl-who-can/workflows/build/badge.svg

[build-action]: https://github.com/aquasecurity/kubectl-who-can/actions

[cov-img]: https://codecov.io/github/aquasecurity/kubectl-who-can/branch/main/graph/badge.svg

[cov]: https://codecov.io/github/aquasecurity/kubectl-who-can

[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kubectl-who-can

[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kubectl-who-can

[license-img]: https://img.shields.io/github/license/aquasecurity/kubectl-who-can.svg

[license]: https://github.com/aquasecurity/kubectl-who-can/blob/main/LICENSE

[github-all-releases-img]: https://img.shields.io/github/downloads/aquasecurity/kubectl-who-can/total?logo=github

[asciicast-img]: https://asciinema.org/a/ccqqYwA5L5rMV9kd1tgzyZJ2j.svg

[asciicast]: https://asciinema.org/a/ccqqYwA5L5rMV9kd1tgzyZJ2j