https://github.com/corneliusweig/rakkess
Review Access - kubectl plugin to show an access matrix for k8s server resources
- Host: GitHub
- URL: https://github.com/corneliusweig/rakkess
- Owner: corneliusweig
- License: apache-2.0
- Created: 2019-02-22T11:28:24.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2023-04-05T05:00:24.000Z (almost 2 years ago)
- Last Synced: 2024-12-29T22:14:17.154Z (13 days ago)
- Topics: authorization, k8s, kubectl, kubectl-plugin, kubectl-plugins, kubernetes, rbac, rbac-management
- Language: Go
- Homepage:
- Size: 531 KB
- Stars: 1,325
- Watchers: 13
- Forks: 56
- Open Issues: 14
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- awesome-kubectl-plugins - rakkess - kubectl plugin to show an access matrix for k8s server resources | RBAC | (kubectl Plugins / Installing plugins via awesome-kubectl-plugins)
- awesome-repositories - corneliusweig/rakkess - Review Access - kubectl plugin to show an access matrix for k8s server resources (Go)
- awesome-list - rakkess - kubectl plugin to show an access matrix for k8s server resources | corneliusweig | 813 | (Go)
- awesome-k8s-security - rakkess
- awesome-k8s-resources - rakkess - kubectl plugin to show an access matrix for server resources (Tools and Libraries / Security and Compliance)
- awesome-kubernetes-security - rakkess - Review access matrix for Kubernetes server resources (Open Source Projects)
- awesome-cloud-native - rakkess - kubectl plugin to show an access matrix for k8s server resources. (Security)
- awesome-starred - corneliusweig/rakkess - Review Access - kubectl plugin to show an access matrix for k8s server resources (kubernetes)
README
# rakkess
[![Build Status](https://travis-ci.com/corneliusweig/rakkess.svg?branch=master)](https://travis-ci.com/corneliusweig/rakkess)
[![Code Coverage](https://codecov.io/gh/corneliusweig/rakkess/branch/master/graph/badge.svg)](https://codecov.io/gh/corneliusweig/rakkess)
[![Go Report Card](https://goreportcard.com/badge/corneliusweig/rakkess)](https://goreportcard.com/report/corneliusweig/rakkess)
[![LICENSE](https://img.shields.io/github/license/corneliusweig/rakkess.svg)](https://github.com/corneliusweig/rakkess/blob/master/LICENSE)
[![Releases](https://img.shields.io/github/release-pre/corneliusweig/rakkess.svg)](https://github.com/corneliusweig/rakkess/releases)

Review Access - kubectl plugin to show an access matrix for server resources
## Intro
Have you ever wondered what access rights you have on a provided Kubernetes cluster?
For single resources you can use `kubectl auth can-i list deployments`, but maybe you are looking for a complete overview?
This is what `rakkess` is for.
It lists access rights for the current user and all server resources, similar to `kubectl auth can-i --list`.

It is also useful to find out who may interact with some server resource.
Check out the sub-command `rakkess resource` [below](#show-subjects-with-access-to-a-given-resource1).

## Demo
![rakkess demo](doc/demo-user-smaller.png "rakkess --namespace default")

## Examples
#### Show access for all resources
- ... at cluster scope
```bash
rakkess
```
- ... in some namespace
```bash
rakkess --namespace default
```
- ... with verbs
```bash
rakkess --verbs get,delete,watch,patch
```
- ... for another user
```bash
rakkess --as other-user
```
- ... for another service-account
```bash
rakkess --sa kube-system:namespace-controller
```
- ... and combine with common `kubectl` parameters
```bash
KUBECONFIG=otherconfig rakkess --context other-context
```
#### Show subjects with access to a given resource[1](#credit-kubectl-who-can)
![rakkess demo](doc/demo-resource-smaller.png "rakkess resource configmaps --namespace default")
- ...globally in all namespaces (only considers `ClusterRoleBindings`)
```bash
rakkess resource configmaps
```
- ...in a given namespace (considers `RoleBindings` and `ClusterRoleBindings`)
```bash
rakkess resource configmaps -n default
```
- ...with shorthand notation
```bash
rakkess r cm # same as rakkess resource configmaps
```
- ...with custom verbs
```bash
rakkess r cm --verbs get,delete,watch,patch
```
##### Name-restricted roles
Some roles only apply to resources with a specific name.
To review such configurations, provide the resource name as additional argument.
For example, show access rights for the `ConfigMap` called `ingress-controller-leader-nginx` in namespace `ingress-nginx` (note the subtle difference for `nginx-ingress-serviceaccount` to the previous example):

![rakkess demo](doc/demo-named-resource-smaller.png "rakkess resource configmap ingress-controller-leader-nginx --namespace ingress-nginx")

As `rakkess resource` needs to query `Roles`, `ClusterRoles`, and their bindings, it usually requires administrative cluster access.

Also see [Usage](doc/USAGE.md).
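The following added example (not code from the rakkess project) models in simplified form how a name-restricted RBAC rule changes the set of subjects with access to a resource, which is the difference the named-resource query above surfaces. The `Binding` type, the `ops-admin` subject, and the sample rules are constructed for illustration; API groups and namespaces are left out.

```go
package main

import "fmt"

// Rule holds the PolicyRule fields relevant here (API groups omitted).
type Rule struct{ Verbs, Resources, ResourceNames []string }

type Binding struct {
	Subject string
	Rules   []Rule // rules of the bound role (flattened, hypothetical view)
}

func contains(list []string, want string, wildcard bool) bool {
	for _, v := range list {
		if v == want || (wildcard && v == "*") {
			return true
		}
	}
	return false
}

// Allows: empty ResourceNames matches any name; a non-empty list matches only listed names.
func (r Rule) Allows(verb, resource, name string) bool {
	return contains(r.Verbs, verb, true) && contains(r.Resources, resource, true) &&
		(len(r.ResourceNames) == 0 || contains(r.ResourceNames, name, false))
}

// SubjectsWithAccess returns subjects that some rule lets perform verb on resource/name.
func SubjectsWithAccess(bs []Binding, verb, resource, name string) (out []string) {
	for _, b := range bs {
		for _, r := range b.Rules {
			if r.Allows(verb, resource, name) {
				out = append(out, b.Subject)
				break
			}
		}
	}
	return out
}

// Sample is constructed data, not the real ingress-nginx roles.
var Sample = []Binding{
	{"ops-admin", []Rule{{[]string{"*"}, []string{"configmaps"}, nil}}},
	{"nginx-ingress-serviceaccount", []Rule{
		{[]string{"get", "update"}, []string{"configmaps"}, []string{"ingress-controller-leader-nginx"}}}},
}

func main() {
	fmt.Println(SubjectsWithAccess(Sample, "update", "configmaps", "ingress-controller-leader-nginx"))
}
```

Querying without a name (or with a different name) drops the service account from the result, which is why a review that omits the resource name can under-report who is able to modify a specific object.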
## Installation
There are several ways to install `rakkess`. The recommended installation method is via `krew`.

### Via krew
Krew is a `kubectl` plugin manager. If you have not yet installed `krew`, get it at
[https://github.com/kubernetes-sigs/krew](https://github.com/kubernetes-sigs/krew).
Then installation is as simple as
```bash
kubectl krew install access-matrix
```
The plugin will be available as `kubectl access-matrix`, see [doc/USAGE](doc/USAGE.md) for further details.

### Binaries
When using the binaries for installation, also have a look at [doc/USAGE](doc/USAGE.md).

#### Linux
```bash
curl -LO https://github.com/corneliusweig/rakkess/releases/download/v0.5.0/rakkess-amd64-linux.tar.gz \
&& tar xf rakkess-amd64-linux.tar.gz rakkess-amd64-linux \
&& chmod +x rakkess-amd64-linux \
&& mv -i rakkess-amd64-linux $GOPATH/bin/rakkess
```
#### OSX
```bash
curl -LO https://github.com/corneliusweig/rakkess/releases/download/v0.5.0/rakkess-amd64-darwin.tar.gz \
&& tar xf rakkess-amd64-darwin.tar.gz rakkess-amd64-darwin \
&& chmod +x rakkess-amd64-darwin \
&& mv -i rakkess-amd64-darwin $GOPATH/bin/rakkess
```
#### Windows
[https://github.com/corneliusweig/rakkess/releases/download/v0.5.0/rakkess-windows-amd64.zip](https://github.com/corneliusweig/rakkess/releases/download/v0.5.0/rakkess-windows-amd64.zip)

### From source
#### Build on host
Requirements:
- go 1.16 or newer
- GNU make
- git

Compiling:
```bash
export PLATFORMS=$(go env GOOS)
make all # binaries will be placed in out/
```
#### Build in docker
Requirements:
- docker

Compiling:
```bash
mkdir rakkess && cd rakkess
curl -Lo Dockerfile https://raw.githubusercontent.com/corneliusweig/rakkess/master/Dockerfile
docker build . -t rakkess-builder
# run the image that was just built; binaries are written to the mounted directory
docker run --rm -v "$PWD":/go/bin/ --env PLATFORMS=$(go env GOOS) rakkess-builder
docker rmi rakkess-builder
```
Binaries will be placed in the current directory.

## Users
| What are others saying about rakkess? |
| ---- |
| _“Well, that looks handy! `rakkess`, a kubectl plugin to show an access matrix for all available resources.”_ – [@mhausenblas](https://twitter.com/mhausenblas/status/1100673166303739905) |
| _“that's indeed pretty helpful. `rakkess --as system:serviceaccount:my-ns:my-sa -n my-ns` prints the access matrix of a service account in a namespace”_ – [@fakod](https://twitter.com/fakod/status/1100764745957658626) |
| _“THE BOMB. Love it.”_ – [@ralph_squillace](https://twitter.com/ralph_squillace/status/1100844255830896640) |
| _“This made my day. Well, not actually today but I definitively will use it a lot.”_ – [@Soukron](https://twitter.com/Soukron/status/1100690060129775617) |

---
[1]: This mode was inspired by [kubectl-who-can](https://github.com/aquasecurity/kubectl-who-can)