Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/team-soteria/rback
RBAC in Kubernetes visualizer
https://github.com/team-soteria/rback
graphviz kubernetes rbac visualization
Last synced: 2 months ago
JSON representation
RBAC in Kubernetes visualizer
- Host: GitHub
- URL: https://github.com/team-soteria/rback
- Owner: team-soteria
- License: apache-2.0
- Created: 2019-05-25T11:57:52.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2021-01-04T12:59:14.000Z (about 4 years ago)
- Last Synced: 2024-08-03T16:08:42.863Z (6 months ago)
- Topics: graphviz, kubernetes, rbac, visualization
- Language: Go
- Homepage:
- Size: 2.19 MB
- Stars: 396
- Watchers: 12
- Forks: 38
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-kubernetes-security - rback - RBAC in Kubernetes visualizer (Open Source Projects)
- awesome-cloud-native - rback - RBAC in Kubernetes visualizer. (Security)
README
# rback
A simple "RBAC in Kubernetes" visualizer. No matter how complex the setup, `rback` queries all RBAC related information of an Kubernetes cluster in constant time and generates a graph representation of service accounts, (cluster) roles, and the respective access rules in [dot](https://www.graphviz.org/doc/info/lang.html) format.
For example, here is an Amazon EKS cluster as seen by `rback`:
![EKS cluster](examples/eks.dot.png)
Another example would be a local K3S cluster:
![K3S cluster](examples/k3s.dot.png)
Here in action in the [Katacoda Kubernetes playground](https://www.katacoda.com/courses/kubernetes/playground):
![Katacoda](examples/katacoda.dot.png)
See for more details the [examples/](examples/) directory …
## Install
`rback` depends on you having access to a Kubernetes cluster, either in the cloud (like Amazon EKS)
or locally (k3s, kind, Minikube, Docker for Desktop) as well as `kubectl` installed and configured, locally.To install it for macOS, do:
```sh
$ curl -sL https://github.com/team-soteria/rback/releases/download/v0.4.0/macos_rback -o rback
$ chmod +x rback && sudo mv rback /usr/local/bin
```To install it for Linux, do:
```sh
$ curl -sL https://github.com/team-soteria/rback/releases/download/v0.4.0/linux_rback -o rback
$ chmod +x rback && sudo mv rback /usr/local/bin
```You can also build it from source, with Go 1.12 like so:
```sh
$ git clone https://github.com/team-soteria/rback.git && cd rback
$ go build
```## Using rback directly
Run `rback` locally against the target cluster and store its output in a `.dot` file like shown in the following:
```sh
$ kubectl get sa,roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json | rback > result.dot
```Now that you have `result.dot`, you can render the graph either online or locally.
### Render online
There are plenty of Graphviz (`dot`) online visualization tools available, for example, use [magjac.com/graphviz-visual-editor/](http://magjac.com/graphviz-visual-editor/) for interaction or the simpler [dreampuf.github.io/GraphvizOnline](https://dreampuf.github.io/GraphvizOnline/). Head over there and paste the output of `rback` into it.
### Render locally
Install [Graphviz](https://www.graphviz.org/), for example, on macOS you can do `brew install graphviz`. Then you can do the following (on macOS):
```sh
$ kubectl get sa,roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json | rback | dot -Tpng > /tmp/rback.png && open /tmp/rback.png
```## Using rback as a kubectl plugin
There is also a very crude first version of a kubectl plugin in https://github.com/team-soteria/rback/blob/master/kubectl-plugin/kubectl-rback. Add the file to your path, ensure it is executable and modify it to suit your environment. Then, you'll be able to simply run:
```sh
$ kubectl rback
```
This will generate the `.dot` file, render it using GraphViz (must be installed on your system) and open the rendered image using `xgd-open`.We welcome contributions to make the plugin work in other environments.
## More usage examples
By default, `rback` shows all RBAC resources in your cluster, but you can also focus on a single namespace by using the `-n` switch. The switch supports multiple namespaces as well:
```sh
$ kubectl rback -n my-namespace
$ kubectl rback -n my-namespace1,my-namespace2
```If you're particularly interested in a single `ServiceAccount`, you can run:
```sh
$ kubectl rback serviceaccount my-service-account
or
$ kubectl rback sa my-service-account
```
This makes the specified `ServiceAccount` the focal point of the graph, meaning that only it and directly-related RBAC resources are shown.Instead of `ServiceAccounts`, you can also focus on `Roles`, `RoleBindings`, `ClusterRoles` or `ClusterRoleBindings`:
```sh
$ kubectl rback role my-role
$ kubectl rback clusterrole my-cluster-role
$ kubectl rback rolebinding my-role-binding
$ kubectl rback clusterrolebinding my-cluster-role-binding
```
You can also use the abbreviated form:
```sh
$ kubectl rback r my-role
$ kubectl rback cr my-cluster-role
$ kubectl rback rb my-role-binding
$ kubectl rback crb my-cluster-role-binding
```If you'd like to inspect more than one resource, you can specify multiple resource names:
```sh
$ kubectl rback r my-role1 my-role2
```In addition to focusing on a specific resource, `rback` can also show you who can perform a particular action. For example, if you'd like to see who can create pods, run:
```sh
$ kubectl rback who-can create pods
```
This renders the matched `(Cluster)Roles`, all directly-related `(Cluster)RoleBindings` and subjects (`ServiceAccounts`, `Users` and `Groups`). The matched access rule will be shown in bold font.Whether using `who-can` or not, you can turn off the rendering of the (possibly long) list of access rules with:
```sh
$ kubectl rback --show-rules=false
```When using `who-can`, you can also tell `rback` to only show matched rules instead of hiding rules completely:
```sh
$ kubectl rback --show-matched-rules-only who-can create pods
```## How it works
To follow the "Do One Thing And Do It Well" Unix philosophy, `rback` does not call out to `kubectl` to read RBAC resources (although initial versions did do that) and does not actually render the image. All it does is parse a list of RBAC resources passed in through `stdin`, and then prints out a GraphViz `.dot` file to `stdout` using the [github.com/emicklei/dot](https://github.com/emicklei/dot) package.