A site dedicated to good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.
For recipes, tips and tricks around RBAC see recipes.rbac.dev.
Official Kubernetes docs
Talks and articles
- cyberark/KubiScan: a tool by Eviatar Gerzi to scan a Kubernetes cluster for risky RBAC permissions
- appvia/krane: a Kubernetes RBAC static analysis and visualisation tool
- alcideio/rbac-tool: a collection of Kubernetes RBAC power toys by Alcide: visualize, generate and query RBAC objects.
Generators and operators
- liggitt/audit2rbac: takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
- fairwindsops/rbac-manager: operator that supports declarative configuration for RBAC with new custom resources.
- rond-authz/rond: Rönd is a lightweight container that distributes security policy enforcement throughout your application.
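The audit-log-driven approach that audit2rbac takes is worth seeing in miniature: read the API server audit log, keep the events of one identity, and collapse them into the smallest Role/ClusterRole that would have allowed them. The block below is an added, hypothetical example written for this page; it is not audit2rbac's own code and does not reproduce its exact output. It assumes an audit log at level Metadata or above (one JSON event per line with `user`, `verb` and `objectRef` present), and the sample events, the `include_denied` switch, and the generated object names are all constructed here.

```python
"""Generate least-privilege RBAC objects from a Kubernetes audit log.

Added, hypothetical example in the spirit of audit2rbac (not its code).
Each request is logged at several stages; only ResponseComplete is counted,
so a request is never turned into a rule twice.
"""
import json
from collections import defaultdict


def _ev(user, verb, ref, code=200, stage="ResponseComplete"):
    """Build a trimmed audit event (constructed test data, not a real log)."""
    return {"stage": stage, "verb": verb, "user": {"username": user},
            "objectRef": ref, "responseStatus": {"code": code}}


CI = "system:serviceaccount:dev:ci"
SAMPLE_EVENTS = [  # constructed sample log for the CI service account
    _ev(CI, "get", {"apiGroup": "", "resource": "pods", "namespace": "dev"}, stage="RequestReceived"),
    _ev(CI, "get", {"apiGroup": "", "resource": "pods", "namespace": "dev"}),
    _ev(CI, "list", {"apiGroup": "", "resource": "pods", "namespace": "dev"}),
    _ev(CI, "get", {"apiGroup": "", "resource": "pods", "subresource": "log",
                    "namespace": "dev", "name": "web-0"}),
    _ev(CI, "update", {"apiGroup": "apps", "resource": "deployments", "namespace": "dev", "name": "web"}),
    _ev(CI, "list", {"apiGroup": "", "resource": "nodes"}),  # cluster-scoped: no namespace
    _ev(CI, "delete", {"apiGroup": "", "resource": "secrets", "namespace": "dev"}, code=403),  # denied
    _ev("alice", "delete", {"apiGroup": "", "resource": "pods", "namespace": "dev"}),  # other user
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": CI},
     "requestURI": "/healthz", "responseStatus": {"code": 200}},  # non-resource URL
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def parse_events(audit_log, username, include_denied=True):
    """Yield (namespace, apiGroup, resource, verb) for resource requests by username."""
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue  # count each request once, at the stage that carries the response code
        if ev.get("user", {}).get("username") != username:
            continue
        ref = ev.get("objectRef")
        if not ref:
            continue  # non-resource URL (/healthz, /metrics): would need a nonResourceURLs rule
        if not include_denied and ev.get("responseStatus", {}).get("code") == 403:
            continue  # strict mode: do not grant what the API server refused
        resource = ref["resource"]
        if ref.get("subresource"):
            resource += "/" + ref["subresource"]  # RBAC addresses subresources as pods/log
        yield ref.get("namespace", ""), ref.get("apiGroup", ""), resource, ev["verb"]


def build_rules(events):
    """Collapse events into {namespace: [PolicyRule, ...]}; "" is cluster scope."""
    verbs = defaultdict(set)
    for ns, group, resource, verb in events:
        verbs[(ns, group, resource)].add(verb)
    rules = defaultdict(list)
    for (ns, group, resource), vs in sorted(verbs.items()):
        rules[ns].append({"apiGroups": [group], "resources": [resource], "verbs": sorted(vs)})
    return dict(rules)


def subject_for(username):
    """Map an audit username to an RBAC subject; service accounts have a fixed prefix."""
    if username.startswith("system:serviceaccount:"):
        _, _, ns, name = username.split(":", 3)
        return {"kind": "ServiceAccount", "name": name, "namespace": ns}
    return {"kind": "User", "name": username, "apiGroup": "rbac.authorization.k8s.io"}


def generate_manifests(audit_log, username, include_denied=True):
    """Return Role/ClusterRole plus binding objects covering the user's observed requests."""
    subject = subject_for(username)
    base = username.replace(":", "-")  # object names must be DNS-subdomain safe
    manifests = []
    for ns, rules in build_rules(parse_events(audit_log, username, include_denied)).items():
        role_kind, binding_kind = ("Role", "RoleBinding") if ns else ("ClusterRole", "ClusterRoleBinding")
        meta = {"name": base + ("-" + ns if ns else "")}
        if ns:
            meta["namespace"] = ns
        manifests.append({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": role_kind,
                          "metadata": meta, "rules": rules})
        manifests.append({"apiVersion": "rbac.authorization.k8s.io/v1", "kind": binding_kind,
                          "metadata": dict(meta), "subjects": [subject],
                          "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                                      "kind": role_kind, "name": meta["name"]}})
    return manifests


if __name__ == "__main__":
    print(json.dumps(generate_manifests(SAMPLE_AUDIT_LOG, CI), indent=2))
```

Review the output before applying it: with the default `include_denied=True` the generator also covers the forbidden `delete secrets` call, which is what you want when the log comes from a workload that was deliberately run with no permissions, and exactly what you do not want when the log comes from a compromised pod probing for access.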
Interactive queries
- corneliusweig/rakkess: show an access matrix for server resources.
- fairwindsops/rbac-lookup: allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name.
- sbueringer/kubernetes-rbacq: simplifies querying Subjects and Rights specified in Kubernetes through Roles/ClusterRoles and RoleBindings/ClusterRoleBindings.
- Ladicle/kubectl-bindrole: finds Kubernetes roles bound to a specified service account, group or user.
- aquasecurity/kubectl-who-can: show all the subjects who have permission to perform a given verb on specified resources, for example, find all the subjects who can create pods in a given namespace, or who can delete nodes in the cluster.
- mhausenblas/rbIAM: a unified AWS IAM & Kubernetes RBAC access control exploration tool.
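The query that kubectl-who-can and rakkess answer is a walk over the four RBAC object kinds, and the details are where privilege escapes notice: a ClusterRole bound through a RoleBinding is confined to that namespace, a RoleBinding never grants cluster-scoped resources such as nodes, `*` and `*/subresource` wildcards widen rules, and a `resourceNames` restriction grants nothing to an unnamed request. The resolver below is an added, hypothetical example written for this page, not the code of any tool listed here. It takes RBAC objects as plain dicts in the shape `kubectl get <kind> -o json` returns; the fixtures are constructed, and aggregated ClusterRoles are assumed to already carry their merged `rules` (the API server fills them in, so objects fetched from a live cluster are fine).

```python
"""Answer "who can <verb> <resource> in <namespace>?" over RBAC objects.

Added, hypothetical example (not kubectl-who-can's code). Matching follows
the RBAC authorizer's rules: "*" wildcards, "*/sub" subresource wildcards,
resourceNames restrictions, and binding scope.
"""


def _meta(name, namespace=None):
    return {"name": name, "namespace": namespace} if namespace else {"name": name}


RBAC = {  # constructed fixtures in the shape of `kubectl get ... -o json` items
    "clusterRoles": [
        {"metadata": _meta("cluster-admin"),
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"metadata": _meta("pod-reader"),
         "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
        {"metadata": _meta("scaler"),
         "rules": [{"apiGroups": ["apps"], "resources": ["*/scale"], "verbs": ["update", "patch"]}]},
    ],
    "roles": [
        {"metadata": _meta("deployer", "dev"),
         "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}]},
        {"metadata": _meta("secret-peek", "dev"),
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"], "resourceNames": ["tls-cert"]}]},
    ],
    "clusterRoleBindings": [
        {"metadata": _meta("admins"), "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "platform-admins"}]},
        {"metadata": _meta("readers"), "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
         "subjects": [{"kind": "User", "name": "alice"}]},
        {"metadata": _meta("autoscale"), "roleRef": {"kind": "ClusterRole", "name": "scaler"},
         "subjects": [{"kind": "User", "name": "autoscaler"}]},
    ],
    "roleBindings": [
        {"metadata": _meta("ci-deploys", "dev"), "roleRef": {"kind": "Role", "name": "deployer"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
        {"metadata": _meta("ci-tls", "dev"), "roleRef": {"kind": "Role", "name": "secret-peek"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
        # ClusterRole via RoleBinding: pod-reader applies to bob in dev only.
        {"metadata": _meta("bob-reads-pods", "dev"), "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
         "subjects": [{"kind": "User", "name": "bob"}]},
        # Dangling roleRef (Role was deleted): grants nothing.
        {"metadata": _meta("stale", "dev"), "roleRef": {"kind": "Role", "name": "deleted-role"},
         "subjects": [{"kind": "User", "name": "mallory"}]},
    ],
}


def resource_matches(pattern, resource):
    """'*' matches everything; '*/log' matches any resource's log subresource."""
    if pattern == "*" or pattern == resource:
        return True
    if pattern.startswith("*/") and "/" in resource:
        return resource.split("/", 1)[1] == pattern[2:]
    return False


def rule_allows(rule, verb, group, resource, name):
    """Does one PolicyRule cover the request? name is None for unnamed/collection requests."""
    if "*" not in rule.get("verbs", []) and verb not in rule.get("verbs", []):
        return False
    if "*" not in rule.get("apiGroups", []) and group not in rule.get("apiGroups", []):
        return False
    if not any(resource_matches(p, resource) for p in rule.get("resources", [])):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names  # name-restricted rules never cover unnamed requests


def format_subject(s):
    if s["kind"] == "ServiceAccount":
        return f"ServiceAccount/{s['namespace']}/{s['name']}"
    return f"{s['kind']}/{s['name']}"


def who_can(rbac, verb, resource, namespace, group="", name=None):
    """Return sorted subjects allowed to <verb> <resource>; namespace "" means cluster scope."""
    cluster_roles = {cr["metadata"]["name"]: cr for cr in rbac["clusterRoles"]}
    roles = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in rbac["roles"]}
    subjects = set()

    def rules_of(ref, binding_ns):
        obj = cluster_roles.get(ref["name"]) if ref["kind"] == "ClusterRole" \
            else roles.get((binding_ns, ref["name"]))
        return obj.get("rules", []) if obj else []

    def grant(binding, rules):
        if any(rule_allows(r, verb, group, resource, name) for r in rules):
            subjects.update(format_subject(s) for s in binding.get("subjects", []))

    for crb in rbac["clusterRoleBindings"]:  # apply everywhere, including cluster scope
        grant(crb, rules_of(crb["roleRef"], None))
    if namespace:  # RoleBindings only ever grant access inside their own namespace
        for rb in rbac["roleBindings"]:
            if rb["metadata"]["namespace"] == namespace:
                grant(rb, rules_of(rb["roleRef"], namespace))
    return sorted(subjects)


if __name__ == "__main__":
    print(who_can(RBAC, "list", "pods", "dev"))
    print(who_can(RBAC, "delete", "nodes", ""))
```

Group subjects are reported by name only; mapping `platform-admins` back to humans needs the identity provider, which is the gap rbIAM addresses for AWS IAM.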
Visualization
- jasonrichardsmith/rbac-view: visualizes RBAC permissions in tabular format in your browser.
- team-soteria/rback: generates a graph representation (in Graphviz dot format) of a Kubernetes cluster's RBAC settings.
- sighupio/permission-manager: super-easy and user-friendly RBAC management for Kubernetes. You can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice and easy web UI.