A site dedicated to collecting good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.
## Official Kubernetes docs

## Talks and articles

## Generators and operators
- liggitt/audit2rbac: takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
- reactiveops/rbac-manager: operator that supports declarative configuration for RBAC with new custom resources.
- corneliusweig/rakkess: kubectl plugin that shows an access matrix: which verbs the current identity is allowed to use on each server resource.
- reactiveops/rbac-lookup: allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name.
- sbueringer/kubernetes-rbacq: simplifies querying Subjects and Rights specified in Kubernetes through Roles/ClusterRoles and RoleBindings/ClusterRoleBindings.
- Ladicle/kubectl-bindrole: finds the Kubernetes roles bound to a specified service account, group or user.
- aquasecurity/kubectl-who-can: show all the subjects who have permission to perform a given verb on specified resources, for example, find all the subjects who can create pods in a given namespace, or who can delete nodes in the cluster.
- mhausenblas/rbIAM: a unified AWS IAM & Kubernetes RBAC access control exploration tool.
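To make the generator idea behind audit2rbac concrete, here is an added, self-contained example of the audit-log-to-RBAC transformation. It is illustration code written for this page, not code from audit2rbac or any other project listed above; the function names, the `-from-audit` object naming and the sample audit events are all constructed for the example. It reads audit.k8s.io/v1 events as JSON lines, keeps the ResponseComplete stage of one user's requests, and emits a Role/RoleBinding per namespace plus a ClusterRole/ClusterRoleBinding for cluster-scoped resources and non-resource URLs.

```python
"""Reconstruct RBAC objects from a Kubernetes audit log, in the spirit of
audit2rbac. Added example, not code from audit2rbac or any tool listed on
this page. The audit events below are constructed to exercise the cases a
generator has to handle: duplicate stages, subresources, cluster-scoped
resources, non-resource URLs, denied requests and other users' traffic."""
import json
import re
from collections import defaultdict

RBAC_API = "rbac.authorization.k8s.io/v1"

# Constructed sample audit log (audit.k8s.io/v1 Events as JSON lines),
# trimmed to the fields the generator reads.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"list","user":{"username":"ci-bot"},"objectRef":{"resource":"pods","namespace":"build","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"ci-bot"},"objectRef":{"resource":"pods","namespace":"build","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"ci-bot"},"objectRef":{"resource":"pods","namespace":"build","name":"runner-1","subresource":"log","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"ci-bot"},"objectRef":{"resource":"deployments","namespace":"build","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"ci-bot"},"objectRef":{"resource":"nodes","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"ci-bot"},"requestURI":"/healthz?verbose=1","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"delete","user":{"username":"admin"},"objectRef":{"resource":"nodes","name":"n1","apiVersion":"v1"},"responseStatus":{"code":200}}
"""


def subject_for(username):
    """Map an audit-log username to an RBAC subject. Service accounts show up
    in the audit log as system:serviceaccount:<namespace>:<name>."""
    if username.startswith("system:serviceaccount:"):
        _, _, namespace, name = username.split(":", 3)
        return {"kind": "ServiceAccount", "namespace": namespace, "name": name}
    return {"kind": "User", "apiGroup": "rbac.authorization.k8s.io", "name": username}


def object_name(username):
    """Derive a DNS-1123 compatible object name from a username (naming is ours)."""
    return re.sub(r"[^a-z0-9-]+", "-", username.lower()).strip("-") + "-from-audit"


def collect_requests(audit_log, username, include_denied=True):
    """Group one user's requests into namespaced, cluster-scoped and
    non-resource tables keyed by (apiGroup, resource) -> set of verbs."""
    namespaced = defaultdict(lambda: defaultdict(set))
    cluster = defaultdict(set)
    non_resource = defaultdict(set)
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("user", {}).get("username") != username:
            continue
        # A request is logged once per stage; keeping only ResponseComplete
        # avoids counting the same call twice and carries the response code.
        if ev.get("stage") != "ResponseComplete":
            continue
        code = ev.get("responseStatus", {}).get("code", 0)
        if code == 403 and not include_denied:
            continue
        verb = ev["verb"]
        ref = ev.get("objectRef")
        if not ref:
            # Non-resource request (e.g. /healthz): granted by URL path, not resource.
            non_resource[ev["requestURI"].split("?", 1)[0]].add(verb)
            continue
        resource = ref["resource"]
        if ref.get("subresource"):
            resource = f"{resource}/{ref['subresource']}"  # e.g. pods/log
        key = (ref.get("apiGroup", ""), resource)  # "" is the core API group
        if ref.get("namespace"):
            namespaced[ref["namespace"]][key].add(verb)
        else:
            cluster[key].add(verb)
    return namespaced, cluster, non_resource


def _rules(table):
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(table.items())]


def _binding(kind, name, namespace, subject):
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"apiVersion": RBAC_API, "kind": kind + "Binding", "metadata": meta,
            "subjects": [subject],
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": kind, "name": name}}


def generate_rbac(audit_log, username, include_denied=True):
    """Return a Role/RoleBinding per namespace plus a ClusterRole/ClusterRoleBinding
    for cluster-scoped and non-resource requests, covering exactly the
    verb/resource pairs observed for `username`. Empty list if nothing observed."""
    namespaced, cluster, non_resource = collect_requests(audit_log, username, include_denied)
    subject = subject_for(username)
    name = object_name(username)
    objects = []
    for ns in sorted(namespaced):
        objects.append({"apiVersion": RBAC_API, "kind": "Role",
                        "metadata": {"name": name, "namespace": ns},
                        "rules": _rules(namespaced[ns])})
        objects.append(_binding("Role", name, ns, subject))
    cluster_rules = _rules(cluster) + [
        {"nonResourceURLs": [url], "verbs": sorted(v)}
        for url, v in sorted(non_resource.items())]
    if cluster_rules:
        objects.append({"apiVersion": RBAC_API, "kind": "ClusterRole",
                        "metadata": {"name": name}, "rules": cluster_rules})
        objects.append(_binding("ClusterRole", name, None, subject))
    return objects


if __name__ == "__main__":
    for obj in generate_rbac(SAMPLE_AUDIT_LOG, "ci-bot"):
        print(json.dumps(obj, indent=2))
```

Two caveats apply to any generator of this kind. First, the output is only as complete as the traffic you captured: a code path that never ran during the recording window gets no rule, so the role will break that path later. Second, `include_denied` is a policy decision: in a cluster that is already locked down, 403s are exactly the permissions the subject is missing, but granting them mechanically is also how an over-broad role is born, so review every rule (especially `delete`, `create` on workload resources, and anything in the core group) before applying the objects.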