How to use the command rbac-lookup (with examples)
The rbac-lookup command is a tool that finds the roles and cluster roles attached to any user, service account, or group name in your Kubernetes cluster. It provides an easy way to view RBAC bindings and can also show the source role binding and, if you are using GKE, the associated IAM roles.
Use case 1: View all RBAC bindings
Code:
rbac-lookup
Motivation: This use case is useful when you want to get an overview of all the RBAC bindings in your Kubernetes cluster. It provides a quick way to see the roles and cluster roles assigned to users, service accounts, and groups.
Explanation: The rbac-lookup command without any arguments displays all RBAC bindings in your cluster.
Example output:
NAMESPACE  SUBJECT  KIND  ROLE                   SOURCE
default    default  user  system:serviceaccount  rolebinding/webhook-auth
Use case 2: View RBAC bindings that match a given expression
Code:
rbac-lookup search_term
Motivation: This use case is helpful when you want to find specific RBAC bindings that match a certain expression. It allows you to filter the results and narrow down the roles and cluster roles associated with a particular user, service account, or group.
Explanation: The search_term argument specifies the expression to search for in the RBAC bindings; only bindings matching it are shown.
Example output:
NAMESPACE  SUBJECT  KIND  ROLE                   SOURCE
default    default  user  system:serviceaccount  rolebinding/webhook-auth
Use case 3: View all RBAC bindings along with the source role binding
Code:
rbac-lookup -o wide
Motivation: This use case is beneficial when you need to see the source role binding along with the RBAC bindings. It provides additional information about the origin of the roles and cluster roles assigned to users, service accounts, and groups.
Explanation: The -o wide option displays all RBAC bindings together with the role binding or cluster role binding each one comes from.
Example output:
NAMESPACE  SUBJECT  KIND  ROLE                   SOURCE
default    default  user  system:serviceaccount  rolebinding/webhook-auth
Use case 4: View all RBAC bindings filtered by subject
Code:
rbac-lookup -k user|group|serviceaccount
Motivation: This use case is useful when you want to filter the RBAC bindings based on the subject type. It allows you to focus on the roles and cluster roles assigned to specific user, group, or service account entities.
Explanation: The -k option filters the RBAC bindings by subject kind. Pass exactly one of the three values separated by | above: user, group, or serviceaccount.
Example output:
NAMESPACE  SUBJECT  KIND  ROLE                   SOURCE
default    default  user  system:serviceaccount  rolebinding/webhook-auth
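Use cases 3 and 4 together cover the typical audit question: which subjects, of which kind, hold a powerful role such as cluster-admin, and via which binding? The following POSIX shell helper is an added example, not part of rbac-lookup, that answers this from the tool's wide output. It assumes the five-column layout described on this page (NAMESPACE SUBJECT KIND ROLE SOURCE) and runs here against a constructed sample; check a real run and adjust the awk field numbers if your version prints different columns.

```shell
#!/bin/sh
# Triage helper for `rbac-lookup -o wide` output (added example, not from the
# rbac-lookup project). Assumes the NAMESPACE SUBJECT KIND ROLE SOURCE column
# layout this page describes; adjust $2..$5 below if a real run differs.

# Constructed sample output; "-" in NAMESPACE marks a cluster-wide binding.
SAMPLE_OUTPUT='NAMESPACE    SUBJECT            KIND            ROLE               SOURCE
default      default            serviceaccount  view               rolebinding/default-view
kube-system  ci-deployer        serviceaccount  cluster-admin      clusterrolebinding/ci-admin
-            alice@example.com  user            cluster-admin      clusterrolebinding/alice-admin
monitoring   prometheus         serviceaccount  prometheus-reader  rolebinding/prom
-            system:masters     group           cluster-admin      clusterrolebinding/cluster-admin'

# Print "KIND/SUBJECT SOURCE" for every binding whose ROLE column equals $1.
# Reads rbac-lookup output on stdin; the header line (NR == 1) is skipped.
subjects_with_role() {
  awk -v role="$1" 'NR > 1 && $4 == role { printf "%s/%s %s\n", $3, $2, $5 }'
}

# Count bindings of KIND $1 (user, group, serviceaccount) that hold ROLE $2.
# Handy as a policy check such as "no service account may be cluster-admin".
count_kind_with_role() {
  awk -v kind="$1" -v role="$2" \
    'NR > 1 && $3 == kind && $4 == role { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample. Against a live cluster,
# replace the printf with:  rbac-lookup -o wide | subjects_with_role cluster-admin
printf '%s\n' "$SAMPLE_OUTPUT" | subjects_with_role cluster-admin
sa_admins=$(printf '%s\n' "$SAMPLE_OUTPUT" | count_kind_with_role serviceaccount cluster-admin)
echo "service accounts bound to cluster-admin: $sa_admins"
```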
Use case 5: View all RBAC bindings along with IAM roles (if you are using GKE)
Code:
rbac-lookup --gke
Motivation: This use case is relevant for users who are working with Google Kubernetes Engine (GKE) and want to see RBAC bindings along with the IAM roles. It provides a complete picture of the role-based access control setup in GKE environments.
Explanation: The --gke option displays all RBAC bindings together with the associated IAM roles when the cluster runs on GKE.
Example output:
NAMESPACE  SUBJECT  KIND  ROLE                   SOURCE
default    default  user  system:serviceaccount  rolebinding/webhook-auth
Conclusion:
The rbac-lookup command is a versatile tool for reviewing RBAC bindings in Kubernetes clusters. With its various options, you can easily view and filter the roles and cluster roles assigned to users, service accounts, and groups. It also shows the source role binding and, in GKE environments, the IAM roles, making it a valuable tool for RBAC auditing and administration.