How to use the command rbac-lookup (with examples)

The rbac-lookup command is a tool that allows you to find roles and cluster roles attached to any user, service account, or group name in your Kubernetes cluster. It provides an easy way to view RBAC bindings and can also show the source role binding and IAM roles if you are using GKE.

Use case 1: View all RBAC bindings

Code:

rbac-lookup

Motivation: This use case is useful when you want to get an overview of all the RBAC bindings in your Kubernetes cluster. It provides a quick way to see the roles and cluster roles assigned to users, service accounts, and groups.

Explanation: The rbac-lookup command without any arguments will display all RBAC bindings in your cluster.

Example output:

NAMESPACE    SUBJECT          KIND            ROLE                   SOURCE
default      default          user            system:serviceaccount   rolebinding/webhook-auth

Use case 2: View RBAC bindings that match a given expression

Code:

rbac-lookup search_term

Motivation: This use case is helpful when you want to find specific RBAC bindings that match a certain expression. It allows you to filter the results and narrow down the roles and cluster roles associated with a particular user, service account, or group.

Explanation: Replace search_term with the expression to match, such as the name of the user, service account, or group whose bindings you want to see. Only bindings that match it are listed.

Example output:

NAMESPACE    SUBJECT          KIND            ROLE                   SOURCE
default      default          user            system:serviceaccount   rolebinding/webhook-auth

Use case 3: View all RBAC bindings along with the source role binding

Code:

rbac-lookup -o wide

Motivation: This use case is beneficial when you need to see the source role binding along with the RBAC bindings. It provides additional information about the origin of the roles and cluster roles assigned to users, service accounts, and groups.

Explanation: The -o wide option is used to display all RBAC bindings along with their source role binding.

Example output:

NAMESPACE    SUBJECT          KIND            ROLE                   SOURCE
default      default          user            system:serviceaccount   rolebinding/webhook-auth

Use case 4: View all RBAC bindings filtered by subject

Code:

rbac-lookup -k user|group|serviceaccount

Motivation: This use case is useful when you want to filter the RBAC bindings based on the subject type. It allows you to focus on the roles and cluster roles assigned to specific user, group, or service account entities.

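Explanation: The -k option filters the RBAC bindings by subject type. Pass exactly one of user, group, or serviceaccount, for example rbac-lookup -k serviceaccount. The | characters in the syntax above separate the alternatives and are not typed literally, because a shell would interpret them as pipes.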

Example output:

NAMESPACE    SUBJECT          KIND            ROLE                   SOURCE
default      default          user            system:serviceaccount   rolebinding/webhook-auth

Use case 5: View all RBAC bindings along with IAM roles (if you are using GKE)

Code:

rbac-lookup --gke

Motivation: This use case is relevant for users who are working with Google Kubernetes Engine (GKE) and want to see RBAC bindings along with the IAM roles. It provides a complete picture of the role-based access control setup in GKE environments.

Explanation: The --gke option can be used to display all RBAC bindings along with the associated IAM roles if you are using GKE.

Example output:

NAMESPACE    SUBJECT          KIND            ROLE                   SOURCE
default      default          user            system:serviceaccount   rolebinding/webhook-auth
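
The table these commands print can be piped into a short filter for an access review. The following is an added example, not part of rbac-lookup or of the original article: it lists subjects bound to roles on a watch list. The names flag_bindings, sample_output and WATCH, the watch list contents, and the sample rows are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: list subjects bound to roles on a watch list, reading the
# table rbac-lookup prints. Columns are found by header name, not position.
# WATCH is a hypothetical watch list (an assumption); set it to your policy.
WATCH='cluster-admin|admin|edit'

flag_bindings() {
  awk -v watch="$WATCH" '
    NR == 1 {
      nf = NF
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("SUBJECT" in col) || !("ROLE" in col)) {
        print "unexpected header: " $0 > "/dev/stderr"
        exit 2
      }
      next
    }
    NF == 0 { next }
    NF != nf {
      # A blank or multi-word cell shifts the fields; report instead of guessing.
      print "skipped row " NR ": " $0 > "/dev/stderr"
      next
    }
    {
      role = $(col["ROLE"])
      sub(/^.*\//, "", role)   # drop a "Kind/" prefix on the role, if any
      if (role ~ ("^(" watch ")$"))
        print $(col["SUBJECT"]) "\t" $(col["ROLE"])
    }
  '
}

# Constructed sample in the column layout shown on this page (not real data).
sample_output() {
  cat <<'EOF'
NAMESPACE    SUBJECT          KIND            ROLE                   SOURCE
default      default          user            system:serviceaccount  rolebinding/webhook-auth
kube-system  ci-deployer      serviceaccount  cluster-admin          clusterrolebinding/ci-deployer-admin
dev          dev-team         group           edit                   rolebinding/dev-edit
dev          auditor          user            view                   rolebinding/dev-view
EOF
}

# Live use would be: rbac-lookup -o wide | flag_bindings
sample_output | flag_bindings
```

Rows whose field count differs from the header are reported on stderr rather than silently misread, so check that stream before trusting an empty result.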

Conclusion:

The rbac-lookup command is a versatile tool for inspecting RBAC bindings in Kubernetes clusters. With its various options, you can easily view and filter the roles and cluster roles assigned to users, service accounts, and groups. Additionally, it provides information about the source role binding and IAM roles in GKE environments, making it a valuable tool for RBAC administration.
