Skip to main contentKubernetes   Training

RBAC Tooling

Rakkess

Have you ever wondered what access rights you have on a provided kubernetes cluster? For single resources you can use kubectl auth can-i list deployments, but maybe you are looking for a complete overview? This is what rakkess is for. It lists access rights for the current user and all server resources.

You can get more details here.

  1. Install Rakkess for your platform

  2. Let’s examine the RBAC for the default Namespace:

    rakkess -n default

  3. And now the RBAC for the ServiceAccount that we have created earlier:

    rakkess --sa service-account-1 -n default

    We can see that the ServiceAccount has the rights to list Services and to create ConfigMaps. This corresponds to the api-role Role that we have defined earlier:

    ...
    - apiGroups: [""]
        resources: ["services"]
        verbs: ["get", "list"]
    - apiGroups: [""]
        resources: ["configmaps"]
        verbs: ["create"]
        ...

rbac-view

Polaris runs a variety of checks to ensure that Kubernetes pods and controllers are configured using best practices, helping you avoid problems in the future.

You can get more details here.

  1. Install rbac-view

    #Linux
    wget https://github.com/jasonrichardsmith/rbac-view/releases/download/v0.2.1/rbac-view.v0.2.1.linux.tar.gz
    tar xf rbac-view.v0.2.1.linux.tar.gz
    chmod +x ./bin/linux/rbac-view
    sudo mv -i ./bin/linux/rbac-view $GOPATH/bin/rbac-view
    

    

    #Mac
    wget https://github.com/jasonrichardsmith/rbac-view/releases/download/v0.2.1/rbac-view.v0.2.1.darwin.tar.gz

  2. Run the following in your Terminal:

    rbac-view 
    > INFO[0000] Getting K8s client                           
    > INFO[0000] serving RBAC View and http://localhost:8800

  3. Open the followin URL in your browser: http://localhost:8800

  4. Rbac-view will then run some initialization which may take some time.

```output
> INFO[0000] Getting K8s client                           
> INFO[0000] serving RBAC View and http://localhost:8800  
...
> INFO[0039] Building full matrix for json                
> INFO[0039] Building Matrix for Roles                    
> INFO[0039] Retrieving RoleBindings                      
> INFO[0039] Building Matrix for ClusterRoles             
> INFO[0039] Retrieving ClusterRoleBindings

  1. Enter cluster in the SearchRoles field and examine the cluster-admin Role. The * means that it has all access rights to all ressources with all verbs.

  2. Switch to the Roles tab and enter api-role in the SearchRoles field and examine it. We can see the access rights previously discussed, notably get and list rights to Services.

  3. When you click on the Subjects button you will get the list of Subjects for this Role. In this cas we can see the ServiceAccount service-account-1 that is a subject of the Role.

Edit this page on GitHub
Previous
Kubernetes Security: Service Accounts

      Built with ❤️ by Niklaus Hirt in 2023