mhausenblas / Rbac.dev

A site dedicated to good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.

For recipes, tips and tricks around RBAC see recipes.rbac.dev.

Official Kubernetes docs

• Authorization
• Using RBAC Authorization
• Controlling Access to the Kubernetes API
• Configure Service Accounts for Pods

Talks and articles

• Effective RBAC by Jordan Liggitt
• Configure RBAC In Your Kubernetes Cluster via Bitnami
• Using RBAC, Generally Available in Kubernetes v1.8 by Eric Chiang
• On defaults in Kubernetes RBAC by Michael Hausenblas
• Stop using admin credentials in kubectl by Balkrishna Pandey
• Testing Kubernetes RBAC by Tom Gallacher
• Demystifying RBAC in Kubernetes via CNCF and Bitnami (video)
• Configuring permissions in Kubernetes with RBAC via Containerum
• Kubernetes Authorization via Open Policy Agent by Stefan Büringer
• Configure RBAC in Kubernetes Like A Boss by Emre Savcı
• Securing Kubernetes Clusters by Eliminating Risky RBAC Permissions by Eviatar Gerzi
• Compromising Kubernetes Cluster by Exploiting RBAC Permissions by Eviatar Gerzi
• Permission manager : RBAC management for Kubernetes by Saiyam Pathak
• Inside Kubernetes RBAC by Dominik Tornow

Tooling

• cyberark/KubiScan: a tool by Eviatar Gerzi to scan Kubernetes cluster for risky RBAC permissions
• appvia/krane: a Kubernetes RBAC static analysis and visualisation tool
• alcideio/rbac-tool: Collection of Kubernetes RBAC power toys - Visualize, Generate & Query by Alcide

Generators and operators

• liggitt/audit2rbac: takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
• fairwindsops/rbac-manager: operator that supports declarative configuration for RBAC with new custom resources.

Interactive queries

• corneliusweig/rakkess: show an access matrix for server resources.
• fairwindsops/rbac-lookup: allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name.
• sbueringer/kubernetes-rbacq: simplifies querying Subjects and Rights specified in Kubernetes through Roles/ClusterRoles and RoleBindings/ClusterRoleBindings.
• Ladicle/kubectl-bindrole: finding Kubernetes roles bound to a specified service account, group or user.
• aquasecurity/kubectl-who-can: show all the subjects who have permission to perform a given verb on specified resources, for example, find all the subjects who can create pods in a given namespace, or who can delete nodes in the cluster.
• mhausenblas/rbIAM: a unified AWS IAM & Kubernetes RBAC access control exploration tool.

Visualization

• jasonrichardsmith/rbac-view: visualizes RBAC permissions in tabular format in your browser.
• team-soteria/rback: generates a graph representation (in Graphviz dot format) of a Kubernetes cluster's RBAC settings.
• sighupio/permission-manager: super-easy and user-friendly RBAC management for Kubernetes. You can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice and easy web UI.