Usage

July 24, 2021 · View on GitHub

rakkess demo

If you installed via krew do

kubectl access-matrix

Options

  • --verbs show access for given verbs (valid verbs are create, get, list, watch, update, patch, delete, and deletecollection). It also accepts the shorthands * or all to enable all verbs.

  • --namespace show access rights for the given namespace. Also restricts the list to namespaced resources.

  • --verbosity set the log level (one of debug, info, warn, error, fatal, panic).

  • --sa like the --as option, but impersonate as a service-account. The service-account must either be qualified with its namespace (--sa <namespace>:<sa-name>) or be combined with the --namespace option. The following is equivalent:

    kubectl access-matrix --sa <sa-name> -n <namespace>
kubectl access-matrix --sa <namespace>:<sa-name> -n <namespace>

    Note: this is a shorthand for --as system:serviceaccount:<namespace>:<sa-name>.

  • --diff-with switches into diff mode and compares the access rights with the given modifications. The flag accepts arguments in the form flagname=flagvalue, where flagname is any valid access-matrix flag. Lines and verbs without diff are not displayed.

  • ✔ means that the modified settings have access for this resource and verb, whereas the original settings did not.
  • ✖ means that the modified settings have no access for this resource and verb, whereas the original settings did.

Examples

Show access to all resources

  • ... at cluster scope

    kubectl access-matrix

    This defaults to the verbs list, create, update, and delete because they are the most common ones.

  • ... in some namespace

    kubectl access-matrix --namespace default

  • ... with verbs

    kubectl access-matrix --verbs get,delete,watch,patch

  • ... for another user

    kubectl access-matrix --as other-user

  • ... for another service-account

    kubectl access-matrix --sa kube-system:namespace-controller

  • ... and combine with common kubectl parameters

    KUBECONFIG=otherconfig kubectl access-matrix --context other-context

Show diff for resource access

  • ... for a different service account

    kubectl access-matrix --diff-with sa=kube-system:namespace-controller

  • ... for a different context

    kubectl access-matrix --diff-with context=other

  • ... for a particular user in different namespaces

    kubectl access-matrix --as somebody -n default --diff-with n=kube-system

Note: --diff-with accepts flags in the form flagname=flagvalue (without leading --). All rakkess flags can be overridden.

Show subjects with access to a given resource

rakkess demo

  • ...globally in all namespaces (only considers ClusterRoleBindings)

    kubectl access-matrix resource configmaps
# or maybe you find the 'for' alias easier to read
kubectl access-matrix for configmaps

  • ...in a given namespace (considers RoleBindings and ClusterRoleBindings)

    kubectl access-matrix resource configmaps -n default

  • ...with shorthand notation

    kubectl access-matrix r cm   # same as kubectl access-matrix resource configmaps

  • .. with custom verbs

    kubectl access-matrix r cm --verbs get,delete,watch,patch
Name-restricted roles

Some roles only apply to resources with a specific name. To review such configurations, provide the resource name as additional argument. For example, show access rights for the ConfigMap called ingress-controller-leader-nginx in namespace ingress-nginx:

kubectl access-matrix r cm ingress-controller-leader-nginx -n ingress-nginx --verbs=all

As kubectl access-matrix resource needs to query Roles, ClusterRoles, and their bindings, it usually requires administrative cluster access.

Getting help

kubectl access-matrix help

Note that in the help, the tool is referred to as rakkess, which is the standard name when installed as stand-alone tool.

Completion

Completion does currently not work when used as a kubectl plugin. When used stand-alone, you can do

source <(rakkess completion bash) # for bash users
source <(rakkess completion zsh)  # for zsh users

Also see rakkess completion --help for further instructions.

Installation

Via krew

If you do not have krew installed, visit https://github.com/kubernetes-sigs/krew.

kubectl krew install access-matrix

As kubectl plugin

Most users will have installed rakkess via krew, so the plugin is already correctly installed. Otherwise, rename rakkess to kubectl-access_matrix and put it in some directory from your $PATH variable. Then you can invoke the plugin via kubectl access-matrix

Standalone

Put the rakkess binary in some directory from your $PATH variable. For example

sudo mv -i rakkess /usr/bin/rakkess

Then you can invoke the plugin via rakkess