How can I audit or examine RBAC Roles for different accounts within a Kubernetes cluster?

Question

Access to different resources within Kubernetes is handled by role-based access control (RBAC).

These resources are referenced by the resource name and API group, for example pods within the core/v1 Kubernetes API group or clusters within the management.cattle.io/v3 API group.

A role can be applied (or bound) to different subjects, like a user, group or service account via role bindings, to grant varying degress of access to these resource types at a cluster or namespace level. The access a role grants on a particular resource type is defined by verbs, e.g. get, create, list, watch, delete, and patch etc.

This article details methods by which you can audit or examine role-based access control (RBAC) roles for different accounts within a Kubernetes cluster.

Pre-requisites

• A Kubernetes cluster
• kubectl access to the cluster

Answer

To audit a specific account, the kubectl command can use the can-i option with the impersonation API to examine what verbs a user has access to, given a specific namespace.

Basic Usage

Basic usage of the kubectl can-i option takes the following form:

kubectl auth can-i <verb> <resource> --as account --namespace=<namespace> 

Can my user perform all verbs on all resources? Am I an admin?

kuboectl auth can-i "*" "*"

Can the helm serviceaccount delete pods in the current namespace or cluster-wide?

kubectl auth can-i delete pods --as helm 

Is user1234 an admin in the "testing" namespace? Can they perform all verbs on all resources?

kubectl auth can-i "*" "*" --namespace=testing --as user1234

List option gives insight into permissions for a user or account

kubectl auth can-i --list --namespace=testing --as user1234

Additional tools for querying RBAC

Other open-source third-party tools exist for auditing RBAC, many of which use the Krew plugin framework:

• access-matrix - output a CLI matrix of what users or roles have permissions
• rbac-lookup - perform lookups given subject queries
• who-can - see "who-can" perform a certain verb on a resource, like an opposite view of "can-i"

Third-party tools also exist for creating visualizations of the RBAC configuration:

• RBack - parse the output from the kubectl commands as json, import into visualization in different formats
• RBAC-view - visualizing RBAC relationships via a dashboard interface

Further Reading

• Offical Kubernetes RBAC documentation
• CNCF RBAC Blog post
• NCCGROUP Examples
• Krew Plugin Framework
• RBAC-View
• RBack
• who-can
• rakksess, acess-matrix plugin
• rbac-lookup