How can I audit or examine RBAC Roles for different accounts within a Kubernetes cluster?

This document (000020138) is provided subject to the disclaimer at the end of this document.

Situation

Question

Access to different resources within Kubernetes is handled by role-based access control (RBAC).

These resources are referenced by the resource name and API group, for example pods within the core/v1 Kubernetes API group or clusters within the management.cattle.io/v3 API group.

A role can be applied (or bound) to different subjects, like a user, group or service account via role bindings, to grant varying degress of access to these resource types at a cluster or namespace level. The access a role grants on a particular resource type is defined by verbs, e.g. get, create, list, watch, delete, and patch etc.

This article details methods by which you can audit or examine role-based access control (RBAC) roles for different accounts within a Kubernetes cluster.

Pre-requisites

  • A Kubernetes cluster
  • kubectl access to the cluster

Answer

To audit a specific account, the kubectl command can use the can-i option with the impersonation API to examine what verbs a user has access to, given a specific namespace.

Basic Usage

Basic usage of the kubectl can-i option takes the following form:

kubectl auth can-i <verb> <resource> --as account --namespace=<namespace> 
Can my user perform all verbs on all resources? Am I an admin?
kuboectl auth can-i "*" "*"
Can the helm serviceaccount delete pods in the current namespace or cluster-wide?
kubectl auth can-i delete pods --as helm 
Is user1234 an admin in the "testing" namespace? Can they perform all verbs on all resources?
kubectl auth can-i "*" "*" --namespace=testing --as user1234
List option gives insight into permissions for a user or account
kubectl auth can-i --list --namespace=testing --as user1234
Additional tools for querying RBAC

Other open-source third-party tools exist for auditing RBAC, many of which use the Krew plugin framework:

  • access-matrix - output a CLI matrix of what users or roles have permissions
  • rbac-lookup - perform lookups given subject queries
  • who-can - see "who-can" perform a certain verb on a resource, like an opposite view of "can-i"

Third-party tools also exist for creating visualizations of the RBAC configuration:

  • RBack - parse the output from the kubectl commands as json, import into visualization in different formats
  • RBAC-view - visualizing RBAC relationships via a dashboard interface

Further Reading

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020138
  • Creation Date: 06-May-2021
  • Modified Date:06-May-2021
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center