A kubectl plugin to display permissions from a service account
make build
make install
kubectl krew update
kubectl krew install permissions
curl -LO https://github.com/garethjevans/kubectl-permissions/releases/download/v0.0.4/kubectl-permissions_v0.0.4_darwin_amd64.tar.gz && \
tar -zxvf kubectl-permissions_v0.0.4_darwin_amd64.tar.gz && \
sudo mv kubectl-permissions /usr/local/bin
Based on the roles configured in the example-rbac.yaml:
❯ kubectl permissions sa-under-test -n test-namespace
ServiceAccount/sa-under-test (test-namespace)
├ ClusterRoleBinding/cluster-roles
│ └ ClusterRole/cluster-level-role
│ ├ apps
│ │ ├ deployments verbs=[get watch list] ✔
│ │ └ replicasets verbs=[get watch list] ✔
│ ├ core.k8s.io
│ │ ├ configmaps verbs=[get watch list] ✔
│ │ ├ pods verbs=[get watch list] ✔
│ │ ├ pods/log verbs=[get] ✔
│ │ └ services verbs=[get watch list] ✔
│ └ networking.k8s.io
│ └ ingresses verbs=[get] ✔
└ RoleBinding/namespaced-roles (test-namespace)
└ Role/namespaced-role (test-namespace)
├ kpack.io
│ ├ builds verbs=[get watch list] ✔
│ └ images verbs=[get watch list] ✔
├ source.toolkit.fluxcd.io
│ └ gitrepositories verbs=[get watch list] ✔
└ tekton.dev
├ pipelineruns verbs=[get watch list] ✔
└ taskruns verbs=[get watch list] ✔
The plugin will also highlight when configured roles are missing:
❯ kubectl permissions invalid-sa
⛔ WARNING roles.rbac.authorization.k8s.io "missing-role" not found
⛔ WARNING API Group bingbong.io does not exist
⛔ WARNING Resource invalid does not exist
ServiceAccount/invalid-sa (test-namespace)
├ RoleBinding/missing-role-binding (test-namespace)
│ └ Role/missing-role (missing-role) ❌ - MISSING!!
└ RoleBinding/missing-role-binding2 (test-namespace)
└ Role/invalid-role (test-namespace)
├ bingbong.io
│ └ something verbs=[get watch list] ❌ (API Group 'bingbong.io' does not exist)
├ source.toolkit.fluxcd.io
│ └ gitrepositories verbs=[laugh] ❌ (Permissions 'laugh' are missing)
└ tekton.dev
└ invalid verbs=[get] ❌ (Resource 'invalid' does not exist)
The plugin also has the ability to display any secrets attached to a service account, either as a secret or an imagePullSecret.
❯ kubectl permissions my-sa --include-secrets
ImagePullSecrets
└ registries-credentials ✔
└ type=kubernetes.io/dockerconfigjson
Secrets
├ git-ssh ✔
│ ├ tekton.dev/git-0=https://my-git-server
│ └ type=kubernetes.io/basic-auth
└ registry-credentials ✔
├ tekton.dev/docker-0=docker.io/my-docker-registry
└ type=kubernetes.io/dockerconfigjson
To display the current version of the plugin you can use:
❯ kubectl permissions --version
0.0.4
All artifacts are checksummed, and the checksum.txt file is signed using cosign.
- Download your required binary, and also the certificate(
checksums.txt.pem), signature(checksums.txt.sig) and thechecksums.txt(this file contains a checksum for each artifact) file.
VERSION=v0.0.6
https://github.com/garethjevans/kubectl-permissions/releases/download/$VERSION/checksums.txt.pem
https://github.com/garethjevans/kubectl-permissions/releases/download/$VERSION/checksums.txt.sig
https://github.com/garethjevans/kubectl-permissions/releases/download/$VERSION/checksums.txt- Now you can verify the signature:
cosign verify-blob \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt- To wrap up, you can verify the SHA256 checksums match the downloaded binary:
sha256sum --ignore-missing -c checksums.txt