Skip to content
/ awrbacs Public

AWACS for RBAC. Tool for auditing CRUD permissions in Kubernetes' RBAC.

24 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

lobuhi/awrbacs

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
README.md
README.md
 
 
awrbacs_logo.png
awrbacs_logo.png
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

AWRBACS

AWACS for RBAC. Tool for auditing CRUD permissions in Kubernetes' RBAC.

AWRBACS

Install

git clone https://github.com/lobuhi/awrbacs
cd awrbacs
go build .

How to

Usage of ./awrbacs:

  -as value
        Usernames to impersonate
  -auto
        Automatically enumerate all Users and ServiceAccounts in RoleBindings and ClusterRoleBindings
  -f string
        Path to a file containing a list of users to check
  -kubeconfig string
        Path to the kubeconfig file (default "$HOME/.kube/config")
  -no-kube-system
        Do not check system:* users nor ServiceAccounts in kube-system.
  -sa value
        Service accounts to impersonate in the format namespace:serviceaccount
  -self
        Use current kubeconfig context

Examples:

Test multiple users and serviceaccounts:

awrbacs -sa kube-system:root-ca-cert-publisher -as jane -sa kube-system:replicaset-controller -sa prod:prod-sa -as bob

Find subjects defined in RoleBindings and ClusterRoleBindings and omit those users defined as system:* or serviceaccounts in kube-system namespace:

awrbacs -auto --no-kube-system

About

AWACS for RBAC. Tool for auditing CRUD permissions in Kubernetes' RBAC.

Resources

Readme
Activity

Stars

24 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages