A site dedicated to good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.
For recipes, tips and tricks around RBAC see recipes.rbac.dev.
Official Kubernetes docs
- Using RBAC Authorization
- Controlling Access to the Kubernetes API
- Configure Service Accounts for Pods
Talks and articles
- Effective RBAC by Jordan Liggitt
- Configure RBAC In Your Kubernetes Cluster via Bitnami
- Using RBAC, Generally Available in Kubernetes v1.8 by Eric Chiang
- On defaults in Kubernetes RBAC by Michael Hausenblas
- Stop using admin credentials in kubectl by Balkrishna Pandey
- Testing Kubernetes RBAC by Tom Gallacher
- Demystifying RBAC in Kubernetes via CNCF and Bitnami (video)
- Configuring permissions in Kubernetes with RBAC via Containerum
- Kubernetes Authorization via Open Policy Agent by Stefan Büringer
- Configure RBAC in Kubernetes Like A Boss by Emre Savcı
- Securing Kubernetes Clusters by Eliminating Risky RBAC Permissions by Eviatar Gerzi
- Compromising Kubernetes Cluster by Exploiting RBAC Permissions by Eviatar Gerzi
- Permission manager: RBAC management for Kubernetes by Saiyam Pathak
- Inside Kubernetes RBAC by Dominik Tornow
Analysis and visualisation tools
- cyberark/KubiScan: a tool by Eviatar Gerzi to scan a Kubernetes cluster for risky RBAC permissions
- appvia/krane: a Kubernetes RBAC static analysis and visualisation tool
- alcideio/rbac-tool: Collection of Kubernetes RBAC power toys - Visualize, Generate & Query by Alcide
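The scanners above all boil down to walking every PolicyRule in the cluster and matching it against a list of permissions that are known to enable privilege escalation. The following script is an added example of that idea and is not code from KubiScan, krane or rbac-tool; the list of risky patterns is a constructed shortlist (wildcards, reading Secrets, creating Pods or exec sessions, minting tokens, impersonation, bind/escalate and binding roles), and the Role/ClusterRole objects it scans are constructed sample input in API shape rather than output from a live cluster.

```python
"""Flag risky PolicyRules in Role/ClusterRole objects.

Added example, not code from KubiScan, krane or rbac-tool. RISKY_PATTERNS is a
constructed shortlist of permissions commonly abused for privilege escalation,
and SAMPLE_ROLES are constructed objects in API shape. apiGroups are ignored to
keep the example short, so a "secrets" resource in a CRD group would also be
flagged; a production scanner should match the group as well.
"""

# (verbs, resources, reason): a rule is flagged when it grants at least one of
# the verbs on at least one of the resources. A "*" in the rule matches anything.
RISKY_PATTERNS = [
    ({"get", "list", "watch"}, {"secrets"}, "reads Secrets (tokens, credentials)"),
    ({"create"}, {"pods"}, "creates Pods (can mount any ServiceAccount or hostPath)"),
    ({"create"}, {"pods/exec", "pods/attach"}, "execs into running containers"),
    ({"create"}, {"serviceaccounts/token"}, "mints tokens for ServiceAccounts"),
    ({"impersonate"}, {"users", "groups", "serviceaccounts"}, "impersonates other identities"),
    ({"bind", "escalate"}, {"roles", "clusterroles"}, "grants itself more RBAC"),
    ({"create", "update", "patch"}, {"rolebindings", "clusterrolebindings"}, "binds roles to subjects"),
]


def rule_findings(rule):
    """Return the list of reasons a single PolicyRule is considered risky."""
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    if not resources:  # nonResourceURLs rule, out of scope here
        return []
    if "*" in verbs and "*" in resources:
        return ["cluster-admin-equivalent wildcard rule"]
    # resourceNames narrows the grant to named objects; still worth reporting, but say so.
    suffix = " (limited by resourceNames)" if rule.get("resourceNames") else ""
    found = []
    for p_verbs, p_res, reason in RISKY_PATTERNS:
        if ("*" in verbs or verbs & p_verbs) and ("*" in resources or resources & p_res):
            found.append(reason + suffix)
    return found


def scan_roles(roles):
    """Map "Kind/namespace/name" -> [(rule index, reason), ...] for every flagged rule."""
    report = {}
    for role in roles:
        meta = role["metadata"]
        key = f"{role['kind']}/{meta.get('namespace', '-')}/{meta['name']}"
        findings = [(i, why) for i, rule in enumerate(role.get("rules", []))
                    for why in rule_findings(rule)]
        if findings:
            report[key] = findings
    return report


# Constructed sample input: one wildcard ClusterRole, one app Role with a
# scoped Secret read and an exec grant, and one harmless viewer Role.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "ops-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "app-deployer", "namespace": "prod"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"], "resourceNames": ["app-db"]},
         {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
     ]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "prod"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps", "pods"],
                "verbs": ["get", "list", "watch"]}]},
]

if __name__ == "__main__":
    for role, findings in scan_roles(SAMPLE_ROLES).items():
        for idx, why in findings:
            print(f"{role} rule[{idx}]: {why}")
```

Running it reports the wildcard rule in ops-admin once (rather than once per pattern), the Secret read in app-deployer with the resourceNames caveat, and the pods/exec grant; the viewer Role produces no findings. To use it against a real cluster, feed it the output of `kubectl get roles,clusterroles -A -o json` (the `items` list) instead of SAMPLE_ROLES.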
Generators and operators
- liggitt/audit2rbac: takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
- fairwindsops/rbac-manager: operator that supports declarative configuration for RBAC with new custom resources.
- corneliusweig/rakkess: show an access matrix for server resources.
- fairwindsops/rbac-lookup: allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name.
- sbueringer/kubernetes-rbacq: simplifies querying Subjects and Rights specified in Kubernetes through Roles/ClusterRoles and RoleBindings/ClusterRoleBindings.
- Ladicle/kubectl-bindrole: finds Kubernetes roles bound to a specified service account, group or user.
- aquasecurity/kubectl-who-can: show all the subjects who have permission to perform a given verb on specified resources, for example, find all the subjects who can create pods in a given namespace, or who can delete nodes in the cluster.
- mhausenblas/rbIAM: a unified AWS IAM & Kubernetes RBAC access control exploration tool.
- jasonrichardsmith/rbac-view: visualizes RBAC permissions in tabular format in your browser.
- team-soteria/rback: generates a graph representation (in Graphviz dot format) of a Kubernetes cluster's RBAC settings.
- sighupio/permission-manager: super-easy and user-friendly RBAC management for Kubernetes. You can create users, assign namespaces/permissions, and distribute Kubeconfig YAML files via a nice and easy web UI.
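Most of the query tools in this list (rakkess, rbac-lookup, kubectl-who-can, rbacq, kubectl-bindrole) answer the same question: which subjects can perform a verb on a resource, once every RoleBinding and ClusterRoleBinding has been resolved to its rules. The following is an added example of that evaluation and is not the code of any of those tools; it runs over constructed sample objects instead of a live API server, and it deliberately exercises the cases that are easy to get wrong when reading bindings by hand: a RoleBinding that references a ClusterRole (granted only in the binding's namespace), a ClusterRoleBinding (granted in every namespace and for cluster-scoped resources), `*/<subresource>` wildcards, and a binding whose roleRef points at a Role that does not exist. apiGroups, resourceNames, nonResourceURLs and aggregated ClusterRoles are left out to keep it short.

```python
"""Answer "who can <verb> <resource> in <namespace>?" from a set of RBAC objects.

Added example, not code from kubectl-who-can, rakkess, rbac-lookup or any other
tool listed on this page. SAMPLE_OBJECTS are constructed objects in API shape.
apiGroups, resourceNames, nonResourceURLs and ClusterRole aggregation are
ignored to keep the example short.
"""


def resource_matches(rule_resources, requested):
    """RBAC resource matching: exact name, "*", or "*/<sub>" for a subresource request."""
    _, _, subresource = requested.partition("/")
    for r in rule_resources:
        if r == "*" or r == requested:
            return True
        if subresource and r == "*/" + subresource:
            return True
    return False


def rule_allows(rule, verb, resource):
    verbs = rule.get("verbs", [])
    return ("*" in verbs or verb in verbs) and resource_matches(rule.get("resources", []), resource)


def subject_id(s):
    if s["kind"] == "ServiceAccount":
        return f"ServiceAccount:{s['namespace']}/{s['name']}"
    return f"{s['kind']}:{s['name']}"


def who_can(objects, verb, resource, namespace=None):
    """Return the sorted subject ids allowed to perform verb on resource.

    namespace=None asks about a cluster-scoped request (e.g. nodes), which only a
    ClusterRoleBinding can grant.
    """
    roles, bindings = {}, []
    for o in objects:
        kind, meta = o["kind"], o["metadata"]
        if kind in ("Role", "ClusterRole"):
            roles[(kind, meta.get("namespace"), meta["name"])] = o.get("rules", [])
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            bindings.append(o)

    allowed = set()
    for b in bindings:
        b_ns = b["metadata"].get("namespace")  # None for a ClusterRoleBinding
        if b["kind"] == "RoleBinding" and b_ns != namespace:
            continue  # a RoleBinding only ever grants inside its own namespace
        ref = b["roleRef"]
        # A referenced Role lives in the binding's namespace; a ClusterRole is cluster-scoped.
        rules = roles.get((ref["kind"], b_ns if ref["kind"] == "Role" else None, ref["name"]), [])
        if any(rule_allows(r, verb, resource) for r in rules):  # a dangling roleRef grants nothing
            allowed.update(subject_id(s) for s in b.get("subjects", []))
    return sorted(allowed)


def _meta(name, namespace=None):
    return {"name": name, "namespace": namespace} if namespace else {"name": name}


# Constructed sample objects.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": _meta("secret-reader"),
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": _meta("log-reader"),
     "rules": [{"apiGroups": [""], "resources": ["*/log"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": _meta("node-viewer"),
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": _meta("debugger", "prod"),
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["get", "create"]}]},
    # ClusterRoleBindings: granted in every namespace.
    {"kind": "ClusterRoleBinding", "metadata": _meta("auditors-secrets"),
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "auditors"}]},
    {"kind": "ClusterRoleBinding", "metadata": _meta("sre-nodes"),
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer"},
     "subjects": [{"kind": "Group", "name": "sre"}]},
    {"kind": "ClusterRoleBinding", "metadata": _meta("devs-logs"),
     "roleRef": {"kind": "ClusterRole", "name": "log-reader"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
    # RoleBinding to a ClusterRole: the CI service account reads Secrets in "dev" only.
    {"kind": "RoleBinding", "metadata": _meta("ci-secrets", "dev"),
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": _meta("alice-debug", "prod"),
     "roleRef": {"kind": "Role", "name": "debugger"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # Dangling roleRef: bob gets nothing until a Role named "missing" exists in prod.
    {"kind": "RoleBinding", "metadata": _meta("bob-missing", "prod"),
     "roleRef": {"kind": "Role", "name": "missing"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]

if __name__ == "__main__":
    for q in [("get", "secrets", "dev"), ("get", "secrets", "prod"), ("create", "pods/exec", "prod"),
              ("get", "pods/log", "prod"), ("get", "nodes", None)]:
        print(q, who_can(SAMPLE_OBJECTS, *q))
```

The auditors group shows up for Secrets in every namespace because its grant comes from a ClusterRoleBinding, while the CI service account shows up only in dev even though it is bound to the very same ClusterRole. To run the evaluation against a real cluster, replace SAMPLE_OBJECTS with the `items` of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.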