A site dedicated to collecting good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.
Official Kubernetes docs
- Using RBAC Authorization
- Controlling Access to the Kubernetes API
- Configure Service Accounts for Pods
Talks and articles
- Effective RBAC by Jordan Liggitt
- Configure RBAC In Your Kubernetes Cluster via Bitnami
- Using RBAC, Generally Available in Kubernetes v1.8 by Eric Chiang
- On defaults in Kubernetes RBAC by Michael Hausenblas
- Stop using admin credentials in kubectl by Balkrishna Pandey
- Testing Kubernetes RBAC by Tom Gallacher
- Demystifying RBAC in Kubernetes via CNCF and Bitnami (video)
- Configuring permissions in Kubernetes with RBAC via Containerum
- Kubernetes Authorization via Open Policy Agent by Stefan Büringer
Generators and operators
- liggitt/audit2rbac: takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
- reactiveops/rbac-manager: operator that supports declarative configuration for RBAC with new custom resources.
- corneliusweig/rakkess: show an access matrix for server resources.
- reactiveops/rbac-lookup: allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name.
- sbueringer/kubernetes-rbacq: simplifies querying Subjects and Rights specified in Kubernetes through Roles/ClusterRoles and RoleBindings/ClusterRoleBindings.
- Ladicle/kubectl-bindrole: find Kubernetes roles bound to a specified service account, group, or user.
- aquasecurity/kubectl-who-can: show all the subjects who have permission to perform a given verb on specified resources, for example, find all the subjects who can create pods in a given namespace, or who can delete nodes in the cluster.
- mhausenblas/rbIAM: a unified AWS IAM & Kubernetes RBAC access control exploration tool.