A collection of good practices and tools for Kubernetes RBAC
Latest commit 37a7b3b Jul 21, 2019

A site dedicated to collecting good practices and tooling around Kubernetes RBAC. Both pull requests and issues are welcome.

Official Kubernetes docs

Talks and articles


Generators and operators

  • liggitt/audit2rbac: takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
  • reactiveops/rbac-manager: operator that supports declarative configuration for RBAC with new custom resources.

Interactive queries

  • corneliusweig/rakkess: show an access matrix for server resources.
  • reactiveops/rbac-lookup: allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name.
  • sbueringer/kubernetes-rbacq: simplifies querying Subjects and Rights specified in Kubernetes through Roles/ClusterRoles and RoleBindings/ClusterRoleBindings.
  • Ladicle/kubectl-bindrole: finds Kubernetes roles bound to a specified service account, group or user.
  • aquasecurity/kubectl-who-can: show all the subjects who have permission to perform a given verb on specified resources, for example, find all the subjects who can create pods in a given namespace, or who can delete nodes in the cluster.
  • mhausenblas/rbIAM: a unified AWS IAM & Kubernetes RBAC access control exploration tool.
