Skip to content

Latest commit

 

History

History
118 lines (93 loc) · 3.73 KB

USAGE.md

File metadata and controls

118 lines (93 loc) · 3.73 KB

Usage

rakkess demo

If you installed via krew do

kubectl access-matrix

Options

  • --verbs show access for given verbs (valid verbs are create, get, list, watch, update, patch, delete, and deletecollection). It also accepts the shorthands * or all to enable all verbs.

  • --namespace show access rights for the given namespace. Also restricts the list to namespaced resources.

  • --verbosity set the log level (one of debug, info, warn, error, fatal, panic).

  • --sa like the --as option, but impersonate as a service-account. The service-account must either be qualified with its namespace (--sa <namespace>:<sa-name>) or be combined with the --namespace option. The following is equivalent:

    kubectl access-matrix --sa <sa-name> -n <namespace>
kubectl access-matrix --sa <namespace>:<sa-name> -n <namespace>

    Note: this is a shorthand for --as system:serviceaccount:<namespace>:<sa-name>.

Examples

Show access to all resources

  • ... at cluster scope

    kubectl access-matrix

    This defaults to the verbs list, create, update, and delete because they are the most common ones.

  • ... in some namespace

    kubectl access-matrix --namespace default

  • ... with verbs

    kubectl access-matrix --verbs get,delete,watch,patch

  • ... for another user

    kubectl access-matrix --as other-user

  • ... for another service-account

    kubectl access-matrix --sa kube-system:namespace-controller

  • ... and combine with common kubectl parameters

    KUBECONFIG=otherconfig kubectl access-matrix --context other-context

Show subjects with access to a given resource

rakkess demo

  • ...globally in all namespaces (only ClusterRoleBindings)

    kubectl access-matrix resource configmaps

  • ...in a given namespace (RoleBindings and ClusterRoleBindings)

    kubectl access-matrix resource configmaps -n default

  • ...with shorthand notation

    kubectl access-matrix r cm   # same as kubectl access-matrix resource configmaps

  • .. with custom verbs

    kubectl access-matrix r cm --verbs get,delete,watch,patch

As kubectl access-matrix resource needs to query Roles, ClusterRoles, and their bindings, it usually requires administrative cluster access.

Getting help

kubectl access-matrix help

Note that in the help, the tool is referred to as rakkess, which is the standard name when installed as stand-alone tool.

Completion

Completion does currently not work when used as a kubectl plugin. When used stand-alone, you can do

source <(rakkess completion bash) # for bash users
source <(rakkess completion zsh)  # for zsh users

Also see rakkess completion --help for further instructions.

Installation

Via krew

If you do not have krew installed, visit https://github.com/kubernetes-sigs/krew.

kubectl krew install access-matrix

As kubectl plugin

Most users will have installed rakkess via krew, so the plugin is already correctly installed. Otherwise, rename rakkess to kubectl-access_matrix and put it in some directory from your $PATH variable. Then you can invoke the plugin via kubectl access-matrix

Standalone

Put the rakkess binary in some directory from your $PATH variable. For example

sudo mv -i rakkess /usr/bin/rakkess

Then you can invoke the plugin via rakkess