[Cloud-Native Tip of the Day #3] rbac-lookup

rbac-lookup is a CLI tool that makes it easy to find the Kubernetes Roles and ClusterRoles bound to a user, service account, or group name.

Installation

Homebrew

brew install FairwindsOps/tap/rbac-lookup

ASDF

asdf plugin add rbac-lookup
asdf install rbac-lookup latest
asdf global rbac-lookup latest

Usage

Look up the roles bound to a matching user, service account, or group

rbac-lookup rob

SUBJECT           SCOPE           ROLE
rob@example.com   cluster-wide    ClusterRole/view
rob@example.com   nginx-ingress   ClusterRole/edit

Use --output wide to also show the SOURCE, that is, the binding that grants each role

rbac-lookup ro --output wide

SUBJECT                SCOPE           ROLE                SOURCE
User/rob@example.com   cluster-wide    ClusterRole/view    ClusterRoleBinding/rob-cluster-view
User/rob@example.com   nginx-ingress   ClusterRole/edit    RoleBinding/rob-edit
User/ron@example.com   web             ClusterRole/edit    RoleBinding/ron-edit
ServiceAccount/rops    infra           ClusterRole/admin   RoleBinding/rops-admin
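
The SOURCE column makes the wide output usable for access reviews: each row names the binding to inspect or remove. The following is an added example, not part of the original post or the rbac-lookup project; the names flag_write_roles, sample_output and WATCH_ROLES are hypothetical, the list of roles to flag is an assumption, and the filter assumes no column value contains spaces.

```shell
#!/bin/sh
# Added example: review filter for `rbac-lookup --output wide` output.
# Assumption: the four columns are whitespace-separated and contain no spaces.

# Roles treated as write-capable for this review (an assumption; adjust per cluster).
WATCH_ROLES="ClusterRole/cluster-admin ClusterRole/admin ClusterRole/edit"

# Reads wide output on stdin and prints SUBJECT, ROLE, SCOPE, SOURCE
# (tab-separated) for every row whose ROLE is in WATCH_ROLES.
flag_write_roles() {
  awk -v watch="$WATCH_ROLES" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) hot[w[i]] = 1 }
    $1 == "SUBJECT" { next }   # skip the header row
    NF < 4          { next }   # skip blank or short lines
    ($3 in hot)     { printf "%s\t%s\t%s\t%s\n", $1, $3, $2, $4 }
  '
}

# Constructed sample input: the wide output shown above.
sample_output() {
  cat <<'EOF'
SUBJECT                SCOPE           ROLE                SOURCE
User/rob@example.com   cluster-wide    ClusterRole/view    ClusterRoleBinding/rob-cluster-view
User/rob@example.com   nginx-ingress   ClusterRole/edit    RoleBinding/rob-edit
User/ron@example.com   web             ClusterRole/edit    RoleBinding/ron-edit
ServiceAccount/rops    infra           ClusterRole/admin   RoleBinding/rops-admin
EOF
}

# Against a live cluster: rbac-lookup ro --output wide | flag_write_roles
sample_output | flag_write_roles
```
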

Use the --kind flag to filter by RBAC subject kind

rbac-lookup ro --output wide --kind user

SUBJECT                SCOPE           ROLE               SOURCE
User/rob@example.com   cluster-wide    ClusterRole/view   ClusterRoleBinding/rob-cluster-view
User/rob@example.com   nginx-ingress   ClusterRole/edit   RoleBinding/rob-edit
User/ron@example.com   web             ClusterRole/edit   RoleBinding/ron-edit

Other flags

      --context string      context to use for Kubernetes config
      --gke                 enable GKE integration
  -h, --help                help for rbac-lookup
  -k, --kind string         filter by this RBAC subject kind (user, group, serviceaccount)
      --kubeconfig string   config file location
  -o, --output string       output format (normal, wide)