【每日一个云原生小技巧 #3】rbac-lookup

发布于

rbac-lookup 是一个CLI 命令行工具,用于轻松找到与 Kubernetes 角色和集群角色绑定的 user、service account 或 group name。

安装

Homebrew

代码语言:javascript
复制
brew install FairwindsOps/tap/rbac-lookup

ASDF

代码语言:javascript
复制
asdf plugin add rbac-lookup
asdf install rbac-lookup latest
asdf global rbac-lookup latest

使用

轻松查 user、 service account 或 group 匹配的 ROLE

代码语言:javascript
复制
rbac-lookup rob

SUBJECT                   SCOPE             ROLE

rob@example.com           cluster-wide      ClusterRole/view

rob@example.com           nginx-ingress     ClusterRole/edit

通过 --output wide 可以查看 SOURCE

代码语言:javascript
复制
rbac-lookup rob --output wide


SUBJECT                   SCOPE             ROLE                SOURCE

User/rob@example.com      cluster-wide      ClusterRole/view    ClusterRoleBinding/rob-cluster-view

User/rob@example.com      nginx-ingress     ClusterRole/edit    RoleBinding/rob-edit

User/ron@example.com      web               ClusterRole/edit    RoleBinding/ron-edit

ServiceAccount/rops       infra             ClusterRole/admin   RoleBinding/rops-admin

使用 --kind flag 来过滤 RBAC 指定类似类型

代码语言:javascript
复制
rbac-lookup ro --output wide --kind user


SUBJECT                   SCOPE             ROLE                SOURCE

User/rob@example.com      cluster-wide      ClusterRole/view    ClusterRoleBinding/rob-cluster-view

User/rob@example.com      nginx-ingress     ClusterRole/edit    RoleBinding/rob-edit

User/ron@example.com      web               ClusterRole/edit    RoleBinding/ron-edit

其他 flag

代码语言:javascript
复制
      --context string      context to use for Kubernetes config

--gke                 enable GKE integration

-h, --help                help for rbac-lookup

-k, --kind string         filter by this RBAC subject kind (user, group, serviceaccount)

--kubeconfig string   config file location

-o, --output string       output format (normal, wide)

#edit#lookup#rbac#技巧#云原生