rbac-lookup is a CLI tool for easily finding which users, service accounts, or group names are bound to Kubernetes roles and cluster roles.
Homebrew
brew install FairwindsOps/tap/rbac-lookup
ASDF
asdf plugin add rbac-lookup
asdf install rbac-lookup latest
asdf global rbac-lookup latest
Easily look up the roles that match a user, service account, or group:
rbac-lookup rob
SUBJECT SCOPE ROLE
rob@example.com cluster-wide ClusterRole/view
rob@example.com nginx-ingress ClusterRole/edit
Use --output wide to also see the SOURCE of each binding:
rbac-lookup ro --output wide
SUBJECT SCOPE ROLE SOURCE
User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view
User/rob@example.com nginx-ingress ClusterRole/edit RoleBinding/rob-edit
User/ron@example.com web ClusterRole/edit RoleBinding/ron-edit
ServiceAccount/rops infra ClusterRole/admin RoleBinding/rops-admin
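The wide output above is easy to post-process for an access review. The following is an added example, not part of rbac-lookup or the original page: the function name, the flagging policy, and the Group/devs sample row are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag high-privilege rows in `rbac-lookup --output wide` output.
# Columns, as shown on the page: SUBJECT SCOPE ROLE SOURCE (whitespace separated).
# Assumed policy (adjust to your own): roles named admin or cluster-admin are
# always flagged; edit is flagged only when the scope is cluster-wide.

flag_risky_bindings() {
  awk '
    NR == 1 && $1 == "SUBJECT" { next }   # skip the header row
    NF < 4 { next }                       # skip blank or truncated lines
    {
      subject = $1; scope = $2; role = $3; src = $4
      n = split(role, parts, "/")         # ClusterRole/edit -> edit
      name = parts[n]
      reason = ""
      if (name == "admin" || name == "cluster-admin") {
        reason = "admin-level role"
      } else if (name == "edit" && scope == "cluster-wide") {
        reason = "cluster-wide write access"
      }
      if (reason != "") {
        printf "%s\t%s\t%s\t%s\t%s\n", subject, scope, role, src, reason
      }
    }'
}

# Constructed sample: the wide output shown above plus one constructed row
# (Group/devs) to exercise the cluster-wide edit rule.
sample_wide_output() {
  cat <<'EOF'
SUBJECT SCOPE ROLE SOURCE
User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view
User/rob@example.com nginx-ingress ClusterRole/edit RoleBinding/rob-edit
User/ron@example.com web ClusterRole/edit RoleBinding/ron-edit
ServiceAccount/rops infra ClusterRole/admin RoleBinding/rops-admin
Group/devs cluster-wide ClusterRole/edit ClusterRoleBinding/devs-edit
EOF
}

# Real use: rbac-lookup ro --output wide | flag_risky_bindings
sample_wide_output | flag_risky_bindings
```

Each flagged row keeps the SOURCE column, so the binding to review or remove is named directly.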
Use the --kind flag to filter by a specific RBAC subject kind:
rbac-lookup ro --output wide --kind user
SUBJECT SCOPE ROLE SOURCE
User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view
User/rob@example.com nginx-ingress ClusterRole/edit RoleBinding/rob-edit
User/ron@example.com web ClusterRole/edit RoleBinding/ron-edit
--context string context to use for Kubernetes config
--gke enable GKE integration
-h, --help help for rbac-lookup
-k, --kind string filter by this RBAC subject kind (user, group, serviceaccount)
--kubeconfig string config file location
-o, --output string output format (normal, wide)