Comments (5)
@MaxRink - let me just make sure I am getting this right. If I run `rbac-tool show --scope=cluster`, you would be getting:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations: null
  creationTimestamp: null
  labels: null
  name: custom-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - componentstatuses
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces/finalize
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - namespaces/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/proxy
  verbs:
  - create
  - delete
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectaccessreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectrulesreviews
  verbs:
  - create
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/approval
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csidrivers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - scheduling.k8s.io
  resources:
  - priorityclasses
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - node.k8s.io
  resources:
  - runtimeclasses
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - flowschemas
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - flowschemas/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - prioritylevelconfigurations
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - prioritylevelconfigurations/status
  verbs:
  - get
  - patch
  - update
```
Yes, I've quickly PoCed that with MaxRink@d8b1bda.
Basically, scope cluster would get you all the things that aren't namespaced.
@MaxRink great - I'll have that merged and released asap.
Out of curiosity, what's the entire workflow in which you generate this type of policy? Can you share some color here?
Available as part of v1.12.0
We use it in combination with https://github.com/FairwindsOps/rbac-manager to generate serviceaccounts that have full rights in some namespaces but not in others, while basically being read-only everywhere.
Basically to prevent teams from altering platform components.
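The two ideas in this thread, splitting API resources by scope (which is what `--scope=cluster` does: keep only what is not namespaced) and then layering a read-only ClusterRole under full-rights Roles confined to particular namespaces, can be shown end to end in a few lines. The script below is an added example, not code from rbac-tool or rbac-manager; the discovery data it consumes is constructed by hand to mimic what `kubectl api-resources` reports (resource name, API group, namespaced flag, supported verbs), and the role names and the `team-a` namespace are assumptions. A real script would fetch discovery data from the API server instead of embedding it.

```python
"""Split Kubernetes API resources by scope and emit RBAC rules.

Added example, not rbac-tool's or rbac-manager's code. The discovery data
is constructed by hand to mimic `kubectl api-resources` output (name, API
group, namespaced flag, supported verbs); a real script would fetch it
from the API server.
"""
FULL = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
STATUS = ["get", "patch", "update"]
READ_ONLY = ("get", "list", "watch")

# Constructed sample: a few namespaced and cluster-scoped resources, two
# subresources, and a create-only resource (tokenreviews) that a read-only
# rule cannot grant anything on.
SAMPLE_RESOURCES = [
    {"name": "pods", "group": "", "namespaced": True, "verbs": FULL},
    {"name": "pods/status", "group": "", "namespaced": True, "verbs": STATUS},
    {"name": "deployments", "group": "apps", "namespaced": True, "verbs": FULL},
    {"name": "namespaces", "group": "", "namespaced": False, "verbs": FULL},
    {"name": "nodes", "group": "", "namespaced": False, "verbs": FULL},
    {"name": "nodes/status", "group": "", "namespaced": False, "verbs": STATUS},
    {"name": "clusterroles", "group": "rbac.authorization.k8s.io", "namespaced": False, "verbs": FULL},
    {"name": "tokenreviews", "group": "authentication.k8s.io", "namespaced": False, "verbs": ["create"]},
]


def split_by_scope(resources):
    """Return (cluster_scoped, namespaced): --scope=cluster keeps the first list."""
    return ([r for r in resources if not r["namespaced"]],
            [r for r in resources if r["namespaced"]])


def build_rules(resources, allowed_verbs=None):
    """One rule per (group, resource), the shape rbac-tool prints; a resource
    left with no permitted verbs is dropped rather than emitted as an empty rule."""
    rules = []
    for r in resources:
        verbs = [v for v in r["verbs"] if allowed_verbs is None or v in allowed_verbs]
        if verbs:
            rules.append({"apiGroups": [r["group"]], "resources": [r["name"]],
                          "verbs": sorted(verbs)})
    # Deterministic order: core group ("") sorts first, then by group and resource.
    return sorted(rules, key=lambda rule: (rule["apiGroups"][0], rule["resources"][0]))


def build_role(kind, name, rules, namespace=None):
    """Assemble a Role or ClusterRole manifest as a plain dict."""
    if kind not in ("Role", "ClusterRole"):
        raise ValueError("kind must be Role or ClusterRole")
    metadata = {"name": name}
    if kind == "Role":
        if namespace is None:
            raise ValueError("a Role must carry a namespace")
        metadata["namespace"] = namespace
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": metadata, "rules": rules}


def _scalar(v):
    return "null" if v is None else '""' if v == "" else str(v)


def to_yaml(obj, indent=0):
    """Tiny YAML emitter for the dict/list/scalar shapes used here (no PyYAML)."""
    pad, out = " " * indent, []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if isinstance(v, (dict, list)) and v:
                out.append(f"{pad}{k}:")
                out.extend(to_yaml(v, indent + 2))
            else:
                out.append(f"{pad}{k}: {_scalar(v)}")
    else:
        for item in obj:
            if isinstance(item, dict):
                nested = to_yaml(item, indent + 2)  # later keys line up under "- "
                nested[0] = f"{pad}- {nested[0].lstrip()}"
                out.extend(nested)
            else:
                out.append(f"{pad}- {_scalar(item)}")
    return out


def generate(resources, team_namespace="team-a"):
    # The thread's split: full rights on cluster-scoped resources (what
    # --scope=cluster yields), read-only everywhere, full rights in one namespace.
    cluster, namespaced = split_by_scope(resources)
    return {
        "platform-cluster-admin": build_role("ClusterRole", "platform-cluster-admin",
                                             build_rules(cluster)),
        "everyone-read-only": build_role("ClusterRole", "everyone-read-only",
                                         build_rules(resources, READ_ONLY)),
        "team-admin": build_role("Role", "team-admin", build_rules(namespaced),
                                 namespace=team_namespace),
    }


if __name__ == "__main__":
    for manifest in generate(SAMPLE_RESOURCES).values():
        print("\n".join(to_yaml(manifest)), "---", sep="\n")
```

Two details worth noting when reviewing generated policy of this kind: the read-only rule drops `tokenreviews` entirely instead of emitting a rule with no verbs, and the `nodes/status` subresource keeps only `get` because that is all the intersection leaves. A rule listing a subresource with verbs the server never supports is harmless, but an empty `verbs` list is a sign the generator did not check what the resource actually offers.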