rbac-lookup
Look up Kubernetes RBAC roles for users
TLDR
Find roles for user
SYNOPSIS
rbac-lookup [--kind type] [-n namespace] [-o format] [options] subject
DESCRIPTION
rbac-lookup queries a Kubernetes cluster to find all RBAC role bindings associated with a given subject, answering the question "what permissions does this user, group, or service account have?" It searches both ClusterRoleBindings and namespace-scoped RoleBindings to provide a complete picture of a subject's access across the cluster.
The tool supports lookups by user identity, group membership, and service account name via the --kind flag. Wide output format (-o wide) displays detailed binding information including the namespace, role type, and source binding for each permission grant. This makes it particularly useful for security audits and troubleshooting access issues in clusters with complex RBAC configurations.
PARAMETERS
--kind TYPE
Subject kind (user, group, serviceaccount).
-n, --namespace NS
Namespace to search.
-A, --all-namespaces
All namespaces.
-o, --output FORMAT
Output format.
--gke
GKE-specific mode.
-k, --kubeconfig FILE
Kubeconfig file.
CONFIGURATION
~/.kube/config
Default kubeconfig file specifying cluster connections, authentication credentials, and context selection. Override with -k flag.
CAVEATS
Requires read access to the cluster. Lookups on large clusters may be slow. Aggregated roles are not expanded.
HISTORY
rbac-lookup was created by FairwindsOps for Kubernetes RBAC auditing. It simplifies understanding of complex role binding relationships.
