LinuxCommandLibrary

rbac-lookup

Look up Kubernetes RBAC roles for users

TLDR

Find roles for user
$ rbac-lookup [user@example.com]

Find roles for service account
$ rbac-lookup [service-account-name] --kind serviceaccount

Find roles for group
$ rbac-lookup [group-name] --kind group

Output wide format
$ rbac-lookup [subject] -o wide

Search in namespace
$ rbac-lookup [subject] -n [namespace]

All bindings for subject
$ rbac-lookup [subject] --all-namespaces

SYNOPSIS

rbac-lookup [--kind type] [-n namespace] [-o format] [options] subject

DESCRIPTION

rbac-lookup queries a Kubernetes cluster to find all RBAC role bindings associated with a given subject, answering the question "what permissions does this user, group, or service account have?" It searches both ClusterRoleBindings and namespace-scoped RoleBindings to provide a complete picture of a subject's access across the cluster.
The tool supports lookups by user identity, group membership, and service account name via the --kind flag. Wide output format (-o wide) displays detailed binding information including the namespace, role type, and source binding for each permission grant. This makes it particularly useful for security audits and troubleshooting access issues in clusters with complex RBAC configurations.
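The lookup described above, as an added example that is not rbac-lookup's own code: it matches one subject against RoleBinding and ClusterRoleBinding objects and returns the fields the wide output is described as showing. The binding data is constructed and follows the Kubernetes RBAC object schema; `lookup` and `sa_namespace` are hypothetical names.

```python
import json

# Constructed sample, shaped like the "items" of
# `kubectl get rolebindings,clusterrolebindings -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admins"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "ops"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ci-deploy", "namespace": "staging"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"},
               {"kind": "User", "name": "alice@example.com"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ci-local", "namespace": "dev"},
  "roleRef": {"kind": "Role", "name": "pod-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "orphan"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}}
]}
""")


def lookup(items, name, kind="User", sa_namespace=None):
    """Return (subject, scope, role, source binding) rows for one subject."""
    rows = []
    for b in items:
        # ClusterRoleBindings carry no namespace: the grant applies cluster-wide.
        scope = b["metadata"].get("namespace", "cluster-wide")
        ref = b["roleRef"]
        for s in b.get("subjects") or []:  # a binding may have no subjects at all
            if s["kind"].lower() != kind.lower() or s["name"] != name:
                continue
            # Service accounts with the same name in different namespaces
            # are different identities; filter when a namespace is given.
            if sa_namespace and s.get("namespace") != sa_namespace:
                continue
            # Only the bound role name is reported; its rules (including
            # rules pulled in by aggregation) are not resolved here.
            rows.append((s["name"], scope,
                         f'{ref["kind"]}/{ref["name"]}',
                         f'{b["kind"]}/{b["metadata"]["name"]}'))
    return rows


if __name__ == "__main__":
    for row in lookup(SAMPLE["items"], "ci", kind="serviceaccount"):
        print(*row, sep="\t")
```

A RoleBinding that references a ClusterRole, as `ci-deploy` does, grants that role's rules only inside the binding's namespace, which is why the scope column matters when reading results.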

PARAMETERS

--kind TYPE
Subject kind (user, group, serviceaccount).
-n, --namespace NS
Namespace to search.
-A, --all-namespaces
All namespaces.
-o, --output FORMAT
Output format.
--gke
GKE-specific mode.
-k, --kubeconfig FILE
Kubeconfig file.

CONFIGURATION

~/.kube/config

Default kubeconfig file specifying cluster connections, authentication credentials, and context selection. Override with the -k flag.

CAVEATS

Requires read access to the cluster. Lookups may be slow on large clusters. Aggregated roles are not expanded.

HISTORY

rbac-lookup was created by FairwindsOps for Kubernetes RBAC auditing. It simplifies understanding of complex role binding relationships.
