rbac-tool
Analyze and visualize Kubernetes RBAC policies
TLDR
SYNOPSIS
rbac-tool command [options]
DESCRIPTION
rbac-tool analyzes and visualizes Kubernetes RBAC (Role-Based Access Control) configurations. It helps administrators understand who can do what, identify over-privileged subjects, generate least-privilege policies, and visualize the role/subject graph.The `viz` command produces a Graphviz DOT graph or an interactive HTML page. `policy-rules` and `lookup` accept regular expressions, making it easy to query large clusters.
PARAMETERS
--outformat FORMAT
Output format. For viz: `dot` or `html`. For data commands: `json`, `yaml`, `table`.-e REGEX
Subject filter as a regular expression (used with lookup, policy-rules).--config FILE
Custom analysis ruleset file (used with analysis).--cluster-context NAME
kubeconfig context to use.--exclude-namespaces LIST
Comma-separated namespaces to exclude from visualization.--generated-type TYPE
Role or ClusterRole (used with generate).--allowed-verbs LIST
Verbs to include in generated role.--allowed-groups LIST
API groups to include in generated role.--deny-resources LIST
Resources to exclude from generated role.--for-groups LIST
API groups to include with the show command.-f PATH|URL
Source file, directory, or HTTP URL of audit events (used with auditgen).
CONFIGURATION
~/.kube/config
Default kubeconfig used to connect to the target cluster.
COMMANDS
analysis
Examine RBAC permissions to identify overly permissive principals and risky configurations.viz
Generate a visual representation of RBAC relationships (DOT or HTML).who-can verb kind|kind/name|url
Find all subjects with permission to perform a given action on a resource.lookup
List Roles and ClusterRoles assigned to specified users, service accounts, or groups.policy-rules
List RBAC policy rules associated with the given subjects.generate | gen
Generate a Role or ClusterRole with explicit permissions.auditgen
Generate RBAC policies from Kubernetes audit events.show
Generate a ClusterRole containing the cluster's available permissions.whoami
Display the currently authenticated subject as seen by the API server.version
Print rbac-tool version.
CAVEATS
Requires a working kubeconfig. Some commands need cluster-admin privileges to enumerate all roles and bindings. Generated policies should be reviewed before applying.
HISTORY
rbac-tool is developed by Alcide (now part of Rapid7) and released under Apache 2.0. It was built to help Kubernetes administrators understand and manage complex RBAC configurations.
