LinuxCommandLibrary
GitHubF-DroidGoogle Play Store

rbac-tool

Analyze and visualize Kubernetes RBAC policies

TLDR

Show who can perform an action on a resource
$ rbac-tool who-can [get] [pods]
copy
Visualize RBAC as HTML
$ rbac-tool viz --outformat html > [rbac.html]
copy
Look up roles assigned to a specific subject
$ rbac-tool lookup -e [user@example.com]
copy
List policy rules for a subject
$ rbac-tool policy-rules -e [system:serviceaccount:default:.*]
copy
Analyze RBAC for risky configurations
$ rbac-tool analysis
copy
Generate a ClusterRole from audit events
$ rbac-tool auditgen -f [audit.log]
copy
Show current user's permissions
$ rbac-tool whoami
copy

SYNOPSIS

rbac-tool command [options]

DESCRIPTION

rbac-tool analyzes and visualizes Kubernetes RBAC (Role-Based Access Control) configurations. It helps administrators understand who can do what, identify over-privileged subjects, generate least-privilege policies, and visualize the role/subject graph.The `viz` command produces a Graphviz DOT graph or an interactive HTML page. `policy-rules` and `lookup` accept regular expressions, making it easy to query large clusters.

PARAMETERS

--outformat FORMAT

Output format. For viz: `dot` or `html`. For data commands: `json`, `yaml`, `table`.
-e REGEX
Subject filter as a regular expression (used with lookup, policy-rules).
--config FILE
Custom analysis ruleset file (used with analysis).
--cluster-context NAME
kubeconfig context to use.
--exclude-namespaces LIST
Comma-separated namespaces to exclude from visualization.
--generated-type TYPE
Role or ClusterRole (used with generate).
--allowed-verbs LIST
Verbs to include in generated role.
--allowed-groups LIST
API groups to include in generated role.
--deny-resources LIST
Resources to exclude from generated role.
--for-groups LIST
API groups to include with the show command.
-f PATH|URL
Source file, directory, or HTTP URL of audit events (used with auditgen).

CONFIGURATION

~/.kube/config

Default kubeconfig used to connect to the target cluster.

COMMANDS

analysis

Examine RBAC permissions to identify overly permissive principals and risky configurations.
viz
Generate a visual representation of RBAC relationships (DOT or HTML).
who-can verb kind|kind/name|url
Find all subjects with permission to perform a given action on a resource.
lookup
List Roles and ClusterRoles assigned to specified users, service accounts, or groups.
policy-rules
List RBAC policy rules associated with the given subjects.
generate | gen
Generate a Role or ClusterRole with explicit permissions.
auditgen
Generate RBAC policies from Kubernetes audit events.
show
Generate a ClusterRole containing the cluster's available permissions.
whoami
Display the currently authenticated subject as seen by the API server.
version
Print rbac-tool version.

CAVEATS

Requires a working kubeconfig. Some commands need cluster-admin privileges to enumerate all roles and bindings. Generated policies should be reviewed before applying.

HISTORY

rbac-tool is developed by Alcide (now part of Rapid7) and released under Apache 2.0. It was built to help Kubernetes administrators understand and manage complex RBAC configurations.

SEE ALSO

Copied to clipboard
Kai