Review Access – kubectl plugin to show an access matrix for server resources
Have you ever wondered what access rights you have on a provided kubernetes cluster? For single resources you can use
kubectl auth can-i list deployments, but maybe you are looking for a complete overview? This is what
rakkess is for. It lists access rights for the current user and all server resources, similar to
kubectl auth can-i --list.
It is also useful to find out who may interact with some server resource. Check out the sub-command
rakkess resource below.
Show access for all resources
- … at cluster scope
- … in some namespace
rakkess --namespace default
- … with verbs
rakkess --verbs get,delete,watch,patch
- … for another user
rakkess --as other-user
- … for another service-account
rakkess --sa kube-system:namespace-controller
- … and combine with common
KUBECONFIG=otherconfig rakkess --context other-context
Show subjects with access to a given resource1
- …globally in all namespaces (only considers
rakkess resource configmaps
- …in a given namespace (considers
rakkess resource configmaps -n default
- …with shorthand notation
rakkess r cm # same as rakkess resource configmaps
- .. with custom verbs
rakkess r cm --verbs get,delete,watch,patch
Some roles only apply to resources with a specific name. To review such configurations, provide the resource name as additional argument. For example, show access rights for the
ingress-controller-leader-nginx in namespace
ingress-nginx (note the subtle difference for
nginx-ingress-serviceaccount to the previous example):
rakkess resource needs to query
ClusterRoles, and their bindings, it usually requires administrative cluster access.
Also see Usage.
There are several ways to install
rakkess. The recommended installation method is via
Krew is a
kubectl plugin manager. If you have not yet installed
krew, get it at https://github.com/kubernetes-sigs/krew. Then installation is as simple as
kubectl krew install access-matrix
The plugin will be available as
kubectl access-matrix, see doc/USAGE for further details.
When using the binaries for installation, also have a look at doc/USAGE.
curl -LO https://github.com/corneliusweig/rakkess/releases/download/v0.4.4/rakkess-amd64-linux.tar.gz
&& tar xf rakkess-amd64-linux.tar.gz rakkess-amd64-linux
&& chmod +x rakkess-amd64-linux
&& mv -i rakkess-amd64-linux $GOPATH/bin/rakkess
curl -LO https://github.com/corneliusweig/rakkess/releases/download/v0.4.4/rakkess-amd64-darwin.tar.gz
&& tar xf rakkess-amd64-darwin.tar.gz rakkess-amd64-darwin
&& chmod +x rakkess-amd64-darwin
&& mv -i rakkess-amd64-darwin $GOPATH/bin/rakkess
Build on host
- go 1.13 or newer
- GNU make
export PLATFORMS=$(go env GOOS)
make all # binaries will be placed in out/
Build in docker
mkdir rakkess && chdir rakkess
curl -Lo Dockerfile https://raw.githubusercontent.com/corneliusweig/rakkess/master/Dockerfile
docker build . -t rakkess-builder
docker run --rm -v $PWD:/go/bin/ --env PLATFORMS=$(go env GOOS) rakkess
docker rmi rakkess-builder
Binaries will be placed in the current directory.
|What are others saying about rakkess?|
|“Well, that looks handy!
|“that’s indeed pretty helpful.
|“THE BOMB. Love it.” – @ralph_squillace|
|“This made my day. Well, not actually today but I definitively will use it a lot.” – @Soukron|
: This mode was inspired by kubectl-who-can
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.