As a security-conscious Kubernetes operator, I take security extremely seriously. When new services are rolled out, I do everything in my power to ensure Roles and ClusterRoles have the minimum set of permissions they need. Creating permissions is easy with audit2rbac, but how do you view them once they are in place? I use the kubectl Krew plug-in manager, which provides a way to easily install a number of useful plug-ins. One of these plug-ins, access-matrix, allows you to view the permissions for a user or group in a human-readable form:
$ kubectl access-matrix --as system:serviceaccount:kube-system:kube-proxy
NAME LIST CREATE UPDATE DELETE
apiservices.apiregistration.k8s.io ✖ ✖ ✖ ✖
bindings ✖
certificatesigningrequests.certificates.k8s.io ✖ ✖ ✖ ✖
clusterrolebindings.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
clusterroles.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
componentstatuses ✖
configmaps ✖ ✖ ✖ ✖
controllerrevisions.apps ✖ ✖ ✖ ✖
cronjobs.batch ✖ ✖ ✖ ✖
csidrivers.storage.k8s.io ✖ ✖ ✖ ✖
csinodes.storage.k8s.io ✖ ✖ ✖ ✖
customresourcedefinitions.apiextensions.k8s.io ✖ ✖ ✖ ✖
daemonsets.apps ✖ ✖ ✖ ✖
deployments.apps ✖ ✖ ✖ ✖
endpoints ✔ ✖ ✖ ✖
endpointslices.discovery.k8s.io ✔ ✖ ✖ ✖
events ✖ ✔ ✔ ✖
events.events.k8s.io ✖ ✔ ✔ ✖
horizontalpodautoscalers.autoscaling ✖ ✖ ✖ ✖
ingressclasses.networking.k8s.io ✖ ✖ ✖ ✖
ingresses.extensions ✖ ✖ ✖ ✖
ingresses.networking.k8s.io ✖ ✖ ✖ ✖
jobs.batch ✖ ✖ ✖ ✖
leases.coordination.k8s.io ✖ ✖ ✖ ✖
limitranges ✖ ✖ ✖ ✖
localsubjectaccessreviews.authorization.k8s.io ✖
mutatingwebhookconfigurations.admissionregistration.k8s.io ✖ ✖ ✖ ✖
namespaces ✖ ✖ ✖ ✖
networkpolicies.networking.k8s.io ✖ ✖ ✖ ✖
nodes ✔ ✖ ✖ ✖
persistentvolumeclaims ✖ ✖ ✖ ✖
persistentvolumes ✖ ✖ ✖ ✖
poddisruptionbudgets.policy ✖ ✖ ✖ ✖
pods ✖ ✖ ✖ ✖
podsecuritypolicies.policy ✖ ✖ ✖ ✖
podtemplates ✖ ✖ ✖ ✖
priorityclasses.scheduling.k8s.io ✖ ✖ ✖ ✖
replicasets.apps ✖ ✖ ✖ ✖
replicationcontrollers ✖ ✖ ✖ ✖
resourcequotas ✖ ✖ ✖ ✖
rolebindings.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
roles.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
runtimeclasses.node.k8s.io ✖ ✖ ✖ ✖
secrets ✖ ✖ ✖ ✖
selfsubjectaccessreviews.authorization.k8s.io ✔
selfsubjectrulesreviews.authorization.k8s.io ✔
serviceaccounts ✖ ✖ ✖ ✖
services ✔ ✖ ✖ ✖
statefulsets.apps ✖ ✖ ✖ ✖
storageclasses.storage.k8s.io ✖ ✖ ✖ ✖
subjectaccessreviews.authorization.k8s.io ✖
tokenreviews.authentication.k8s.io ✖
validatingwebhookconfigurations.admissionregistration.k8s.io ✖ ✖ ✖ ✖
volumeattachments.storage.k8s.io ✖ ✖ ✖ ✖
The output shows, for each resource, whether each RBAC verb is allowed, in an easily readable form. You can also use the --verbs option to cherry-pick the verbs you want to see:
$ kubectl access-matrix -n kube-system --verbs get,list,watch,update,patch,delete --as system:serviceaccount:kube-system:coredns
NAME GET LIST WATCH UPDATE PATCH DELETE
bindings
configmaps ✖ ✖ ✖ ✖ ✖ ✖
controllerrevisions.apps ✖ ✖ ✖ ✖ ✖ ✖
cronjobs.batch ✖ ✖ ✖ ✖ ✖ ✖
daemonsets.apps ✖ ✖ ✖ ✖ ✖ ✖
deployments.apps ✖ ✖ ✖ ✖ ✖ ✖
endpoints ✖ ✔ ✔ ✖ ✖ ✖
endpointslices.discovery.k8s.io ✖ ✖ ✖ ✖ ✖ ✖
events ✖ ✖ ✖ ✖ ✖ ✖
events.events.k8s.io ✖ ✖ ✖ ✖ ✖ ✖
horizontalpodautoscalers.autoscaling ✖ ✖ ✖ ✖ ✖ ✖
ingresses.extensions ✖ ✖ ✖ ✖ ✖ ✖
ingresses.networking.k8s.io ✖ ✖ ✖ ✖ ✖ ✖
jobs.batch ✖ ✖ ✖ ✖ ✖ ✖
leases.coordination.k8s.io ✖ ✖ ✖ ✖ ✖ ✖
limitranges ✖ ✖ ✖ ✖ ✖ ✖
localsubjectaccessreviews.authorization.k8s.io
networkpolicies.networking.k8s.io ✖ ✖ ✖ ✖ ✖ ✖
persistentvolumeclaims ✖ ✖ ✖ ✖ ✖ ✖
poddisruptionbudgets.policy ✖ ✖ ✖ ✖ ✖ ✖
pods ✖ ✔ ✔ ✖ ✖ ✖
podtemplates ✖ ✖ ✖ ✖ ✖ ✖
replicasets.apps ✖ ✖ ✖ ✖ ✖ ✖
replicationcontrollers ✖ ✖ ✖ ✖ ✖ ✖
resourcequotas ✖ ✖ ✖ ✖ ✖ ✖
rolebindings.rbac.authorization.k8s.io ✖ ✖ ✖ ✖ ✖ ✖
roles.rbac.authorization.k8s.io ✖ ✖ ✖ ✖ ✖ ✖
secrets ✖ ✖ ✖ ✖ ✖ ✖
serviceaccounts ✖ ✖ ✖ ✖ ✖ ✖
services ✖ ✔ ✔ ✖ ✖ ✖
statefulsets.apps ✖ ✖ ✖ ✖ ✖ ✖
If you want to further refine the output, you can add the --as-group option to view permissions by user and group. Amazing tool, and definitely one to keep in your bat belt!
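Reading a matrix this size by eye is where over-broad grants slip through, so here is an added example (my own script, not part of the post or of the access-matrix plug-in) that turns the plug-in's text output into a least-privilege check. It assumes the output format shown above: a NAME header followed by one column per verb, rows marked with ✔ (allowed) and ✖ (denied), and short rows for resources that support only some verbs. The sample matrix and the list of "sensitive" resources are constructed here for illustration; the sample deliberately includes a secrets row with UPDATE allowed so that a finding is produced.

```shell
#!/bin/sh
# Added example: audit an access-matrix dump for write access, and flag
# writes to resources that let a subject escalate or read credentials.
# Assumptions (mine, not the plug-in's documentation): the input is the
# plain-text matrix exactly as printed above, using ✔ / ✖ marks.

# Constructed sample, modelled on the kube-proxy output in the post, plus one
# over-privileged row (secrets UPDATE) to show what a finding looks like.
SAMPLE_MATRIX='NAME LIST CREATE UPDATE DELETE
bindings
configmaps ✖ ✖ ✖ ✖
endpoints ✔ ✖ ✖ ✖
events ✖ ✔ ✔ ✖
nodes ✔ ✖ ✖ ✖
secrets ✔ ✖ ✔ ✖
selfsubjectaccessreviews.authorization.k8s.io ✔
services ✔ ✖ ✖ ✖'

# Resources where any write verb deserves a second look (my chosen list,
# taken from the resource names that appear in the matrix above).
SENSITIVE='secrets serviceaccounts
clusterroles.rbac.authorization.k8s.io clusterrolebindings.rbac.authorization.k8s.io
roles.rbac.authorization.k8s.io rolebindings.rbac.authorization.k8s.io
mutatingwebhookconfigurations.admissionregistration.k8s.io
validatingwebhookconfigurations.admissionregistration.k8s.io'

# write_access MATRIX
# Prints "resource verb" for every allowed verb that is not read-only
# (get/list/watch). The header row supplies the verb for each column, so the
# function works with any --verbs selection, not just the default four.
write_access() {
    printf '%s\n' "$1" | awk '
        NR == 1 { for (i = 2; i <= NF; i++) verb[i] = tolower($i); next }
        {
            for (i = 2; i <= NF; i++)
                if ($i == "✔" && verb[i] != "get" && verb[i] != "list" && verb[i] != "watch")
                    print $1, verb[i]
        }'
}

# sensitive_findings MATRIX
# Keeps only the write_access lines whose resource is on the SENSITIVE list.
sensitive_findings() {
    write_access "$1" | awk -v list="$SENSITIVE" '
        BEGIN { n = split(list, s, /[ \n]+/); for (i = 1; i <= n; i++) sensitive[s[i]] = 1 }
        ($1 in sensitive)'
}

# report MATRIX: human-readable summary of both checks.
report() {
    echo "Write access granted:"
    write_access "$1" | sed 's/^/  /'
    echo "Writes to sensitive resources (review these):"
    sensitive_findings "$1" | sed 's/^/  /'
}

# Run against the constructed sample. For a live cluster, feed the plug-in's
# output instead, e.g.:
#   report "$(kubectl access-matrix -n kube-system --as system:serviceaccount:kube-system:coredns)"
report "$SAMPLE_MATRIX"
```

The header-driven parsing is the part worth copying: because the verb names are read from the first row rather than hard-coded, the same check works on the default matrix and on a --verbs get,list,watch,update,patch,delete run, and adding patch or deletecollection to the read-only exclusion list is a one-word change.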