If you installed via krew do

```bash
kubectl access-matrix
```

- `--verbs` show access for given verbs (valid verbs are `create`, `get`, `list`, `watch`, `update`, `patch`, `delete`, and `deletecollection`). It also accepts the shorthands `*` or `all` to enable all verbs.
- `--namespace` show access rights for the given namespace. Also restricts the list to namespaced resources.
- `--verbosity` set the log level (one of debug, info, warn, error, fatal, panic).
- `--sa` like the `--as` option, but impersonate as a service-account. The service-account must either be qualified with its namespace (`--sa <namespace>:<sa-name>`) or be combined with the `--namespace` option. The following is equivalent:

  ```bash
  kubectl access-matrix --sa <sa-name> -n <namespace>
  kubectl access-matrix --sa <namespace>:<sa-name> -n <namespace>
  ```

  Note: this is a shorthand for `--as system:serviceaccount:<namespace>:<sa-name>`.
- `--diff-with` switches into diff mode and compares the access rights with the given modifications. The flag accepts arguments in the form `flagname=flagvalue`, where flagname is any valid `access-matrix` flag. Lines and verbs without diff are not displayed.
  - ✔ means that the modified settings have access for this resource and verb, whereas the original settings did not.
  - ✖ means that the modified settings have no access for this resource and verb, whereas the original settings did.
- ... at cluster scope

  ```bash
  kubectl access-matrix
  ```

  This defaults to the verbs `list`, `create`, `update`, and `delete` because they are the most common ones.
- ... in some namespace

  ```bash
  kubectl access-matrix --namespace default
  ```
- ... with verbs

  ```bash
  kubectl access-matrix --verbs get,delete,watch,patch
  ```
- ... for another user

  ```bash
  kubectl access-matrix --as other-user
  ```
- ... for another service-account

  ```bash
  kubectl access-matrix --sa kube-system:namespace-controller
  ```
- ... and combine with common `kubectl` parameters

  ```bash
  KUBECONFIG=otherconfig kubectl access-matrix --context other-context
  ```
- ... for a different service account

  ```bash
  kubectl access-matrix --diff-with sa=kube-system:namespace-controller
  ```
- ... for a different context

  ```bash
  kubectl access-matrix --diff-with context=other
  ```
- ... for a particular user in different namespaces

  ```bash
  kubectl access-matrix --as somebody -n default --diff-with n=kube-system
  ```

  Note: `--diff-with` accepts flags in the form `flagname=flagvalue` (without leading `--`). All rakkess flags can be overridden.
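The diff-mode semantics above, as an added Python example that is not rakkess' own code: it reimplements the `--sa` expansion, the `--verbs` shorthands and the ✔/✖ comparison over two constructed access matrices (the matrices, the user `somebody` and the function names are assumptions), so the output of a `--diff-with` run can be reasoned about without a cluster.

```python
# Added example (not rakkess' code): --sa / --verbs / --diff-with semantics offline.
CHECK, CROSS = "\u2714", "\u2716"  # ✔ and ✖ as printed in diff mode
ALL_VERBS = ["create", "get", "list", "watch", "update", "patch", "delete", "deletecollection"]
DEFAULT_VERBS = ["list", "create", "update", "delete"]


def parse_diff_with(arg: str) -> tuple:
    """Parse a --diff-with argument of the form flagname=flagvalue (no leading --)."""
    name, sep, value = arg.partition("=")
    if not sep or not name or not value or name.startswith("-"):
        raise ValueError(f"expected flagname=flagvalue, got {arg!r}")
    return name, value


def service_account_user(sa: str, namespace: str = "") -> str:
    """Expand --sa into the impersonated user: system:serviceaccount:<namespace>:<sa-name>."""
    ns, sep, name = sa.partition(":")
    if not sep:  # unqualified name: the --namespace value is required
        if not namespace:
            raise ValueError(f"{sa!r} must be <namespace>:<sa-name> or combined with --namespace")
        ns, name = namespace, sa
    return f"system:serviceaccount:{ns}:{name}"


def resolve_verbs(spec: str) -> list:
    """Expand --verbs, honouring the '*' / 'all' shorthands and rejecting unknown verbs."""
    if spec in ("*", "all"):
        return list(ALL_VERBS)
    verbs = [v.strip() for v in spec.split(",")]
    unknown = [v for v in verbs if v not in ALL_VERBS]
    if unknown:
        raise ValueError(f"invalid verbs: {unknown}")
    return verbs


def diff_matrix(original: dict, modified: dict, verbs=DEFAULT_VERBS) -> dict:
    """Return {resource: {verb: mark}} only for entries whose access changed."""
    out = {}
    for resource in sorted(set(original) | set(modified)):
        before, after = original.get(resource, set()), modified.get(resource, set())
        row = {verb: (CHECK if verb in after else CROSS)
               for verb in verbs if (verb in before) != (verb in after)}
        if row:  # lines without any diff are not displayed
            out[resource] = row
    return out


if __name__ == "__main__":
    # Constructed matrices: what user "somebody" may do in default vs kube-system.
    in_default = {"configmaps": {"list", "get"}, "secrets": {"list", "create", "update", "delete"}}
    in_kube_system = {"configmaps": {"list", "get", "update"}, "secrets": {"list"}}
    for resource, row in diff_matrix(in_default, in_kube_system).items():
        print(f"{resource:12}", "  ".join(f"{verb} {mark}" for verb, mark in row.items()))
```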
- ...globally in all namespaces (only considers `ClusterRoleBindings`)

  ```bash
  kubectl access-matrix resource configmaps
  # or maybe you find the 'for' alias easier to read
  kubectl access-matrix for configmaps
  ```
- ...in a given namespace (considers `RoleBindings` and `ClusterRoleBindings`)

  ```bash
  kubectl access-matrix resource configmaps -n default
  ```
- ...with shorthand notation

  ```bash
  kubectl access-matrix r cm  # same as kubectl access-matrix resource configmaps
  ```
- ...with custom verbs

  ```bash
  kubectl access-matrix r cm --verbs get,delete,watch,patch
  ```

Some roles only apply to resources with a specific name. To review such configurations, provide the resource name as additional argument. For example, show access rights for the ConfigMap called `ingress-controller-leader-nginx` in namespace `ingress-nginx`:

```bash
kubectl access-matrix r cm ingress-controller-leader-nginx -n ingress-nginx --verbs=all
```
As `kubectl access-matrix resource` needs to query Roles, ClusterRoles, and their bindings, it usually requires administrative cluster access.

```bash
kubectl access-matrix help
```

Note that in the help, the tool is referred to as `rakkess`, which is the standard name when installed as stand-alone tool.

Completion does not currently work when used as a `kubectl` plugin. When used stand-alone, you can do

```bash
source <(rakkess completion bash) # for bash users
source <(rakkess completion zsh)  # for zsh users
```

Also see `rakkess completion --help` for further instructions.

If you do not have krew installed, visit https://github.com/kubernetes-sigs/krew.

```bash
kubectl krew install access-matrix
```

Most users will have installed `rakkess` via krew, so the plugin is already correctly installed. Otherwise, rename `rakkess` to `kubectl-access_matrix` and put it in some directory from your `$PATH` variable. Then you can invoke the plugin via `kubectl access-matrix`.

Put the `rakkess` binary in some directory from your `$PATH` variable. For example

```bash
sudo mv -i rakkess /usr/bin/rakkess
```

Then you can invoke the plugin via `rakkess`.