fairwindsops / rbac-lookup

Easily find roles and cluster roles attached to any user, service account, or group name in your Kubernetes cluster

Home Page: https://fairwinds.com

License: Apache License 2.0

Go 95.67% Makefile 2.53% Shell 1.80%
kubernetes rbac authorization fairwinds-official hacktoberfest

rbac-lookup's Introduction

RBAC Lookup is a CLI that allows you to easily find Kubernetes roles and cluster roles bound to any user, service account, or group name. Binaries are generated with goreleaser for each release for simple installation.

Documentation

Check out the documentation at docs.fairwinds.com

Installation

Homebrew

brew install FairwindsOps/tap/rbac-lookup

ASDF

asdf plugin add rbac-lookup
asdf install rbac-lookup latest
asdf global rbac-lookup latest

RBAC Manager

While RBAC Lookup helps provide visibility into Kubernetes auth, RBAC Manager helps make auth simpler to manage. This is a Kubernetes operator that enables more concise RBAC configuration that is easier to scale and automate. For more information, see RBAC Manager on GitHub.

Join the Fairwinds Open Source Community

The goal of the Fairwinds Community is to exchange ideas, influence the open source roadmap, and network with fellow Kubernetes users. Chat with us on Slack or join the user group to get involved!

Love Fairwinds Open Source? Automate Fairwinds Open Source for free with Fairwinds Insights. Click to learn more

Other Projects from Fairwinds

Enjoying rbac-lookup? Check out some of our other projects:

  • Polaris - Audit, enforce, and build policies for Kubernetes resources, including over 20 built-in checks for best practices
  • Goldilocks - Right-size your Kubernetes Deployments by comparing your memory and CPU settings against actual usage
  • Pluto - Detect Kubernetes resources that have been deprecated or removed in future versions
  • Nova - Check to see if any of your Helm charts have updates available
  • rbac-manager - Simplify the management of RBAC in your Kubernetes clusters

Or check out the full list

rbac-lookup's People

Contributors

dependabot-preview[bot], dependabot[bot], dnmgns, ivanfetch, lucasreed, mattkelly, nikopen, rbren, reactiveops-bot, robscott, sudermanjr, transient1

rbac-lookup's Issues

Dependabot can't resolve your Go dependency files

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

github.com/fairwindsops/rbac-lookup/cmd: cannot find module providing package github.com/fairwindsops/rbac-lookup/cmd

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

View the update logs.

v0.8.1 does not run under bare ubi8/ubi

What happened?

Running in Docker container registry.access.redhat.com/ubi8/ubi (described here):

$ ls -l /usr/bin/rbac-lookup 
-rwxr-xr-x 1 root root 29999104 Feb 21 03:38 /usr/bin/rbac-lookup
$ /usr/bin/rbac-lookup
bash: /usr/bin/rbac-lookup: No such file or directory

This is almost certainly caused by enabling CGO in #213.

What did you expect to happen?

$ rbac-lookup 
Error getting Kubernetes config: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable

How can we reproduce this?

$ docker run --rm -it registry.access.redhat.com/ubi8/ubi bash
[root@758dbf441bb8 /]# curl -sSL https://github.com/FairwindsOps/rbac-lookup/releases/download/v0.8.1/rbac-lookup_0.8.1_Linux_x86_64.tar.gz | tar -xz
[root@758dbf441bb8 /]# ls -l ./rbac-lookup 
-rwxr-xr-x 1 root root 29999104 Feb 10 20:12 ./rbac-lookup
[root@758dbf441bb8 /]# ./rbac-lookup 
bash: ./rbac-lookup: No such file or directory
[root@758dbf441bb8 /]# 

version

0.8.1

Search

  • I did search for other open and closed issues before opening this.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

CGO=enabled requires dependent libraries to already be installed on the target machine. Obviously some library is missing in Red Hat.

Note that CGO was enabled in #213 to fix #206, but it did not, in fact, fix #206.

Dependabot can't parse your go.mod

Dependabot couldn't parse the go.mod found at /go.mod.

The error Dependabot encountered was:

go list -m: github.com/xordataexchange/crypt@v0.0.3-0.20170626215501-b2862e3d0a77: invalid pseudo-version: git ls-remote -q https://github.com/xordataexchange/crypt in /opt/go/gopath/pkg/mod/cache/vcs/d29aab0f2290694a8954e7fb32dffd4c47eb9d61dbe1217bcc89ef3a6e89f32d: exit status 128:
	fatal: could not read Username for 'https://github.com': terminal prompts disabled
Confirm the import path was entered correctly.
If this is a private repository, see https://golang.org/doc/faq#git_https for additional information.

View the update logs.

should serviceaccounts be reported even if they don't exist?

TLDR; the service accounts reported as having access may not actually exist. BUT, that might be ok.

Here's a situation to back up my findings:

  • RBAC ClusterRoleBinding gives access to two service accounts:
    • helm-system:tiller
    • kube-system:tiller
kubectl get clusterrolebinding tiller -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1beta1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"creationTimestamp":null,"name":"tiller"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"tiller","namespace":"helm-system"},{"kind":"ServiceAccount","name":"tiller","namespace":"kube-system"}]}
  creationTimestamp: "2019-08-09T15:16:49Z"
  name: tiller
  resourceVersion: "7565"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/tiller
  uid: b577bb52-bab8-11e9-b453-0a5bfa843bc0
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: helm-system
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
  • helm-system:tiller exists:
kubectl get sa tiller -n helm-system
NAME     SECRETS   AGE
tiller   1         57d
  • kube-system:tiller does not exist:

kubectl get sa tiller -n kube-system
Error from server (NotFound): serviceaccounts "tiller" not found
  • rbac-lookup reports both:
rbac-lookup -o wide tiller
SUBJECT                              SCOPE          ROLE                        SOURCE
ServiceAccount/helm-system:tiller    cluster-wide   ClusterRole/cluster-admin   ClusterRoleBinding/tiller
ServiceAccount/kube-system:tiller    cluster-wide   ClusterRole/cluster-admin   ClusterRoleBinding/tiller

A part of me thinks this is ok because if kube-system:tiller is ever created it will gain this access. It may also be good to include this output so an administrator can go cleanup the clusterrolebinding.

Another part of me thinks this output is not helpful because it is not reporting the exact state of what's present in the cluster.

Wanted to open this issue for discussion and see what other folks think.

permissions are too harsh IMO

I can't always list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
and there is no namespace toggle I can set to limit it.

This was my hurdle in using the tool.

My use case was finding the roles and clusterroles connected to a serviceaccount.

GKE: Error 403: The caller does not have permission, forbidden

Trying to run rbac-lookup with the --gke flag produces:
Error loading RBAC Bindings: googleapi: Error 403: The caller does not have permission, forbidden

The problem happens with multiple configurations of clusters:

gcloud container clusters create --num-nodes=1 --disk-size=10Gi --machine-type=g1-small --scopes compute-rw,storage-ro,gke-default c1

gcloud container clusters update --enable-basic-auth c1

gcloud container clusters create --num-nodes=1 --disk-size=10Gi --machine-type=g1-small --node-version=1.12.5-gke.10 --cluster-version=1.12.5-gke.10 --scopes compute-rw,storage-ro,gke-default c1

The problem occurs even using a service account with the Owner role:

gcloud container clusters create --num-nodes=1 --disk-size=10Gi --machine-type=g1-small --service-account=$NODE_SA_EMAIL --node-version=1.12.5-gke.10 --cluster-version=1.12.5-gke.10 c1

[FEAT]: make `lookup` directory a public pkg to be imported in golang projects

Is your feature request related to a problem? Please describe.
Thanks a lot for building this amazing project! I would love to suggest that you
make lookup available as a public pkg that can be imported in other golang projects to use
the lister facility for getting Roles and Cluster Roles. An example use-case is this
issue, which we intend to use it to solve.

Describe the solution you'd like
I would like lookup directory as a public pkg (or at least parts of it so that we can import it and re-use it)

Describe alternatives you've considered
An alternative is to use portions of the existing code to build something like a lookup package to get Roles and ClusterRoles, but I think that might not be good practice. What do you suggest?

Additional context
None

Warning message on Brew MacOS

Good morning guys!

First of all, thanks for the cool tool, really useful; I appreciate your shared work so much 😉.

The thing here is since I added your Tap to my Brew, any time I do any action with Brew (update, install, etc.) I get this warning:

Warning: Calling bottle :unneeded is deprecated! There is no replacement. Please report this issue to the fairwindsops/tap tap (not Homebrew/brew or Homebrew/core): /usr/local/Homebrew/Library/Taps/fairwindsops/homebrew-tap/Formula/rbac-lookup.rb:10

I'm using a Macbook Pro (intel based) and now I'm in MacOS Monterey 12.2 but this was happening also with Big Sur 11.X.

It's just a warning, so everything works fine but it would be nice if we can get rid of it.

Once again, thanks 🙇!

DNS Resolution does not work when using VPN

What happened?

After the first install and trying to connect to a cluster via VPN, I get an error:

dial tcp: lookup <MYCLUSTER> on <MY_LOCAL_DNS_SERVER>:53: no such host

What did you expect to happen?

I expected rbac-lookup to connect via VPN to my kubernetes cluster as kubectl and ping do.

How can we reproduce this?

On an OSX system, connect to a VPN and try to use rbac-lookup to connect to a private kubernetes cluster through this VPN.

version

version 0.7.1 Commit:98a09819f7b91ba2c22da08452fa5d2266b796ee

Search

  • I did search for other open and closed issues before opening this.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

This issue appears to be connected to the compiler flag CGO_ENABLED=0, as this tells go (<1.13) to use the Go-internal resolver. But this resolver relies on /etc/resolv.conf instead of the system resolver in place on OSX.
Using a VPN with split routing (only traffic to the "private" hostnames is routed via VPN) will not update this file.

You can check the different DNS servers in place with scutil --dns

See golang/go#12524 and https://docwhat.org/macos-dns-and-go for details (and a possible work-around for end users).

Review and make changes to CONTRIBUTING.md

Some instructions in the CONTRIBUTING doc don't work.

  • make commands aren't working for me locally
  • The link to sign the CLA is broken.

Go through the instructions in this doc, and if they don't work, figure out what does and make changes as needed.

Add support for --kubeconfig parameter to specify a config file

Description:
This tool expects, and can only use, the default configuration located at $HOME/.kube/config.

Request:
Enhance the tool to follow the kubectl CLI-based approach of supporting a --kubeconfig parameter to specify an alternative config file. This allows seamless support for switching among multiple configuration files.

Service Account Namespace

Hi guys, awesome tool!

When running the tool, I notice that for service accounts it doesn't specify which namespace the service account lives in. This can cause confusion when you have service accounts in different namespaces sharing a name, especially if RBAC permissions are granted across namespaces. So I was wondering whether it would be possible to update the output to include this information?

Dependabot can't resolve your Go dependency files

Dependabot can't resolve your Go dependency files.

As a result, Dependabot couldn't update your dependencies.

The error Dependabot encountered was:

dmitri.shuralyov.com/gpu/mtl@v0.0.0-20190408044501-666a987793e9: unrecognized import path "dmitri.shuralyov.com/gpu/mtl" (https fetch: Get https://dmitri.shuralyov.com/gpu/mtl?go-get=1: EOF)

If you think the above is an error on Dependabot's side please don't hesitate to get in touch - we'll do whatever we can to fix it.

View the update logs.

Missing Rolebindings from lookup

I gave a service account circleci in the namespace helm-system the rolebinding to give it cluster-admin in the development namespace, and rbac-lookup doesn't seem to detect this.

$ k get rolebinding rbac-definition-circleci-cluster-admin -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2019-12-03T18:19:04Z"
  labels:
    rbac-manager: reactiveops
  name: rbac-definition-circleci-cluster-admin
  namespace: development
  ownerReferences:
  - apiVersion: rbacmanager.reactiveops.io/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: RBACDefinition
    name: rbac-definition
    uid: 4919eaca-d8ef-4382-8cbb-2cdbe56f9a47
  resourceVersion: "89419"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/development/rolebindings/rbac-definition-circleci-cluster-admin
  uid: ce79f178-d006-4756-96cb-638ebdc1f9d3
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: circleci
  namespace: helm-system

$ rbac-lookup circleci -owide
SUBJECT                                SCOPE          ROLE                   SOURCE
ServiceAccount/helm-system:circleci    cluster-wide   ClusterRole/circleci   ClusterRoleBinding/rbac-definition-circleci-circleci

startup causes 'panic: No Auth Provider found for name "oidc"'

stacktrace:

goroutine 1 [running]:
github.com/reactiveops/rbac-lookup/lookup.List(0x247dbc8, 0x0, 0x0, 0x0, 0x0, 0x0)
/go/src/github.com/reactiveops/rbac-lookup/lookup/list.go:42 +0x25c
github.com/reactiveops/rbac-lookup/cmd.glob..func1(0x2456c60, 0x247dbc8, 0x0, 0x0)
/go/src/github.com/reactiveops/rbac-lookup/cmd/root.go:38 +0xee
github.com/reactiveops/rbac-lookup/vendor/github.com/spf13/cobra.(*Command).execute(0x2456c60, 0xc4200a4190, 0x0, 0x0, 0x2456c60, 0xc4200a4190)
/go/src/github.com/reactiveops/rbac-lookup/vendor/github.com/spf13/cobra/command.go:766 +0x2c1
github.com/reactiveops/rbac-lookup/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x2456c60, 0x2456db0, 0xc420157f40, 0x1a91fbe)
/go/src/github.com/reactiveops/rbac-lookup/vendor/github.com/spf13/cobra/command.go:852 +0x30a
github.com/reactiveops/rbac-lookup/vendor/github.com/spf13/cobra.(*Command).Execute(0x2456c60, 0xc4200a2058, 0x0)
/go/src/github.com/reactiveops/rbac-lookup/vendor/github.com/spf13/cobra/command.go:800 +0x2b
github.com/reactiveops/rbac-lookup/cmd.Execute()
/go/src/github.com/reactiveops/rbac-lookup/cmd/root.go:49 +0x2d
main.main()
/go/src/github.com/reactiveops/rbac-lookup/main.go:22 +0x20

Having issues with kubectl 1.23 client version

What happened?

Installed rbac-lookup with krew and, when running it, had the issue below:

kubectl rbac-lookup
Error generating Kubernetes clientset from kubeconfig: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"

My kubectl version is:

kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.6", GitCommit:"ad3338546da947756e8a88aa6822e9c11e7eac22", GitTreeState:"clean", BuildDate:"2022-04-14T08:49:13Z", GoVersion:"go1.17.9", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21+", GitVersion:"v1.21.14-eks-fb459a0", GitCommit:"b07006b2e59857b13fe5057a956e86225f0e82b7", GitTreeState:"clean", BuildDate:"2022-10-24T20:32:54Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}

What did you expect to happen?

Work normally as expected; I am not able to run any kubectl rbac-lookup command.

Does it need a higher kubectl client version? If so, is there any document that gives the compatibility matrix with kubectl versions?

How can we reproduce this?

Have kubectl client 1.23.6

Version

latest

Search

  • I did search for other open and closed issues before opening this.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

No response

Include serviceaccount namespace

TL;DR: Service accounts are namespaced; they are not like users and groups, which are not namespaced. Currently the SUBJECT field in the output works fine for users and groups but not for service accounts. For service accounts it only has "ServiceAccount/<name>", which should be something like "ServiceAccount/<namespace>/<name>".

As an example, in our clusters we have a per-namespace "tiller" serviceaccount, each with a different set of bindings. They also have rolebindings in other namespaces.

Here is an example case:
We have a tiller service account in the dev, qa and demo namespaces. qa and demo also have explicit access in a monitoring namespace.

Currently when we run rbac-lookup tiller -o wide it prints out RoleBindings for tiller serviceaccounts in any namespace, and it's not possible to distinguish which service account has which role.

Example output (mind the duplicate line at the beginning; that's not a copy-paste mistake):

$ rbac-lookup tiller -o wide
SUBJECT                  SCOPE                    ROLE                              SOURCE
ServiceAccount/tiller    application-monitoring   Role/application-monitoring       RoleBinding/tiller-can-application-monitoring
ServiceAccount/tiller    application-monitoring   Role/application-monitoring       RoleBinding/tiller-can-application-monitoring
ServiceAccount/tiller    dev                      ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/tiller    dev                      ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator
ServiceAccount/tiller    qa                       ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/tiller    qa                       ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator

Here is what i'd expect to see:

$ rbac-lookup tiller -o wide
SUBJECT                       SCOPE                    ROLE                              SOURCE
ServiceAccount/qa:tiller      application-monitoring   Role/application-monitoring       RoleBinding/tiller-can-application-monitoring
ServiceAccount/demo:tiller    application-monitoring   Role/application-monitoring       RoleBinding/tiller-can-application-monitoring
ServiceAccount/dev:tiller     dev                      ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/dev:tiller     dev                      ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator
ServiceAccount/qa:tiller      qa                       ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/qa:tiller      qa                       ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator
ServiceAccount/demo:tiller    demo                     ClusterRole/admin                 RoleBinding/tiller-can-admin
ServiceAccount/demo:tiller    demo                     ClusterRole/prometheus-operator   RoleBinding/tiller-can-prometheus-operator
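
As an added example (not the project's code), a stdlib-only Go sketch of the lookup that this issue, "Service Account Namespace", "Missing Rolebindings from lookup" and "should serviceaccounts be reported even if they don't exist?" are asking for: ServiceAccount subjects reported as namespace:name, matched by the subject's own namespace rather than the binding's, and flagged when no ServiceAccount object backs them. It reads the JSON shape that `kubectl get clusterrolebindings,rolebindings -A -o json` returns; the binding list and the set of existing ServiceAccounts are constructed inline and do not come from a real cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// binding mirrors only the fields read from `kubectl get clusterrolebindings,rolebindings -A -o json`.
type binding struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	RoleRef struct {
		Kind string `json:"kind"`
		Name string `json:"name"`
	} `json:"roleRef"`
	Subjects []struct {
		Kind      string `json:"kind"`
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"subjects"`
}

// Row is one line of rbac-lookup -o wide style output; Dangling marks a
// ServiceAccount subject that no ServiceAccount object currently backs.
type Row struct {
	Subject, Scope, Role, Source string
	Dangling                     bool
}

// Lookup returns every binding whose subject name contains query. ServiceAccounts
// are reported as namespace:name and checked against existingSAs ("namespace/name").
func Lookup(listJSON []byte, query string, existingSAs map[string]bool) ([]Row, error) {
	var list struct {
		Items []binding `json:"items"`
	}
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var rows []Row
	for _, b := range list.Items {
		scope := b.Metadata.Namespace
		if b.Kind == "ClusterRoleBinding" {
			scope = "cluster-wide"
		}
		for _, s := range b.Subjects {
			if !strings.Contains(s.Name, query) {
				continue
			}
			subj, dangling := s.Kind+"/"+s.Name, false
			if s.Kind == "ServiceAccount" {
				// A RoleBinding may omit the subject namespace; the RBAC authorizer then resolves the SA in the binding's namespace.
				ns := s.Namespace
				if ns == "" {
					ns = b.Metadata.Namespace
				}
				subj = "ServiceAccount/" + ns + ":" + s.Name
				dangling = !existingSAs[ns+"/"+s.Name]
			}
			rows = append(rows, Row{subj, scope, b.RoleRef.Kind + "/" + b.RoleRef.Name,
				b.Kind + "/" + b.Metadata.Name, dangling})
		}
	}
	sort.Slice(rows, func(i, j int) bool {
		return rows[i].Subject+" "+rows[i].Source < rows[j].Subject+" "+rows[j].Source
	})
	return rows, nil
}

// SampleList is a constructed snapshot (not from a real cluster): the tiller ClusterRoleBinding
// and circleci RoleBinding from the issues, plus a RoleBinding whose SA subject omits its namespace.
const SampleList = `{"kind":"List","items":[
 {"kind":"ClusterRoleBinding","metadata":{"name":"tiller"},"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},
  "subjects":[{"kind":"ServiceAccount","name":"tiller","namespace":"helm-system"},
              {"kind":"ServiceAccount","name":"tiller","namespace":"kube-system"}]},
 {"kind":"RoleBinding","metadata":{"name":"rbac-definition-circleci-cluster-admin","namespace":"development"},
  "roleRef":{"kind":"ClusterRole","name":"cluster-admin"},
  "subjects":[{"kind":"ServiceAccount","name":"circleci","namespace":"helm-system"}]},
 {"kind":"RoleBinding","metadata":{"name":"tiller-can-admin","namespace":"dev"},
  "roleRef":{"kind":"ClusterRole","name":"admin"},"subjects":[{"kind":"ServiceAccount","name":"tiller"}]}]}`

// SampleSAs stands in for `kubectl get sa -A`; kube-system:tiller is deliberately absent.
func SampleSAs() map[string]bool {
	return map[string]bool{"helm-system/tiller": true, "helm-system/circleci": true, "dev/tiller": true}
}

func main() {
	rows, err := Lookup([]byte(SampleList), "tiller", SampleSAs())
	if err != nil {
		panic(err)
	}
	for _, r := range rows {
		fmt.Printf("%-36s %-14s %-28s %-28s dangling=%v\n", r.Subject, r.Scope, r.Role, r.Source, r.Dangling)
	}
}
```

With a live cluster, the same function can be fed the output of the two kubectl commands named in the comments; the dangling flag is what lets an administrator decide whether a stale ClusterRoleBinding subject should be cleaned up before a ServiceAccount of that name is ever created.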

How to list all subjects' role/cluster-role and role-bindings/cluster-role-bindings no matter the subject name?

Hello,
In your Usage documentation (https://rbac-lookup.docs.fairwinds.com/usage/) an example query is given:

rbac-lookup rob

SUBJECT                   SCOPE             ROLE
[email protected]           cluster-wide      ClusterRole/view
[email protected]           nginx-ingress     ClusterRole/edit 

Would it be possible to list all subjects' role/cluster-role and role-bindings/cluster-role-bindings no matter the subject name? Is there something like rbac-lookup -A?

In my case I used rbac-lookup u -owide because I said "u" is contained in "group", "serviceaccount" and "user". Sample of the output in my case:

SUBJECT                                                          SCOPE             ROLE                                                               SOURCE                                                                      
ServiceAccount/amazon-cloudwatch:cloudwatch-agent                cluster-wide      ClusterRole/cloudwatch-agent-role                                  ClusterRoleBinding/cloudwatch-agent-role-binding  
Group/eks-cluster-read-only-group                                cluster-wide      ClusterRole/eks-readonly-cluster-role                              ClusterRoleBinding/eks-security-audit-cluster-role-binding
User/eks:cloudwatch-agent                                        cluster-wide      ClusterRole/eks:cloudwatch-agent-role                              ClusterRoleBinding/eks:cloudwatch-agent-role-binding      

Update:
I have just used rbac-lookup with no options/flags. The output looks like this:

rbac-lookup
SUBJECT                                           SCOPE             ROLE
amazon-cloudwatch:cloudwatch-agent                cluster-wide      ClusterRole/cloudwatch-agent-role
amazon-cloudwatch:cwagent-prometheus              cluster-wide      ClusterRole/cwagent-prometheus-role
amazon-cloudwatch:fluentd                         cluster-wide      ClusterRole/fluentd-role

But in this case the kind of the subject does not appear in the output before the subject name.

CLOUDSDK_CORE_PROJECT env var

Hi guys,

I use GKE, so I tried to run the command rbac-lookup --output wide --gke but I received an error

Could not load IAM policy for ceiba-platform-prod project from parsed kubeconfig
No project ID found in default GCP credentials
Error loading RBAC Bindings: Error loading IAM policies for GKE, try setting CLOUDSDK_CORE_PROJECT environment variable

I tried to set CLOUDSDK_CORE_PROJECT = my-cool-project and I received a different error:

Could not load IAM policy for my-cool-project project from parsed kubeconfig
No project ID found in default GCP credentials
Could not load IAM policy for my-cool-project project from CLOUDSDK_CORE_PROJECT environment variable
Error loading RBAC Bindings: Post https://cloudresourcemanager.googleapis.com/v1/projects/my-cool-project:getIamPolicy?alt=json&prettyPrint=false: oauth2: cannot fetch token: 400 Bad Request
Response: {
  "error": "invalid_grant",
  "error_description": "Bad Request"
}

I tried to look for CLOUDSDK_CORE_PROJECT in your docs or in the Gcloud SDK docs, but I couldn't find any info about how to set this environment variable.

Can you please add such info to the README or in https://rbac-lookup.docs.fairwinds.com/gke/ ?

Thanks :)

case-insensitive import collision

I seem to be getting this error when running make.

can't load package: package github.com/FairwindsOps/rbac-lookup/cmd: case-insensitive import collision: "github.com/FairwindsOps/rbac-lookup/cmd" and "github.com/fairwindsops/rbac-lookup/cmd"

Compile multi-arch

kubectl krew search rbac
NAME DESCRIPTION INSTALLED
rbac-lookup Reverse lookup for RBAC unavailable on windows

kubectl krew install rbac-lookup
Updated the local copy of plugin index.
Installing plugin: rbac-lookup
W0226 09:53:59.604225 27940 install.go:164] failed to install plugin "rbac-lookup": plugin "rbac-lookup" does not offer installation for
this platform
F0226 09:53:59.748225 27940 root.go:79] failed to install some plugins: [rbac-lookup]: plugin "rbac-lookup" does not offer installation for this platform
Error: exit status 255

Display permission details

Currently this tool displays roles (incl. cluster roles), but not what actual permissions are granted from them. To see what I mean, try something like

kubectl rbac-lookup $account -o role | tail +2 | awk '{print $3}' | xargs kubectl describe

but mentally take the union of those permissions when there are overlapping roles (or cluster roles).

I would like to see something that would display columns with resources, verbs, etc. like kubectl describe provides, as well as columns displaying the role(s) and binding(s) that contributed to those permissions, so that I could see all the permissions available to a given service account or user in one table.
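The union the issue above asks for, as an added example that is not rbac-lookup's own code: the types are stand-ins for the Kubernetes RBAC objects (in a real implementation the rules would come from the API server via client-go), the grant rows are modelled on the "dev" output earlier on this page, and Role/pod-reader, RoleBinding/tiller-can-read-pods and the rules attached to ClusterRole/admin are constructed for the example.

```go
package main

import "fmt"

// PolicyRule mirrors the RBAC rule fields that matter here (a stand-in, not k8s.io/api).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// Grant is one row of `rbac-lookup -o wide` together with the rules of the role it names.
type Grant struct {
	Scope, Role, Binding string
	Rules                []PolicyRule
}

// Permission is one (scope, apiGroup, resource, verb) tuple a subject may exercise.
type Permission struct{ Scope, Group, Resource, Verb string }

// EffectivePermissions takes the union of all rules across the grants. Every permission
// maps to each "Role via Binding" pair that granted it, so overlapping roles stay visible.
func EffectivePermissions(grants []Grant) map[Permission][]string {
	sources := map[Permission][]string{}
	for _, g := range grants {
		src := g.Role + " via " + g.Binding
		for _, r := range g.Rules {
			for _, grp := range r.APIGroups {
				for _, res := range r.Resources {
					for _, verb := range r.Verbs {
						p := Permission{g.Scope, grp, res, verb}
						sources[p] = append(sources[p], src)
					}
				}
			}
		}
	}
	return sources
}

// SampleGrants is constructed input modelled on the "dev" rows above: ClusterRole/admin
// (with stand-in rules) overlapping a narrower, made-up Role/pod-reader on pods.
func SampleGrants() []Grant {
	return []Grant{
		{"dev", "ClusterRole/admin", "RoleBinding/tiller-can-admin", []PolicyRule{{[]string{""}, []string{"pods", "secrets"}, []string{"get", "list"}}}},
		{"dev", "Role/pod-reader", "RoleBinding/tiller-can-read-pods", []PolicyRule{{[]string{""}, []string{"pods"}, []string{"get", "watch"}}}},
	}
}

func main() {
	for p, src := range EffectivePermissions(SampleGrants()) {
		fmt.Printf("%-4s %q %-8s %-6s %v\n", p.Scope, p.Group, p.Resource, p.Verb, src)
	}
}
```

Map iteration order is random, so sort the keys before rendering a table; the pods/get row lists both roles, which is the overlap the issue wants surfaced rather than collapsed.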
