Add Json output for the 'rbac-tool lookup' command
royharoush opened this issue · 5 comments
royharoush commented
What would you like to be added:
JSON output, preferably in the following structure:
{
  "User": "User",
  "authorizedFor": {
    "objectName": "objectName",
    "objectType": "objectType",
    "Permission": "Permission"
  }
}
Why is this needed:
So it can be used in other systems to reflect permissions of users.
gadinaor commented
@royharoush - I looked into this and am happy to hear your thoughts:
CLI examples:
# Search all service accounts
rbac-tool policy-rules -e '.*'
# Search all service accounts that contain myname
rbac-tool policy-rules -e '.*myname.*'
# Lookup system accounts (all accounts that start with system:)
rbac-tool policy-rules -e '^system:.*'
# Lookup all accounts that DO NOT start with system:
rbac-tool policy-rules -ne '^system:.*'
Additional jmespath filtering is straightforward - for example, who can read secrets, etc.
[?contains(allowedTo[].verb, 'get')] | [?contains(allowedTo[].apiGroup, 'core')]
Sample JSON output:
[
  {
    "kind": "ServiceAccount",
    "name": "kube-scheduler",
    "namespace": "kube-system",
    "allowedTo": [
      {
        "namespace": "kube-system",
        "verb": "watch",
        "apiGroup": "core",
        "resource": "configmaps"
      },
      {
        "namespace": "kube-system",
        "verb": "get",
        "apiGroup": "core",
        "resource": "configmaps",
        "resourceNames": [
          "kube-scheduler"
        ]
      },
      {
        "namespace": "kube-system",
        "verb": "update",
        "apiGroup": "core",
        "resource": "configmaps",
        "resourceNames": [
          "kube-scheduler"
        ]
      }
    ]
  },
  {
    "kind": "ServiceAccount",
    "name": "job-controller",
    "namespace": "kube-system",
    "allowedTo": [
      {
        "namespace": "*",
        "verb": "get",
        "apiGroup": "batch",
        "resource": "jobs"
      },
      {
        "namespace": "*",
        "verb": "list",
        "apiGroup": "batch",
        "resource": "jobs"
      },
      {
        "namespace": "*",
        "verb": "update",
        "apiGroup": "batch",
        "resource": "jobs"
      },
      {
        "namespace": "*",
        "verb": "watch",
        "apiGroup": "batch",
        "resource": "jobs"
      },
      {
        "namespace": "*",
        "verb": "update",
        "apiGroup": "batch",
        "resource": "jobs/status"
      },
      {
        "namespace": "*",
        "verb": "update",
        "apiGroup": "batch",
        "resource": "jobs/finalizers"
      },
      {
        "namespace": "*",
        "verb": "create",
        "apiGroup": "core",
        "resource": "pods"
      },
      {
        "namespace": "*",
        "verb": "delete",
        "apiGroup": "core",
        "resource": "pods"
      },
      {
        "namespace": "*",
        "verb": "list",
        "apiGroup": "core",
        "resource": "pods"
      },
      {
        "namespace": "*",
        "verb": "patch",
        "apiGroup": "core",
        "resource": "pods"
      },
      {
        "namespace": "*",
        "verb": "watch",
        "apiGroup": "core",
        "resource": "pods"
      },
      {
        "namespace": "*",
        "verb": "create",
        "apiGroup": "core",
        "resource": "events"
      },
      {
        "namespace": "*",
        "verb": "create",
        "apiGroup": "events.k8s.io",
        "resource": "events"
      },
      {
        "namespace": "*",
        "verb": "patch",
        "apiGroup": "core",
        "resource": "events"
      },
      {
        "namespace": "*",
        "verb": "patch",
        "apiGroup": "events.k8s.io",
        "resource": "events"
      },
      {
        "namespace": "*",
        "verb": "update",
        "apiGroup": "core",
        "resource": "events"
      },
      {
        "namespace": "*",
        "verb": "update",
        "apiGroup": "events.k8s.io",
        "resource": "events"
      }
    ]
  }
]
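The comment above shows how to consume the policy-rules JSON with a jmespath filter. The following script is an added example, not part of rbac-tool and not written by anyone in this thread; it answers the "who can read secrets" question in plain Python over the same JSON shape (kind/name/namespace/allowedTo with per-rule namespace, verb, apiGroup, resource and optional resourceNames). Assumptions: the sample below is a constructed subset of the output posted above plus a hypothetical `secret-reader` service account; `*` in the verb, apiGroup and resource fields is treated as match-all per Kubernetes RBAC semantics, and `*` in namespace as cluster-wide as the sample shows; the `-o json` flag in the usage line is assumed, so check `rbac-tool policy-rules --help` before relying on it.

```python
"""Query rbac-tool policy-rules JSON for subjects allowed to perform an action.

Added example for this issue thread; not rbac-tool code.
Usage (flag name assumed):  rbac-tool policy-rules -o json | python3 who_can.py
Run without stdin to query the constructed sample below.
"""
import json
import sys

# Constructed sample: a subset of the output posted in the thread plus a
# hypothetical "secret-reader" ServiceAccount. Not real cluster data.
SAMPLE_OUTPUT = json.loads("""
[
  {"kind": "ServiceAccount", "name": "kube-scheduler", "namespace": "kube-system",
   "allowedTo": [
     {"namespace": "kube-system", "verb": "watch", "apiGroup": "core", "resource": "configmaps"},
     {"namespace": "kube-system", "verb": "get", "apiGroup": "core", "resource": "configmaps",
      "resourceNames": ["kube-scheduler"]}
   ]},
  {"kind": "ServiceAccount", "name": "job-controller", "namespace": "kube-system",
   "allowedTo": [
     {"namespace": "*", "verb": "get", "apiGroup": "batch", "resource": "jobs"},
     {"namespace": "*", "verb": "create", "apiGroup": "core", "resource": "pods"},
     {"namespace": "*", "verb": "delete", "apiGroup": "core", "resource": "pods"}
   ]},
  {"kind": "ServiceAccount", "name": "secret-reader", "namespace": "default",
   "allowedTo": [
     {"namespace": "*", "verb": "get", "apiGroup": "core", "resource": "secrets"},
     {"namespace": "*", "verb": "list", "apiGroup": "core", "resource": "secrets"}
   ]}
]
""")

# Verbs that disclose object contents; "list" and "watch" return full objects too.
READ_VERBS = ("get", "list", "watch")


def _wild(pattern, value):
    """Kubernetes RBAC: '*' matches everything for verbs, apiGroups, resources.
    rbac-tool emits namespace '*' for cluster-wide grants (see sample above)."""
    return pattern == "*" or pattern == value


def rule_grants(rule, verb, api_group, resource, namespace, name=None):
    """True if one allowedTo entry permits `verb` on `api_group`/`resource`
    in `namespace`. A rule carrying resourceNames only grants access to
    those named objects, so it matches only when the target `name` is listed."""
    if not (_wild(rule["verb"], verb)
            and _wild(rule["apiGroup"], api_group)
            and _wild(rule["resource"], resource)
            and _wild(rule["namespace"], namespace)):
        return False
    names = rule.get("resourceNames")
    if names:
        return name is not None and name in names
    return True


def subject_id(subject):
    """Stable identifier: Kind/namespace/name (namespace empty for User/Group)."""
    return f'{subject["kind"]}/{subject.get("namespace", "")}/{subject["name"]}'


def who_can(output, verb, api_group, resource, namespace, name=None):
    """Sorted identifiers of subjects with at least one rule granting the action."""
    return sorted(
        subject_id(s) for s in output
        if any(rule_grants(r, verb, api_group, resource, namespace, name)
               for r in s.get("allowedTo", []))
    )


def readers_of(output, api_group, resource, namespace, name=None):
    """Subjects that can read the resource via any of get/list/watch."""
    hits = set()
    for verb in READ_VERBS:
        hits.update(who_can(output, verb, api_group, resource, namespace, name))
    return sorted(hits)


if __name__ == "__main__":
    data = SAMPLE_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    ns = sys.argv[1] if len(sys.argv) > 1 else "default"
    for subj in readers_of(data, "core", "secrets", ns):
        print(subj)
```

The resourceNames handling is the part a generic jmespath `contains(verb, 'get')` filter misses: kube-scheduler's `get configmaps` is scoped to the single `kube-scheduler` object, so it does not count as blanket read access to configmaps, while its unrestricted `watch` does. Treating `*` in verb/resource/apiGroup as match-all mirrors Kubernetes RBAC wildcards; if rbac-tool already expands those before printing, the checks are simply redundant.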
royharoush commented
I'll give it a look, thanks!
royharoush commented
Is it already in releases, or do I have to build it from source?
gadinaor commented
Is it already in releases, or do I have to build it from source?
https://github.com/alcideio/rbac-tool/releases/tag/v0.8.0-rc1
gadinaor commented
v0.8.0 released