RBAC Auditing Workflow
Level: Advanced | Time: 15 min
Audit Role-Based Access Control (RBAC) permissions to identify overly permissive roles and verify least-privilege access.
Prerequisites
- kubectl configured
- Cluster admin access
Steps
Step 1: List all ClusterRoles and their rules
View all cluster-level roles and the verbs their rules grant (this column shows verbs only; add a column for .rules[*].resources, or use -o yaml, to see which resources those verbs apply to).
$ kubectl get clusterroles -o custom-columns='NAME:.metadata.name,RULES:.rules[*].verbs'
Step 2: Check what a specific user or service account can do
Test whether a subject has permission to perform specific actions.
$ kubectl auth can-i --list --as=system:serviceaccount:default:my-sa
Use --as to impersonate any user or service account to audit their effective permissions.
Step 3: Find all RoleBindings for a specific subject
See which roles are bound to a specific user or service account (RoleBindings and ClusterRoleBindings across all namespaces; ClusterRoleBindings have no namespace, so the parenthesis is empty for them).
$ kubectl get rolebindings,clusterrolebindings --all-namespaces -o json | jq -r '.items[] | select(.subjects[]?.name=="my-sa") | .metadata.name + " (" + .metadata.namespace + ")"'
Step 4: Identify cluster-admin bindings
Find all subjects that have cluster-admin access, which should be minimized.
$ kubectl get clusterrolebindings -o json | jq -r '.items[] | select(.roleRef.name=="cluster-admin") | .metadata.name + ": " + (.subjects[]? | .kind + "/" + .name)'
Any subject with cluster-admin has full, unrestricted access to the cluster. Minimize these bindings.
Step 5: Test a specific permission
Check whether the current user can perform a specific action in a namespace.
$ kubectl auth can-i create deployments --namespace=production
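The five steps above are done by hand with kubectl and jq. The script below is an added example, not part of the original workflow, that applies the same checks offline to the JSON those commands emit: it flags overly broad rules in roles (wildcards, escalation verbs, secret reads), lists every subject bound to cluster-admin (step 4), and finds all bindings for a named subject (step 3). The embedded ClusterRole and binding objects are constructed for the demo; names such as ops-bot, ci-deployer and support-impersonator are made up, and the finding codes are this script's own convention, not kubectl's.

```python
"""Offline RBAC audit over kubectl JSON output (constructed example).

Input shapes match `kubectl get clusterroles -o json` and
`kubectl get clusterrolebindings,rolebindings -A -o json`: a List with `.items`.
"""
import json
import sys

# Verbs that let a subject grow its own rights or act as someone else.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
READ_VERBS = {"get", "list", "watch", "*"}


def audit_role(role):
    """Return (role_name, finding_code) tuples for one Role or ClusterRole.

    Codes (this script's own convention):
      WILDCARD_ALL   '*' verbs on '*' resources, i.e. cluster-admin equivalent
      WILDCARD_VERBS '*' verbs on named resources
      ESCALATION     escalate / bind / impersonate verbs
      SECRETS_READ   get/list/watch on secrets
    """
    name = role["metadata"]["name"]
    findings = []
    for rule in role.get("rules") or []:
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))  # absent for nonResourceURLs rules
        if "*" in verbs and "*" in resources:
            findings.append((name, "WILDCARD_ALL"))
            continue  # nothing more specific to say about this rule
        if "*" in verbs and resources:
            findings.append((name, "WILDCARD_VERBS"))
        if verbs & ESCALATION_VERBS:
            findings.append((name, "ESCALATION"))
        if "secrets" in resources and verbs & READ_VERBS:
            findings.append((name, "SECRETS_READ"))
    return findings


def audit_roles(role_list):
    """Run audit_role over every item of a kubectl role list."""
    return [f for role in role_list["items"] for f in audit_role(role)]


def cluster_admin_subjects(binding_list):
    """(binding, kind, namespace, name) for every subject bound to cluster-admin (step 4)."""
    out = []
    for b in binding_list["items"]:
        ref = b.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
            for s in b.get("subjects") or []:
                out.append((b["metadata"]["name"], s["kind"], s.get("namespace"), s["name"]))
    return out


def bindings_for_subject(binding_list, subject_name):
    """Names of bindings (Role or Cluster) whose subjects include subject_name (step 3)."""
    return sorted(
        b["metadata"]["name"]
        for b in binding_list["items"]
        if any(s.get("name") == subject_name for s in b.get("subjects") or [])
    )


# Constructed sample objects in kubectl's JSON shape (not from a real cluster).
SAMPLE_ROLES = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
               {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update"]}]},
    {"metadata": {"name": "support-impersonator"},
     "rules": [{"apiGroups": [""], "resources": ["users", "groups"], "verbs": ["impersonate"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
]}
SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "ops-bot-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "ops-bot"}]},
    {"metadata": {"name": "ci-deployer-binding", "namespace": "default"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default", "name": "my-sa"}]},
    {"metadata": {"name": "viewers", "namespace": "production"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "namespace": "default", "name": "my-sa"}]},
]}


def main(argv):
    """Usage: rbac_audit.py roles.json bindings.json (falls back to the samples)."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            roles = json.load(f)
        with open(argv[2]) as f:
            bindings = json.load(f)
    else:
        roles, bindings = SAMPLE_ROLES, SAMPLE_BINDINGS
    for name, code in audit_roles(roles):
        print(f"[ROLE]  {name}: {code}")
    for binding, kind, ns, name in cluster_admin_subjects(bindings):
        print(f"[ADMIN] {binding} -> {kind}/{ns or '-'}/{name}")
    print("[SUBJ]  my-sa is bound via:", ", ".join(bindings_for_subject(bindings, "my-sa")))


if __name__ == "__main__":
    main(sys.argv)
```

To run it against a real cluster, save `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings,rolebindings --all-namespaces -o json` to two files and pass them as the two arguments. Findings are a starting point for review, not a verdict: cluster-admin itself is expected to be WILDCARD_ALL, and the question for each other hit is whether the subject genuinely needs that breadth or whether a narrower Role would do.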