
Linux command

rbac-tool command

After copying, replace file names, directories, or parameters as needed.

Common examples

Show who can perform an action on a resource

rbac-tool who-can [get] [pods]

Visualize RBAC as HTML

rbac-tool viz --outformat html > [rbac.html]

Look up roles assigned to a specific subject

rbac-tool lookup -e [user@example.com]

List policy rules for a subject

rbac-tool policy-rules -e [system:serviceaccount:default:.*]

Analyze RBAC for risky configurations

rbac-tool analysis

Generate a ClusterRole from audit events

rbac-tool auditgen -f [audit.log]

Show current user's permissions

rbac-tool whoami

Description

rbac-tool analyzes and visualizes Kubernetes RBAC (Role-Based Access Control) configurations. It helps administrators understand who can do what, identify over-privileged subjects, generate least-privilege policies, and visualize the role/subject graph. The `viz` command produces a Graphviz DOT graph or an interactive HTML page. `policy-rules` and `lookup` accept regular expressions, making it easy to query large clusters.
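To make concrete what a `who-can` query has to resolve, the following is an added Python example (not rbac-tool's own code) that answers "who can perform verb X on resource Y" over a constructed set of Role, ClusterRole, RoleBinding and ClusterRoleBinding objects. The objects, subject names and the simplified rule fields are assumptions made for the example; it also shows two cases worth knowing about, the wildcard `*` rule and a RoleBinding whose roleRef points at a role that does not exist.

```python
# Constructed sample RBAC objects (made up, simplified API fields); not rbac-tool code.
ROLES = [
    {"kind": "ClusterRole", "name": "cluster-admin",
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "name": "view", "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "namespace": "prod", "name": "pod-reader", "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
    {"kind": "RoleBinding", "namespace": "prod", "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "prod", "name": "monitor"}]},
    {"kind": "RoleBinding", "namespace": "prod", "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": {"kind": "Role", "name": "missing"},
     "subjects": [{"kind": "User", "name": "bob@example.com"}]},  # dangling roleRef
]

def rule_allows(rule, verb, resource, api_group):
    # "*" in any field is a wildcard match; such rules are what an RBAC analysis flags as risky.
    hit = lambda allowed, value: "*" in allowed or value in allowed
    return hit(rule["verbs"], verb) and hit(rule["resources"], resource) and hit(rule["apiGroups"], api_group)

def find_role(kind, name, namespace):
    for r in ROLES:
        if r["kind"] == kind and r["name"] == name and (
                kind == "ClusterRole" or r.get("namespace") == namespace):
            return r
    return None  # dangling roleRef: the binding grants nothing

def subject_id(s):
    # Service accounts use the system:serviceaccount:<ns>:<name> form, as in the policy-rules example.
    if s["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{s['namespace']}:{s['name']}"
    return f"{s['kind']}:{s['name']}"

def who_can(verb, resource, namespace=None, api_group=""):
    """Sorted subjects allowed to do `verb` on `resource`. namespace=None asks about cluster-wide
    access (only ClusterRoleBindings count); with a namespace, its RoleBindings are added on top."""
    allowed = set()
    for b in BINDINGS:
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        role = find_role(b["roleRef"]["kind"], b["roleRef"]["name"], b.get("namespace"))
        if role and any(rule_allows(r, verb, resource, api_group) for r in role["rules"]):
            allowed.update(subject_id(s) for s in b["subjects"])
    return sorted(allowed)
```

Asking `who_can("get", "pods", "prod")` returns the cluster-admin user, the prod monitor service account and the developers group, while the dev namespace query returns only the cluster-admin user because bob's binding points at a role that does not exist.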

Parameters

--outformat _FORMAT_
Output format. For viz: `dot` or `html`. For data commands: `json`, `yaml`, `table`.
-e _REGEX_
Subject filter as a regular expression (used with lookup, policy-rules).
--config _FILE_
Custom analysis ruleset file (used with analysis).
--cluster-context _NAME_
kubeconfig context to use.
--exclude-namespaces _LIST_
Comma-separated namespaces to exclude from visualization.
--generated-type _TYPE_
Role or ClusterRole (used with generate).
--allowed-verbs _LIST_
Verbs to include in generated role.
--allowed-groups _LIST_
API groups to include in generated role.
--deny-resources _LIST_
Resources to exclude from generated role.
--for-groups _LIST_
API groups to include with the show command.
-f _PATH_|_URL_
Source file, directory, or HTTP URL of audit events (used with auditgen).

FAQ

What is the rbac-tool command used for?

rbac-tool analyzes and visualizes Kubernetes RBAC (Role-Based Access Control) configurations. It helps administrators understand who can do what, identify over-privileged subjects, generate least-privilege policies, and visualize the role/subject graph. The `viz` command produces a Graphviz DOT graph or an interactive HTML page. `policy-rules` and `lookup` accept regular expressions, making it easy to query large clusters.

How do I run a basic rbac-tool example?

Run `rbac-tool who-can [get] [pods]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.

What does --outformat _FORMAT_ do in rbac-tool?

Output format. For viz: `dot` or `html`. For data commands: `json`, `yaml`, `table`.