A CLI tool that generates Kubernetes RBAC Roles/ClusterRoles from Kubernetes resource manifests, applying the principle of least privilege (PoLP).
When tight access control is required, users should be able to reach only the resources they actually need to interact with, and nothing else.
kube-rbac-extractor
was created because no other tool generated Kubernetes RBAC Roles/ClusterRoles from resource manifests without interacting with the Kubernetes API server. It works from the manifests alone, so the Role can be produced offline, before anything is deployed.
For example, you can use kube-rbac-extractor
to limit a user's access to exactly the kinds used in a specific Helm chart.
Download a pre-compiled binary from the GitHub releases page, or use the Docker image:
ghcr.io/devopshivehq/kube-rbac-extractor:latest
Usage of kube-rbac-extractor:
--access string
Access type: read, write, admin (default "read")
--cluster
Generate ClusterRole instead of Role
--extra-schema string
Path to extra kinds RBAC schema JSON file for custom resources
--name string
Metadata name for the Role/ClusterRole (default "access")
--namespace string
Namespace for Role (ignored for ClusterRole)
--resource-names
Include resourceNames from manifest metadata.name in the rules
--role-binding-subjects string
Generate RoleBinding/ClusterRoleBinding using comma-separated list of subjects to bind the role to
(e.g., User:alice,Group:devs,ServiceAccount:ns:sa)
Run:
helm template dev oci://registry-1.docker.io/bitnamicharts/postgresql |
kube-rbac-extractor --access read --namespace dev --name developer-access
Output:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: developer-access
namespace: dev
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- list
- watch
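The pipeline above shows what the tool emits, not how the rules are derived. The following script is an added example, not code from the kube-rbac-extractor project: it reproduces the idea behind the tool on a constructed set of already-parsed manifests (a real run would read the YAML stream from `helm template`). The kind-to-resource table, the verb sets for the write and admin levels, and the `extra_schema` parameter (standing in for --extra-schema) are assumptions made for the example; only the read verb set and the YAML layout come from the page.

```python
"""Offline derivation of a least-privilege Role from Kubernetes manifests.

Added example, not kube-rbac-extractor's own code. Every manifest's
apiVersion/kind is mapped to an RBAC (apiGroup, resource) pair, the pair
gets the verbs for the requested access level, and duplicate pairs
collapse into one rule. No API server is contacted.
"""

# Verb sets per access level. "read" matches the page's output; the
# "write" and "admin" sets are assumptions made for this example.
ACCESS_VERBS = {
    "read": ["get", "list", "watch"],
    "write": ["get", "list", "watch", "create", "update", "patch"],
    "admin": ["get", "list", "watch", "create", "update", "patch",
              "delete", "deletecollection"],
}

# Kind -> plural resource name (RBAC rules use the plural, not the kind).
# Assumed table; extra_schema plays the role of --extra-schema for CRDs.
BUILTIN_SCHEMA = {
    "NetworkPolicy": "networkpolicies", "PodDisruptionBudget": "poddisruptionbudgets",
    "ServiceAccount": "serviceaccounts", "Secret": "secrets", "Service": "services",
    "StatefulSet": "statefulsets", "ConfigMap": "configmaps", "Deployment": "deployments",
}

# Constructed sample manifests, already parsed. Two Secrets show merging.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "dev-postgresql"}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "dev-postgresql"}},
    {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "dev-postgresql-extra"}},
    {"apiVersion": "apps/v1", "kind": "StatefulSet", "metadata": {"name": "dev-postgresql"}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
     "metadata": {"name": "dev-postgresql"}},
]


def api_group(api_version):
    """'apps/v1' -> 'apps'; a bare 'v1' is the core group, spelled ''."""
    return api_version.split("/", 1)[0] if "/" in api_version else ""


def extract_rules(manifests, access="read", resource_names=False, extra_schema=None):
    """Build RBAC rules, one per (apiGroup, resource), in first-seen order."""
    schema = dict(BUILTIN_SCHEMA, **(extra_schema or {}))
    verbs = ACCESS_VERBS[access]
    seen = {}  # (group, resource) -> list of metadata.name values
    for m in manifests:
        kind = m["kind"]
        if kind not in schema:
            raise KeyError(f"no RBAC resource known for kind {kind}; pass extra_schema")
        names = seen.setdefault((api_group(m["apiVersion"]), schema[kind]), [])
        name = m["metadata"]["name"]
        if name not in names:
            names.append(name)
    rules = []
    for (group, resource), names in seen.items():
        rule = {"apiGroups": [group], "resources": [resource]}
        if resource_names:  # analogue of --resource-names
            rule["resourceNames"] = sorted(names)
        rule["verbs"] = list(verbs)
        rules.append(rule)
    return rules


def render_role(rules, name="access", namespace=None, cluster=False):
    """Emit the Role/ClusterRole as YAML in the layout the page shows."""
    lines = ["apiVersion: rbac.authorization.k8s.io/v1",
             "kind: " + ("ClusterRole" if cluster else "Role"),
             "metadata:", f"  name: {name}"]
    if namespace and not cluster:  # --namespace is ignored for ClusterRole
        lines.append(f"  namespace: {namespace}")
    lines.append("rules:")
    for rule in rules:
        prefix = "- "
        for field in ("apiGroups", "resources", "resourceNames", "verbs"):
            if field not in rule:
                continue
            lines.append(prefix + field + ":")
            prefix = "  "
            for value in rule[field]:
                lines.append("  - " + ('""' if value == "" else value))
    return "\n".join(lines) + "\n"


def parse_subjects(spec):
    """Parse the --role-binding-subjects format: User:alice,Group:devs,ServiceAccount:ns:sa."""
    subjects = []
    for item in spec.split(","):
        parts = item.split(":")
        if parts[0] == "ServiceAccount" and len(parts) == 3:
            subjects.append({"kind": "ServiceAccount", "namespace": parts[1], "name": parts[2]})
        elif parts[0] in ("User", "Group") and len(parts) == 2:
            subjects.append({"kind": parts[0], "name": parts[1],
                             "apiGroup": "rbac.authorization.k8s.io"})
        else:
            raise ValueError(f"unrecognised subject {item!r}")
    return subjects
```

Calling `render_role(extract_rules(SAMPLE_MANIFESTS, "read"), name="developer-access", namespace="dev")` produces a Role in the same shape as the output above. Two things worth checking in any generated Role before applying it: the read role above grants get/list/watch on secrets in the dev namespace simply because the chart renders Secret manifests, which exposes every secret in that namespace, so pin the rule with --resource-names when that is not intended; and Kubernetes RBAC only enforces resourceNames on list and watch when the client sends a matching metadata.name field selector, so a name-restricted read rule is narrower for get than for listing.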
kube-rbac-extractor is open-source software licensed under the MIT license. For more details, check the LICENSE file.