
GitHub - mhausenblas/rback: RBAC in Kubernetes visualizer

source link: https://github.com/mhausenblas/rback


rback

A simple "RBAC in Kubernetes" visualizer. No matter how complex the setup, rback queries all RBAC-related information of a Kubernetes cluster in constant time and generates a graph representation of service accounts, (cluster) roles, and the respective access rules in dot format.

For example, here is an Amazon EKS cluster as seen by rback:

[Image: EKS cluster]

Another example would be a local K3S cluster:

[Image: K3S cluster]

Install

rback requires access to a Kubernetes cluster, either in the cloud (like Amazon EKS) or locally (k3s, kind, Minikube, Docker for Desktop), as well as kubectl installed and configured locally.

To install it for macOS, do:

$ curl -sL https://github.com/mhausenblas/rback/releases/download/v0.1.0/macos_rback -o rback
$ chmod +x rback && sudo mv rback /usr/local/bin

To install it for Linux, do:

$ curl -sL https://github.com/mhausenblas/rback/releases/download/v0.1.0/linux_rback -o rback
$ chmod +x rback && sudo mv rback /usr/local/bin

You can also build it from source with Go 1.12, like so:

$ git clone https://github.com/mhausenblas/rback.git && cd rback
$ go build

Usage

Run rback locally against the target cluster and store its output in a .dot file, as shown in the following:

$ rback > result.dot

Now that you have result.dot, you can render the graph either online or locally.

Render online

There are plenty of online Graphviz (dot) visualization tools available, for example magjac.com/graphviz-visual-editor/ for interaction or the simpler dreampuf.github.io/GraphvizOnline. Head over to one of them and paste the output of rback into it.

Render locally

Install Graphviz; for example, on macOS you can run brew install graphviz. Then you can do the following (on macOS):

$ rback | dot -Tpng > /tmp/rback.png && open /tmp/rback.png

Background

rback works by issuing the following five queries, shelling out to kubectl:

kubectl get sa --all-namespaces --output json
kubectl get roles --all-namespaces --output json
kubectl get rolebindings --all-namespaces --output json
kubectl get clusterroles --output json
kubectl get clusterrolebindings --output json

Then, based on this information, the graphs are created using the github.com/emicklei/dot package.
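
The second half of that pipeline, as an added example (not rback's own code): it reads the JSON shape returned by the roles and rolebindings queries and writes dot output by hand with the standard library instead of using the github.com/emicklei/dot package. The item type, ToDot, the sample JSON and the thicker edge for rules containing "*" are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// item holds only the fields this example reads from a kubectl JSON list.
type item struct {
	Metadata struct{ Name, Namespace string }
	Rules    []struct{ Verbs, Resources []string }    // set on roles
	RoleRef  struct{ Kind, Name string }              // set on rolebindings
	Subjects []struct{ Kind, Name, Namespace string } // set on rolebindings
}

// Constructed sample input, not taken from a real cluster.
const sampleRoles = `{"items":[{"metadata":{"name":"reader","namespace":"dev"},"rules":[{"verbs":["get","list"],"resources":["pods"]},{"verbs":["*"],"resources":["secrets"]}]}]}`
const sampleBindings = `{"items":[{"metadata":{"name":"rb","namespace":"dev"},"roleRef":{"kind":"Role","name":"reader"},"subjects":[{"kind":"ServiceAccount","name":"app","namespace":"dev"},{"kind":"User","name":"bob"}]}]}`

// ToDot draws service account -> Role -> rule edges from roles and rolebindings
// JSON. Users, groups and ClusterRole references are skipped in this example.
func ToDot(docs ...string) (string, error) {
	out := "digraph rbac {\n"
	for _, doc := range docs {
		var list struct{ Items []item }
		if err := json.Unmarshal([]byte(doc), &list); err != nil {
			return "", err
		}
		for _, it := range list.Items {
			role := "role:" + it.Metadata.Namespace + "/"
			for _, s := range it.Subjects {
				if s.Kind == "ServiceAccount" && it.RoleRef.Kind == "Role" {
					out += fmt.Sprintf("  %q -> %q;\n", "sa:"+s.Namespace+"/"+s.Name, role+it.RoleRef.Name)
				}
			}
			for _, r := range it.Rules {
				// Each "*" in the rule widens the edge so wildcard grants stand out.
				label := strings.Join(r.Verbs, ",") + " on " + strings.Join(r.Resources, ",")
				out += fmt.Sprintf("  %q -> %q [penwidth=%d];\n", role+it.Metadata.Name, label, 1+2*strings.Count(label, "*"))
			}
		}
	}
	return out + "}\n", nil
}

func main() {
	dot, _ := ToDot(sampleRoles, sampleBindings)
	fmt.Print(dot)
}
```

The printed graph can be piped into dot -Tpng in the same way as rback's own output.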

