rbac-cluster-role

v0.1.1
Published: Feb 28, 2020 License: Apache-2.0 Imports: 5 Imported by: 0

README

rbac-minimize

Generate Role or ClusterRole resource while reducing the use of wildcards.

rbac-generator reads the available API groups and resources from the Kubernetes discovery API and, based on the command-line options, generates an explicit Role/ClusterRole that avoids wildcards.

Running

```sh
rbac-minimizer gen --generated-type=Role --deny-resources=secrets.,ingresses.extensions --allowed-verbs=get,list --allowed-groups=,apps,networking.k8s.io
```

Would yield:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: custom-role
  namespace: mynamespace
rules:
- apiGroups:
  - ""
  resources:
  - resourcequotas
  - pods
  - bindings
  - replicationcontrollers
  - podtemplates
  - services
  - limitranges
  - serviceaccounts
  - configmaps
  - events
  - componentstatuses
  - namespaces
  - endpoints
  - nodes
  - persistentvolumes
  - persistentvolumeclaims
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
- apiGroups:
  - networking.k8s.io
  resources:
  - '*'
  verbs:
  - get
  - list
```
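
The output above keeps `'*'` for groups with no denied resource and enumerates resources only where a deny entry applies. The following added example (not the project's own code) reproduces that expansion as inferred from the sample output; `Rule`, `Minimize` and the constructed discovery map are hypothetical names, and it assumes an explicit `--allowed-groups` list.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Rule mirrors the apiGroups/resources/verbs fields of an RBAC rule.
type Rule struct{ APIGroups, Resources, Verbs []string }

// Minimize emits one rule per allowed group: '*' when nothing in the group
// is denied, otherwise the discovered resources minus the denied ones.
// deny entries use the README's resource.group form ("secrets." = core group).
func Minimize(discovery map[string][]string, allowed, deny, verbs []string) []Rule {
	denied := map[string]map[string]bool{}
	for _, d := range deny {
		res, group, _ := strings.Cut(d, ".")
		if res == "" {
			continue // empty entry left by a trailing comma
		}
		if denied[group] == nil {
			denied[group] = map[string]bool{}
		}
		denied[group][res] = true
	}
	var rules []Rule
	for _, g := range allowed {
		resources := []string{"*"}
		if len(denied[g]) > 0 {
			resources = nil
			for _, r := range discovery[g] {
				if !denied[g][r] {
					resources = append(resources, r)
				}
			}
			sort.Strings(resources) // stable output for review and diffing
		}
		rules = append(rules, Rule{[]string{g}, resources, verbs})
	}
	return rules
}

func main() {
	// Constructed discovery data; the real tool reads this from the cluster.
	discovery := map[string][]string{"": {"secrets", "pods", "configmaps"}, "apps": {"deployments"}}
	for _, r := range Minimize(discovery, []string{"", "apps"}, []string{"secrets."}, []string{"get", "list"}) {
		fmt.Printf("%q %v %v\n", r.APIGroups, r.Resources, r.Verbs)
	}
}
```

A deny entry for a group that is not in the allowed list (such as `ingresses.extensions` in the command above) produces no rule at all, which matches the sample output.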

### Examples

  • Generate a Role with read-only (get,list) access, excluding secrets (core group) and ingresses (extensions group):

```sh
rbac-minimizer gen --generated-type Role --deny-resources=secrets.,ingresses.extensions --allowed-verbs=get,list
```

  • Generate a ClusterRole with read-only (get,list) access to the core group, admissionregistration.k8s.io, storage.k8s.io and networking.k8s.io, excluding secrets (core group):

```sh
rbac-minimizer gen --generated-type ClusterRole --deny-resources=secrets., --allowed-verbs=get,list --allowed-groups=,admissionregistration.k8s.io,storage.k8s.io,networking.k8s.io
```

Command Line Reference

```
Usage:
  rbac-minimize generate [flags]

Aliases:
  generate, gen

Flags:
      --allowed-groups strings   Comma separated list of API groups we would like to allow '*' (default [*])
      --allowed-verbs strings    Comma separated list of verbs to include. To include all use '* (default [*])
  -c, --cluster-context string   Cluster.use 'kubectl config get-contexts' to list available contexts
      --deny-resources strings   Comma separated list of resource.group
  -t, --generated-type string    Role or ClusteRole (default "ClusterRole")
  -h, --help                     help for generate
```

