rbac-cluster-role

command module

v0.1.1 Latest Latest Go to latest Published: Feb 28, 2020 License: Apache-2.0 Imports: 5 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gadinaor/rbac-cluster-role

README ¶

rbac-minimize

Generate Role or ClusterRole resource while reducing the use of wildcards.

rbac-generator read from the Kubernetes discovery API the available API Groups and resources, and based on the command line options, generate an explicit Role/ClusterRole that avoid wildcards

Running

rbac-minimizer  gen --generated-type=Role --deny-resources=secrets.,ingresses.extensions --allowed-verbs=get,list --allowed-groups=,apps,networking.k8s.io

Would yield:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: custom-role
  namespace: mynamespace
rules:
- apiGroups:
  - ""
  resources:
  - resourcequotas
  - pods
  - bindings
  - replicationcontrollers
  - podtemplates
  - services
  - limitranges
  - serviceaccounts
  - configmaps
  - events
  - componentstatuses
  - namespaces
  - endpoints
  - nodes
  - persistentvolumes
  - persistentvolumeclaims
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
- apiGroups:
  - networking.k8s.io
  resources:
  - '*'
  verbs:
  - get
  - list

###Examples:

Generate a Role with read-only (get,list) excluding secrets (core group) and ingresses (extensions group)

rbac-minimizer gen --generated-type Role --deny-resources=secrets.,ingresses.extensions --allowed-verbs=get,list

Generate a Role with read-only (get,list) excluding secrets (core group) from core group, admissionregistration.k8s.io,storage.k8s.io,networking.k8s.io

rbac-minimizer gen --generated-type ClusterRole --deny-resources=secrets., --allowed-verbs=get,list  --allowed-groups=,admissionregistration.k8s.io,storage.k8s.io,networking.k8s.io

Command Line Reference

Usage:
  rbac-minimize generate [flags]

Aliases:
  generate, gen

Flags:
      --allowed-groups strings   Comma separated list of API groups we would like to allow '*' (default [*])
      --allowed-verbs strings    Comma separated list of verbs to include. To include all use '* (default [*])
  -c, --cluster-context string   Cluster.use 'kubectl config get-contexts' to list available contexts
      --deny-resources strings   Comma separated list of resource.group
  -t, --generated-type string    Role or ClusteRole (default "ClusterRole")
  -h, --help                     help for generate

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd
kube

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL