From e243c15adc228957972c1b7eb775e46bdf873552 Mon Sep 17 00:00:00 2001 From: Rob Scott Date: Fri, 28 Sep 2018 11:28:59 -0400 Subject: [PATCH] updating readme to include GKE integration --- README.md | 41 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d45e859..0d1cb05 100644 --- a/README.md +++ b/README.md @@ -13,6 +13,7 @@ brew install reactiveops/tap/rbac-lookup ## Usage +In the simplest use case, rbac-lookup will return any matching user, service account, or group along with the roles it has been given. ``` rbac-lookup rob @@ -21,6 +22,8 @@ rob@example.com cluster-wide ClusterRole/view rob@example.com nginx-ingress ClusterRole/edit ``` +The wide output option includes the kind of subject (user, service account, or group), along with the source role binding. + ``` rbac-lookup rob -owide 
@@ -29,17 +32,53 @@ User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBindi User/rob@example.com nginx-ingress ClusterRole/edit RoleBinding/rob-edit ``` +With a more generic query, we can see that a variety of users and service accounts can be returned, as long as they match the query. ``` rbac-lookup ro -owide SUBJECT SCOPE ROLE SOURCE User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view User/rob@example.com nginx-ingress ClusterRole/edit RoleBinding/rob-edit -User/ross@example.com cluster-wide ClusterRole/admin ClusterRoleBinding/ross-admin User/ron@example.com web ClusterRole/edit RoleBinding/ron-edit ServiceAccount/rops infra ClusterRole/admin RoleBinding/rops-admin ``` +Of course a query is an optional parameter for rbac-lookup. You could simply run `rbac-lookup` to get a full picture of authorization in your cluster, and then pipe that output to something like grep for your own more advanced filtering. +``` +rbac-lookup | grep rob + +User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view +User/rob@example.com nginx-ingress ClusterRole/edit RoleBinding/rob-edit +``` + +### GKE IAM Integration + +If you're connected to a GKE cluster, RBAC is only half the story here. Google Cloud IAM roles can grant cluster access. Cluster access is effectively determined by a union of IAM and RBAC roles. To see th relevant IAM roles along with RBAC roles, use the `--gke` flag. + +``` +rbac-lookup rob --gke + +SUBJECT SCOPE ROLE +rob@example.com cluster-wide ClusterRole/view +rob@example.com nginx-ingress ClusterRole/edit +rob@example.com project-wide IAM/gke-developer +rob@example.com project-wide IAM/viewer +``` + +Of course this GKE integration also supports wide output, in this case referencing the specific IAM roles that are assigned to a user. 
+ +``` +rbac-lookup rob --gke -owide + +SUBJECT SCOPE ROLE SOURCE +User/rob@example.com cluster-wide ClusterRole/view ClusterRoleBinding/rob-cluster-view +User/rob@example.com nginx-ingress ClusterRole/edit RoleBinding/rob-edit +User/rob@example.com project-wide IAM/gke-developer IAMRole/container.developer +User/rob@example.com project-wide IAM/gcp-viewer IAMRole/viewer +``` + +At this point this integration only supports standard IAM roles, and is not advanced enough to include any custom roles. For a full list of supported roles and how they are mapped, view `lookup/gke_roles.go`. + ### Kubernetes Configuration If a `KUBECONFIG` environment variable is specified, rbac-lookup will attempt to use the config at that path, otherwise it will default to `~/.kube/config`.
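Review bot: in the first hunk the added sentence `+In the simplest use case, rbac-lookup will return any matching user, service account, or group along with the roles it has been given.` runs straight into the opening ``` fence with no blank line, whereas the second added sentence (`+The wide output option includes the kind of subject ...`) is followed by a `+` blank line before its fence; add the blank line after the first sentence too, so the two additions are consistent and every Markdown renderer separates the paragraph from the code block.

Review bot: in the second hunk the two GKE examples disagree on the role name for the same subject: the plain `--gke` output lists `rob@example.com project-wide IAM/viewer`, while the `-owide` output lists `User/rob@example.com project-wide IAM/gcp-viewer IAMRole/viewer`; one of `IAM/viewer` / `IAM/gcp-viewer` should be corrected to whatever `lookup/gke_roles.go` actually emits, since readers will grep for the exact string. Three smaller points in the same hunk: the `rbac-lookup | grep rob` example shows wide-format rows (`User/` prefix and a SOURCE column) even though `-owide` is not passed, so either add `-owide` to the command or show the default columns as in the earlier example; `To see th relevant IAM roles` should read `the`; and the removal of `-User/ross@example.com cluster-wide ClusterRole/admin ClusterRoleBinding/ross-admin` is not explained by the commit message, and `ross` still matches the `ro` query, so either keep that row or say why it was dropped. Given that the section states cluster access is the union of IAM and RBAC roles and the closing paragraph says custom IAM roles are not included, it would help to say explicitly that a principal whose only access comes through a custom IAM role will not appear in `--gke` output, so an empty result is not read as no access.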