kubectl-who-can

Show who has RBAC permissions to perform actions on different resources in Kubernetes

Tags: Multi-Cloud, Open Source, Self Hosted Only
Category: Container & Kubernetes Security
GitHub Stars: 851
Last Commit: 2 years ago
This page updated: a month ago
Pricing Details: Free and open source
Target Audience: Kubernetes administrators, DevOps engineers, security teams.

A core security challenge in Kubernetes environments is understanding and managing Role-Based Access Control (RBAC) permissions, which are spread across many roles and bindings and are therefore hard to reason about. kubectl-who-can addresses this by providing a straightforward way to identify which subjects (users, groups and service accounts) hold the RBAC permissions needed to perform a specific action on a given resource.

Technically, kubectl-who-can is a kubectl plugin that uses the existing Kubernetes API to query and display RBAC permissions. It can be installed via the krew plugin manager, so it integrates cleanly for anyone already using kubectl. The tool is written in Go, giving it fast execution and few runtime dependencies, although building from source can take a few minutes because of the build-time dependencies involved.

Operationally, kubectl-who-can takes the verb, the resource type, and optionally a resource name or a non-resource URL whose permissions should be checked. It supports flags for restricting the check to a namespace or running it across all namespaces, as well as for specifying sub-resources. For example, the command kubectl who-can get pods --all-namespaces lists every subject that is allowed to get pods in any namespace. This granularity makes it a practical aid for auditing and managing access rights.
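To make the resolution described above concrete, the following is an added example, not the plugin's own code: a simplified, offline model of the question "who can VERB RESOURCE" evaluated over constructed RBAC objects with hypothetical names. It follows Kubernetes RBAC matching semantics for verbs, resources, sub-resources, resourceNames and the namespace scope of RoleBindings versus ClusterRoleBindings, but ignores apiGroups and non-resource URLs.

```python
# Added example, not kubectl-who-can's own code: a simplified model of the check the
# plugin performs, over constructed RBAC objects. It follows RBAC matching semantics:
# "*" matches any verb/resource, a rule for "pods" does not cover "pods/log" (only
# "pods/log", "*/log" or "*" do), and resourceNames restricts a rule to named objects.

def rule_allows(rule, verb, resource, subresource="", name=""):
    """Does one PolicyRule grant `verb` on resource[/subresource] [name]?"""
    if "*" not in rule["verbs"] and verb not in rule["verbs"]:
        return False
    requested = f"{resource}/{subresource}" if subresource else resource
    resource_ok = any(r == "*" or r == requested or (subresource and r == f"*/{subresource}")
                      for r in rule["resources"])
    names = rule.get("resourceNames", [])
    return resource_ok and (not names or name in names)

def role_allows(rules, verb, resource, subresource="", name=""):
    return any(rule_allows(r, verb, resource, subresource, name) for r in rules)

def who_can(rbac, verb, resource, namespace=None, subresource="", name=""):
    """Return {(kind, subject, scope)}; namespace=None behaves like --all-namespaces.
    scope is "*" for a ClusterRoleBinding, else the RoleBinding's namespace."""
    found = set()
    for crb in rbac["clusterrolebindings"]:  # cluster-wide grants apply in every namespace
        if role_allows(rbac["clusterroles"][crb["roleRef"]], verb, resource, subresource, name):
            found.update((k, s, "*") for k, s in crb["subjects"])
    for rb in rbac["rolebindings"]:  # namespaced grants, possibly referencing a ClusterRole
        ns = rb["namespace"]
        if namespace is not None and ns != namespace:
            continue
        kind, ref = rb["roleRef"]
        rules = rbac["clusterroles"][ref] if kind == "ClusterRole" else rbac["roles"][ns][ref]
        if role_allows(rules, verb, resource, subresource, name):
            found.update((k, s, ns) for k, s in rb["subjects"])
    return found

# Constructed sample RBAC state; all names are hypothetical.
RBAC = {
    "clusterroles": {
        "cluster-admin": [{"verbs": ["*"], "resources": ["*"]}],
        "pod-reader": [{"verbs": ["get", "list"], "resources": ["pods"]}],
        "log-reader": [{"verbs": ["get"], "resources": ["pods/log"]}],
    },
    "roles": {"dev": {"deployer": [  # Role "deployer" lives in namespace "dev"
        {"verbs": ["get", "delete"], "resources": ["pods"], "resourceNames": ["web-0"]}]}},
    "clusterrolebindings": [{"roleRef": "cluster-admin", "subjects": [("Group", "system:masters")]},
                            {"roleRef": "pod-reader", "subjects": [("User", "alice")]}],
    "rolebindings": [
        {"namespace": "dev", "roleRef": ("ClusterRole", "log-reader"), "subjects": [("ServiceAccount", "dev:ci")]},
        {"namespace": "dev", "roleRef": ("Role", "deployer"), "subjects": [("User", "bob")]},
    ],
}
```

Calling who_can(RBAC, "get", "pods") corresponds to kubectl who-can get pods --all-namespaces over this sample state; note that bob's name-restricted Role only shows up once a name is supplied, and pod-reader does not grant pods/log.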

However, there are some operational considerations. The tool answers from the cluster's current RBAC objects, so misconfigurations or permission changes that have not yet taken effect are reflected in its results. It is also a point-in-time query: it does not offer historical analysis or logging of permission changes, which may be a limitation for some use cases. Despite these, kubectl-who-can remains a valuable tool for maintaining visibility and control over Kubernetes access permissions.
