A CLI tool that generates a Kubernetes RBAC Role/ClusterRole from K8s resources (manifests), applying the principle of least privilege (PoLP) for tightly restricted access.
For use cases that require tightly restricted access, users should only have access to the resources they actually need to interact with.
kube-rbac-extractor was created because no other tool generates a Kubernetes RBAC Role/ClusterRole from K8s resources (manifests) without interacting with the K8s API server.
For example, you can use kube-rbac-extractor to limit a user's access to exactly the kinds used in a specific Helm chart.
Download a pre-compiled binary from the GitHub releases page, or use the Docker image:

```
ghcr.io/devopshivehq/kube-rbac-extractor:latest
```

```
Usage of kube-rbac-extractor:
  --access string
        Access type: read, write, admin (default "read")
  --cluster
        Generate ClusterRole instead of Role
  --extra-schema string
        Path to extra kinds RBAC schema JSON file for custom resources
  --name string
        Metadata name for the Role/ClusterRole (default "access")
  --namespace string
        Namespace for Role (ignored for ClusterRole)
  --resource-names
        Include resourceNames from manifest metadata.name in the rules
  --role-binding-subjects string
        Generate RoleBinding/ClusterRoleBinding using comma-separated list of subjects to bind the role to (e.g., User:alice,Group:devs,ServiceAccount:ns:sa)
```

Run:
```shell
helm template dev oci://registry-1.docker.io/bitnamicharts/postgresql | kube-rbac-extractor --access read --namespace dev --name developer-access
```

Output:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer-access
  namespace: dev
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - get
  - list
  - watch
```

Merger is open-source software licensed under the MIT license. For more details, check the LICENSE file.
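The procedure above (scan rendered manifests offline, map each kind to its apiGroup/resource, attach the verb set for the requested access level, optionally pin resourceNames, and emit a Role or ClusterRole) worked through in Python, as an added example that is not kube-rbac-extractor's own code. The SCHEMA subset, the write/admin verb sets, the 2-space-indentation assumption in the parser and the sample manifest are this example's assumptions; how it treats resourceNames together with list/watch is this example's design choice, not a description of the tool's behaviour.

```python
"""Offline manifest -> least-privilege RBAC rules (added example, not
kube-rbac-extractor's own code). The kind schema and the write/admin verb
sets below are assumptions; the page documents only the "read" output."""

# kind -> (apiGroup, resource, namespaced); an assumed subset of the tool's schema.
SCHEMA = {
    "Secret": ("", "secrets", True),
    "StatefulSet": ("apps", "statefulsets", True),
    "ClusterRole": ("rbac.authorization.k8s.io", "clusterroles", False),
}
ACCESS_VERBS = {
    "read": ["get", "list", "watch"],
    "write": ["get", "list", "watch", "create", "update", "patch", "delete"],
    "admin": ["*"],
}
# Verbs the RBAC authorizer can match against resourceNames. list, watch and
# create requests carry no object name, so a name-scoped rule never matches them.
NAME_SCOPED = {"get", "update", "patch", "delete", "*"}


def parse_objects(manifest):
    """Return [(kind, name), ...] from top-level kind: and metadata.name.
    A line scanner keeps this dependency-free. It assumes 2-space indentation
    (as helm template emits), so a pod template's nested metadata is ignored."""
    objs = []
    for doc in manifest.split("\n---"):
        kind, name, in_meta = None, None, False
        for line in doc.split("\n"):
            if line.startswith("kind:"):
                kind, in_meta = line[5:].strip(), False
            elif line.startswith("metadata:"):
                in_meta = True
            elif in_meta and line.startswith("  name:"):
                name = line[7:].strip().strip("\"'")
            elif line and line[0] not in " #":
                in_meta = False  # any other top-level key ends the metadata block
        if kind:
            objs.append((kind, name))
    return objs


def generate_rules(objs, access="read", include_names=False, cluster=False):
    """One rule per apiGroup/resource, in first-seen order. With include_names,
    verbs that cannot be name-scoped are dropped rather than left in a rule
    that would silently never match."""
    if access not in ACCESS_VERBS:
        raise ValueError(f"unknown access type {access!r}")
    rules = {}
    for kind, name in objs:
        if kind not in SCHEMA:
            raise ValueError(f"kind {kind!r} not in schema; an extra schema entry is needed")
        group, resource, namespaced = SCHEMA[kind]
        if not cluster and not namespaced:  # a Role cannot grant cluster-scoped kinds
            raise ValueError(f"kind {kind!r} is cluster-scoped; generate a ClusterRole")
        rule = rules.setdefault((group, resource), {
            "apiGroups": [group],
            "resources": [resource],
            "verbs": [v for v in ACCESS_VERBS[access] if not include_names or v in NAME_SCOPED],
        })
        if include_names and name and name not in rule.setdefault("resourceNames", []):
            rule["resourceNames"].append(name)
    return list(rules.values())


def render_role(name, namespace, cluster, rules):
    """Emit YAML in the shape of the tool's output shown on the page."""
    lines = ["apiVersion: rbac.authorization.k8s.io/v1",
             "kind: ClusterRole" if cluster else "kind: Role",
             "metadata:", f"  name: {name}"]
    if not cluster:
        lines.append(f"  namespace: {namespace}")
    lines.append("rules:")
    for rule in rules:
        marker = "-"
        for key in ("apiGroups", "resources", "resourceNames", "verbs"):
            if key in rule:
                lines.append(f"{marker} {key}:")
                lines += ["  - " + (v or '""') for v in rule[key]]  # "" is the core group
                marker = " "
    return "\n".join(lines) + "\n"


# Constructed sample manifest, not from a real chart.
SAMPLE_MANIFEST = """---
apiVersion: v1
kind: Secret
metadata:
  name: db-creds
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: db
spec:
  template:
    metadata:
      name: not-an-object
"""

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_MANIFEST)
    print(render_role("developer-access", "dev", False, generate_rules(objs, "read", include_names=True)))
```

Two checks in the example are worth carrying into any review of a generated role. First, Kubernetes RBAC cannot restrict list, watch or create by resourceNames, so a rule that carries resourceNames alongside list effectively denies list for that resource; the example drops those verbs when names are pinned so the role states only what it can actually grant. Second, a namespaced Role cannot grant a cluster-scoped kind, so the example refuses to emit such a rule instead of producing one that never matches; with --cluster (here `cluster=True`) the kind is accepted. Kinds missing from the schema, such as a chart's CRDs, are rejected explicitly, which is the situation the tool's --extra-schema flag addresses.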