On a Kubernetes cluster with RBAC enabled, you often run into this problem:

An application fails at startup with a permission-denied error. You want to add a RoleBinding for its ServiceAccount, but you have no idea which ClusterRole actually defines that permission.

So I wrote a small tool that, given a resource, looks up in reverse which ClusterRoles define rules for that resource:

kube-role-finder

Using it is simple.

kube-role-finder -resource services
Those clusterRole has resource services:
view      edit      admin               system:node         vizier-core         cluster-admin       system:coredns
pipeline-runner     tf-job-operator     system:kube-dns     tf-job-dashboard    system:node-proxier prometheus-operator
system:kube-scheduler                   system:kube-aggregator                  system:aggregate-to-edit
system:aggregate-to-view                system:aggregate-to-admin               system:kube-controller-manager
system:controller:expand-controller     system:controller:service-controller    system:controller:endpoint-controller

Specifying only the resource (services) may not be precise enough, so apiGroup and verb can be added as extra query parameters.

kube-role-finder -apiGroup apps -resource deployments
kube-role-finder -apiGroup apps -resource deployments -verb 
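As an added illustration (my own example code, not kube-role-finder's source), here is the same reverse lookup implemented in Python over a handful of constructed ClusterRole manifests; the role names and rules are made up, and "mesh-reader" is a hypothetical role that exists only to show why a bare resource name can be ambiguous and how apiGroup and verb narrow the result.

```python
"""Reverse lookup of ClusterRoles by the (apiGroup, resource, verb) they grant.

Matching follows RBAC PolicyRule semantics: '*' in apiGroups, resources or verbs
matches anything, and the core API group is spelled as the empty string "".
Subresource wildcards such as '*/status' are not handled (simplification).
"""
from typing import Iterable, Optional

# Constructed sample ClusterRoles (a subset of the fields a real cluster returns).
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["services", "pods"], "verbs": ["get", "list", "watch"]},
               {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "edit"},
     "rules": [{"apiGroups": ["", "apps"], "resources": ["services", "deployments"],
                "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "system:controller:endpoint-controller"},
     "rules": [{"apiGroups": [""], "resources": ["services", "endpoints"], "verbs": ["get", "list", "watch"]}]},
    # Hypothetical role on a "services" resource that lives in a non-core API group.
    {"metadata": {"name": "mesh-reader"},
     "rules": [{"apiGroups": ["serving.knative.dev"], "resources": ["services"], "verbs": ["get"]}]},
]


def _matches(rule: dict, api_group: Optional[str], resource: str, verb: Optional[str]) -> bool:
    """True if one PolicyRule grants the resource, plus the apiGroup and verb when given."""
    groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
    if api_group is not None and api_group not in groups and "*" not in groups:
        return False
    if resource not in resources and "*" not in resources:
        return False
    if verb is not None and verb not in verbs and "*" not in verbs:
        return False
    return True


def find_cluster_roles(roles: Iterable[dict], resource: str,
                       api_group: Optional[str] = None, verb: Optional[str] = None) -> list:
    """Names of ClusterRoles having at least one rule that matches the query, in input order."""
    return [r["metadata"]["name"] for r in roles
            if any(_matches(rule, api_group, resource, verb) for rule in r.get("rules", []))]


if __name__ == "__main__":
    print(find_cluster_roles(SAMPLE_CLUSTER_ROLES, "services"))                     # 5 roles
    print(find_cluster_roles(SAMPLE_CLUSTER_ROLES, "services", api_group=""))       # core group only
    print(find_cluster_roles(SAMPLE_CLUSTER_ROLES, "deployments", "apps", "delete"))  # edit, cluster-admin
```

Against a real cluster you would feed the rules from `kubectl get clusterroles -o json` into find_cluster_roles instead of the constructed list.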

Enjoy!