Small tool: find which clusterRoles define a given resource
by 伊布
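On a Kubernetes cluster with RBAC enabled, you often run into this problem:
An application reports an insufficient-permissions error at startup. You want to add a rolebinding for its service account (sa), but you don't know which clusterRole actually defines that permission.
So I wrote a small tool that does a reverse lookup from a resource to the clusterRoles that define it.
It is simple to use.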
kube-role-finder -resource services
Those clusterRole has resource services:
view edit admin system:node vizier-core cluster-admin system:coredns
pipeline-runner tf-job-operator system:kube-dns tf-job-dashboard system:node-proxier prometheus-operator
system:kube-scheduler system:kube-aggregator system:aggregate-to-edit
system:aggregate-to-view system:aggregate-to-admin system:kube-controller-manager
system:controller:expand-controller system:controller:service-controller system:controller:endpoint-controller
Specifying only services may not be precise enough; you can add apiGroup and verb as additional query parameters.
kube-role-finder -apiGroup apps -resource deployments
kube-role-finder -apiGroup apps -resource deployments -verb
Feel free to use it!
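The kind of rule matching a reverse lookup like this has to do, as an added Go example (not the source of kube-role-finder, whose implementation the page does not show): it scans each ClusterRole's rules in a constructed sample shaped like `kubectl get clusterroles -o json` and treats `*` as covering any value, which is why cluster-admin appears in every result. The names `findRoles` and `covers` and the sample roles deploy-editor and metrics-reader are assumptions made for the example.

```go
package main

import ("encoding/json"; "fmt")

// Constructed sample in the shape of `kubectl get clusterroles -o json`.
const sample = `{"items":[
{"metadata":{"name":"cluster-admin"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
{"metadata":{"name":"view"},"rules":[{"apiGroups":[""],"resources":["services"],"verbs":["get","list"]}]},
{"metadata":{"name":"deploy-editor"},"rules":[{"apiGroups":["apps"],"resources":["deployments"],"verbs":["get","update"]}]},
{"metadata":{"name":"metrics-reader"},"rules":[{"nonResourceURLs":["/metrics"],"verbs":["get"]}]}]}`

// covers reports whether list names want literally or through the "*" wildcard.
func covers(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// findRoles returns the ClusterRoles in which a single rule grants resource.
// A nil group or empty verb leaves that field unfiltered; "" is the core group.
func findRoles(data string, group *string, resource, verb string) ([]string, error) {
	var list struct { // encoding/json matches these field names case-insensitively
		Items []struct {
			Metadata struct{ Name string }
			Rules    []struct{ APIGroups, Resources, Verbs []string }
		}
	}
	if err := json.Unmarshal([]byte(data), &list); err != nil {
		return nil, err
	}
	var out []string
	for _, role := range list.Items {
		for _, r := range role.Rules {
			if covers(r.Resources, resource) && (group == nil || covers(r.APIGroups, *group)) &&
				(verb == "" || covers(r.Verbs, verb)) {
				out = append(out, role.Metadata.Name)
				break // one matching rule is enough for this role
			}
		}
	}
	return out, nil
}

func main() { fmt.Println(findRoles(sample, nil, "services", "")) }
```

Rule entries are compared literally, so a subresource such as pods/log has to be queried by that exact name. All three fields must match within the same rule, which keeps a role from being reported because one rule names the resource and a different rule names the verb.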