github.com/aquasecurity/kubectl-who-can
Shows which subjects have RBAC permissions to VERB [TYPE | TYPE/NAME | NONRESOURCEURL] in Kubernetes.
There are several ways to install kubectl-who-can. The recommended installation is via the kubectl plugin manager
called krew.
I assume that you've already installed krew. Then run the following command:
kubectl krew install who-can
The plugin will be available as kubectl who-can.
Download a release distribution archive for your operating system, extract it, and add the kubectl-who-can
executable to your $PATH. For example, to manually install kubectl-who-can on macOS run the following command:
VERSION=`git describe --abbrev=0`
mkdir -p /tmp/who-can/$VERSION && \
curl -L https://github.com/aquasecurity/kubectl-who-can/releases/download/$VERSION/kubectl-who-can_darwin_x86_64.tar.gz \
| tar xz -C /tmp/who-can/$VERSION && \
sudo mv -i /tmp/who-can/$VERSION/kubectl-who-can /usr/local/bin
This is a standard Go program. If you already know how to build and install Go code, you probably won't need these instructions.
Note that while the code is small, it has some rather big dependencies, and fetching + building these dependencies can take a few minutes.
Option 1 (if you have a Go compiler and want to tweak the code):
# Clone this repository (or your fork)
git clone https://github.com/aquasecurity/kubectl-who-can
cd kubectl-who-can
make
The kubectl-who-can binary will be in the current directory.
Option 2 (if you have a Go compiler and just want the binary):
go get -v github.com/aquasecurity/kubectl-who-can/cmd/kubectl-who-can
The kubectl-who-can binary will be in $GOPATH/bin.
Option 3 (if you don't have a Go compiler, but have Docker installed):
docker run --rm -v /usr/local/bin:/go/bin golang go get -v github.com/aquasecurity/kubectl-who-can/cmd/kubectl-who-can
The kubectl-who-can binary will be in /usr/local/bin.
$ kubectl who-can VERB (TYPE | TYPE/NAME | NONRESOURCEURL) [flags]
| Name | Shorthand | Default | Usage |
|---|---|---|---|
| namespace | n | If present, the namespace scope for this CLI request | |
| all-namespaces | A | false | If true, check for users that can do the specified action in any of the available namespaces |
| subresource | Specify a sub-resource such as pod/log or deployment/scale |
For additional details on flags and usage, run kubectl who-can --help.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
As vulnerability data bottlenecks grow, the federal government is formally investigating NIST’s handling of the National Vulnerability Database.
Research
Security News
Socket’s Threat Research Team has uncovered 60 npm packages using post-install scripts to silently exfiltrate hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint.
Security News
TypeScript Native Previews offers a 10x faster Go-based compiler, now available on npm for public testing with early editor and language support.