Compiled list of ClusterRoles for better/safer RBAC

This page summarizes the projects mentioned and recommended in the original post on /r/kubernetes

  • rbac-tool

    Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query

  • I've been tasked with defining and documenting some ClusterRoles with clear permissions that should (mostly) be enough for any kind of cluster. The idea is for admins (who don't necessarily do the devops behind it) to be able to understand what each CR does, to assign these CRs to users on the fly, to update a user's access as their needs change, to view a list of policy rules, who can do what, etc. For this maintenance and tracking part we use rbac-manager and rbac-tool, which are excellent tools imo.

  • lens

    Lens - The way the world runs Kubernetes

  • ClusterRoles posted in the thread (one YAML document per role):

    # Built-in bootstrap role: every verb on every resource and every non-resource URL.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: cluster-admin
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs:
      - '*'
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: restricted-user-access
    rules:
    # "get" on resources: ["*"] in the core group also covers secrets and
    # subresources such as pods/exec and pods/portforward.
    - apiGroups: ["", "extensions", "apps"]   ## "" represents the core group
      resources: ["*"]
      verbs: ["get"]
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "delete"]
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: secret-reader
    rules:
    - apiGroups: [""]
      resources:
      - secrets
      verbs:
      - get
      - watch
      - list
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: read-services-external-dns-ingress
    rules:
    - apiGroups: [""]
      resources: ["services"]
      verbs: ["get", "watch", "list"]
    # Ingress lives in networking.k8s.io; the extensions API group was removed in Kubernetes 1.22.
    - apiGroups: ["extensions"]
      resources: ["ingresses"]
      verbs: ["get", "watch", "list"]
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: portforward-access
    rules:
    - apiGroups: [""]
      resources: ["pods/portforward"]
      verbs: ["*"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: super-dev
    rules:
    # apiGroups: "*" matches these resource names in every API group;
    # verbs: "*" on secrets includes create, update and delete.
    - apiGroups:
      - "*"
      resources:
      - "configmaps"
      - "endpoints"
      - "persistentvolumeclaims"
      - "pods"
      - "pods/log"
      - "pods/portforward"
      - "podtemplates"
      - "replicationcontrollers"
      - "resourcequotas"
      - "secrets"
      - "services"
      - "events"
      - "daemonsets"
      - "deployments"
      - "replicasets"
      - "ingresses"
      - "networkpolicies"
      - "poddisruptionbudgets"
      verbs:
      - "*"
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: read-user-access
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["*"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["batch"]
      resources:
      - jobs
      - cronjobs
      verbs: ["*"]
    ---
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: full-user-access
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["*"]
      verbs: ["*"]
    - apiGroups: ["batch"]
      resources:
      - jobs
      - cronjobs
      verbs: ["*"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: non-resource-read-access
    rules:
    - nonResourceURLs:
      - '*'
      verbs: ["get", "watch", "list"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: non-resource-all-access
    rules:
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: non-namespaced-cluster-resources-read
    rules:
    #Copied from https://github.com/lensapp/lens/pull/644/files#diff-e8fd9c95df786da51f13c3a7442a1d88b3ac4294b786bc268ac92a4072bf50e7R5-R198
    - nonResourceURLs:
      - /metrics
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - bindings
      - componentstatuses
      - configmaps
      - endpoints
      - events
      - limitranges
      - namespaces
      - namespaces/finalize
      - namespaces/status
      - nodes
      - nodes/proxy
      - nodes/status
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - persistentvolumes
      - persistentvolumes/status
      - pods
      - pods/attach
      - pods/binding
      - pods/eviction
      - pods/exec
      - pods/log
      - pods/proxy
      - pods/status
      - podtemplates
      - replicationcontrollers
      - replicationcontrollers/scale
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
      - serviceaccounts
      - services
      - services/proxy
      - services/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apps
      resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
      verbs:
      - list
      - get
      - watch
    - apiGroups:
      - batch
      resources:
      - jobs
      - jobs/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - autoscaling
      resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - storage.k8s.io
      resources:
      - csidrivers
      - csinodes
      - storageclasses
      - volumeattachments
      - volumeattachments/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - networking.k8s.io
      resources:
      - networkpolicies
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - scheduling.k8s.io
      resources:
      - priorityclasses
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - node.k8s.io
      resources:
      - runtimeclasses
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - extensions
      resources:
      - ingresses
      - ingresses/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - events.k8s.io
      resources:
      - events
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      - customresourcedefinitions/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apiregistration.k8s.io
      resources:
      - apiservices
      - apiservices/status
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - discovery.k8s.io
      resources:
      - endpointslices
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - metrics.k8s.io
      resources:
      - pods
      - nodes
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - policy
      resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
      - podsecuritypolicies   # PodSecurityPolicy was removed in Kubernetes 1.25
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - rbac.authorization.k8s.io
      resources:
      - clusterrolebindings
      - clusterroles
      - rolebindings
      - roles
      verbs:
      - get
      - list
      - watch
    # END
    - apiGroups:
      - "*"
      resources:
      - "componentstatuses"
      - "namespaces"
      - "nodes"
      - "persistentvolumes"
      - "mutatingwebhookconfigurations"
      - "validatingwebhookconfigurations"
      - "customresourcedefinitions"
      - "apiservices"
      - "tokenreviews"
      - "selfsubjectaccessreviews"
      - "selfsubjectrulesreviews"
      - "subjectaccessreviews"
      - "certificatesigningrequests"
      - "runtimeclasses"
      - "podsecuritypolicies"
      - "clusterrolebindings"
      - "clusterroles"
      - "priorityclasses"
      - "csidrivers"
      - "csinodes"
      - "storageclasses"
      - "volumeattachments"   # was "volumeattachment" (singular) in the post, which matches no resource
      verbs: ["get", "list", "watch"]   ## change this to * if you want admin rights on cluster resources
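The roles above are a convenient test corpus for the "who can do what" review the thread is asking for. As an added example, not code from the thread, from rbac-tool or from rbac-manager, the script below reads the JSON that `kubectl get clusterroles -o json` prints and flags the grants a reviewer looks at first: wildcard verbs or resources, readable Secrets, the exec/attach/port-forward/proxy subresources, and the escalate/bind/impersonate verbs. The severity labels are this editor's own heuristic, and the embedded SAMPLE is a constructed subset of the roles posted above, not live cluster output.

```python
"""Flag high-risk grants in ClusterRoles.

Input: the JSON printed by `kubectl get clusterroles -o json` (a List of
ClusterRole objects). SAMPLE is constructed for this example from roles
posted in the thread; it is not output from a real cluster.
Usage: python3 rbac_audit.py [roles.json]
"""
import json
import sys

READ_VERBS = {"get", "list", "watch"}
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Subresources that give a shell or a network path into a pod or node. The
# apiserver serves them on GET (websocket upgrade) as well as POST, so a
# rule granting only "get" is enough to use them, not just "create".
CONNECT_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward",
                        "pods/proxy", "nodes/proxy", "services/proxy"}
SEVERITY = {"CRITICAL": 3, "HIGH": 2}   # editor's heuristic, not a standard


def _any(verbs, wanted):
    """True if the rule grants a wildcard verb or any verb in `wanted`."""
    return "*" in verbs or bool(set(verbs) & wanted)


def _core(groups):
    """Secrets and pods live in the core group, spelled "" (or matched by "*")."""
    return "" in groups or "*" in groups


def audit_rule(rule):
    """Return (severity, reason) findings for one PolicyRule."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    out = []
    if "*" in verbs and "*" in resources:
        out.append(("CRITICAL", "all verbs on all resources (cluster-admin equivalent)"))
    elif "*" in verbs:
        target = resources or rule.get("nonResourceURLs", [])
        out.append(("HIGH", "all verbs on " + ",".join(target)))
    elif "*" in resources:
        out.append(("HIGH", "%s on every resource in groups %s"
                    % (",".join(sorted(verbs)), groups)))
    # Only an explicit escalate/bind/impersonate counts: "*" on, say,
    # pods/portforward does not create a role-escalation path.
    if set(verbs) & ESCALATION_VERBS:
        out.append(("CRITICAL", "escalate/bind/impersonate verb"))
    if _core(groups) and ("secrets" in resources or "*" in resources) \
            and _any(verbs, READ_VERBS):
        out.append(("HIGH", "reads Secret contents (list/watch return whole objects)"))
    hit = CONNECT_SUBRESOURCES if "*" in resources else CONNECT_SUBRESOURCES & set(resources)
    if _core(groups) and hit and _any(verbs, {"get", "create"}):
        out.append(("HIGH", "exec/attach/port-forward/proxy via " + ",".join(sorted(hit))))
    return out


def audit_roles(doc):
    """Map ClusterRole name -> deduplicated findings, most severe first."""
    report = {}
    for item in doc["items"]:
        found = set()
        for rule in item.get("rules", []):
            found.update(audit_rule(rule))
        report[item["metadata"]["name"]] = sorted(found, key=lambda f: (-SEVERITY[f[0]], f[1]))
    return report


def worst(findings):
    """Highest severity among the findings, or "OK" when there are none."""
    return max((sev for sev, _ in findings), key=SEVERITY.__getitem__, default="OK")


# Constructed input: a subset of the roles posted in the thread, as kubectl would print them.
SAMPLE = json.dumps({"kind": "List", "apiVersion": "v1", "items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "restricted-user-access"},
     "rules": [{"apiGroups": ["", "extensions", "apps"], "resources": ["*"], "verbs": ["get"]},
               {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"]}]},
    {"metadata": {"name": "portforward-access"},
     "rules": [{"apiGroups": [""], "resources": ["pods/portforward"], "verbs": ["*"]}]},
    {"metadata": {"name": "read-services-external-dns-ingress"},
     "rules": [{"apiGroups": [""], "resources": ["services"], "verbs": ["get", "watch", "list"]},
               {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["get", "watch", "list"]}]},
]})


def main(argv):
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    for name, findings in audit_roles(json.loads(raw)).items():
        print("%-8s %s" % (worst(findings), name))
        for sev, why in findings:
            print("           - [%s] %s" % (sev, why))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real cluster with `kubectl get clusterroles -o json > roles.json && python3 rbac_audit.py roles.json`. Note what it says about `restricted-user-access`: a rule that looks harmless ("get" only) is reported as able to read Secrets and reach pods/exec, because `resources: ["*"]` in the core group covers both. For a given subject, `kubectl auth can-i --list --as=<user>` shows the effective union of all bound roles and complements this per-role view.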
