Latest commit

27ce2ba · Mar 24, 2018



Kubernetes RBACQ


RBACQ simplifies querying Subjects and Rights specified in Kubernetes through Roles/ClusterRoles and RoleBindings/ClusterRoleBindings.



Go to the releases page and download the Linux or Windows version. Put the binary wherever you want (on UNIX-y systems, /usr/local/bin or the like). Make sure its execute bit is set.

Basic Usage

RBACQ is built with Cobra, so the CLI is structured in a familiar way (Cobra is also used in Docker and Kubernetes).

To print a description of what RBACQ can do, just execute:

$ ./rbacq
rbacq simplifies querying the Kubernetes RBAC API

  rbacq [command]

Available Commands:
  get         Displays one or many resources
  help        Help about any command

  -a, --all-namespaces      Specifies that all Namespaces should be queried (default "false")
  -c, --cluster-wide        Search cluster-wide (which includes ClusterRoles & ClusterRolebindings)
  -k, --kubeconfig string   Path to the kubeconfig file to use for CLI requests (default "$HOME\\.kube\\config")
  -n, --namespace string    Specifies the Namespace in which to query (default "default")
  -s, --system              Show also System Objects (default "false")

Use "rbacq [command] --help" for more information about a command.

To explore the CLI further, execute the following (and so on):

$ ./rbacq get
You must specify the type of resource to get. Valid resource types are:

        * subjects (aka 'sub')
        * rights (aka 'r')
$ ./rbacq get subjects --help
Displays one or many resources

  rbacq get [RESOURCE-TYPE] [flags]

  -o, --output string   Set jsonpath e.g. with -o jsonpath='{.kind}:{.Name}'

Global Flags:
  -a, --all-namespaces      Specifies that all Namespaces should be queried (default "false")
  -c, --cluster-wide        Search cluster-wide (which includes ClusterRoles & ClusterRolebindings)
  -k, --kubeconfig string   Path to the kubeconfig file to use for CLI requests (default "C:\\Users\\SBUERIN\\.kube\\config")
  -n, --namespace string    Specifies the Namespace in which to query (default "default")
  -s, --system              Show also System Objects (default "false")


Subjects used in RoleBindings can be queried with ./rbacq get subjects. By default, subjects are queried in the default Namespace. The following flags modify this behaviour:

  • -n <namespace>: search in a specific Namespace
  • -a: search in all Namespaces
  • -c: search cluster-wide, which means that ClusterRoles & ClusterRoleBindings are also queried
  • -s: also show System objects


List Subjects in kube-system (including System objects):

$ ./rbacq -n kube-system get subjects -s
Subjects defined in RoleBindings
    Namespace: kube-system
            Role: system:controller:token-cleaner
                 secrets: [delete get list watch]
                 events: [create patch update]
            Role: vault:serviceaccount
                 secrets: [delete create list update]
            Role: system:controller:bootstrap-signer
                 secrets: [get list watch]

List all Subjects matching the RegExp .*kube-system.* (including System objects):

$ ./rbacq -n kube-system get subjects -s .*kube-system.*
Subjects defined in RoleBindings
    Namespace: kube-system
            Role: system:controller:token-cleaner
                 secrets: [delete get list watch]
                 events: [create patch update]
            Role: system:controller:bootstrap-signer
                 secrets: [get list watch]


Rights used by Roles can be queried with ./rbacq get rights. By default, rights are queried in the default Namespace. The same flags as for Subjects modify this behaviour.


Get all Rights from Namespace kube-system (including System):

$ ./rbacq -n kube-system get rights -s 
Rights defined in Roles
        [create patch update]: [ServiceAccount:kube-system:token-cleaner]
        [delete create list update]: [ServiceAccount:infra:i3-vault]
        [delete get list watch]: [ServiceAccount:kube-system:token-cleaner]
        [get list watch]: [ServiceAccount:kube-system:bootstrap-signer]

Get all Rights from Roles in the default Namespace and from ClusterRoles that match namespaces.*get (including System):

$ ./rbacq get rights -s -c namespaces.*get
Rights defined in ClusterRoles & Roles
    namespaces: [delete get list watch]: [ServiceAccount:kube-system:namespace-controller]
    namespaces: [get]: [User:system:kube-controller-manager]
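
The rights-to-subjects view shown above can be derived by resolving each RoleBinding to its Role and inverting the result. The following is an added example, not RBACQ's own code: the struct types are simplified stand-ins for the Kubernetes RBAC objects, the data is constructed from the kube-system output above (the `missing-role` binding and its `orphan` subject are hypothetical), and matching the regexp against the `resource: [verbs]` string is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Simplified stand-ins for the rbac.authorization.k8s.io/v1 objects (assumption).
type Rule struct{ Resources, Verbs []string }
type Role struct{ Namespace, Name string; Rules []Rule }
type Binding struct{ Namespace, RoleRef string; Subjects []string }

// RightsToSubjects resolves each binding to its Role and inverts the result into
// "resource: [verbs]" -> subjects, keeping only rights that match filter.
func RightsToSubjects(roles []Role, bindings []Binding, filter *regexp.Regexp) map[string][]string {
	byKey := map[string]Role{}
	for _, r := range roles {
		byKey[r.Namespace+"/"+r.Name] = r
	}
	out := map[string][]string{}
	for _, b := range bindings {
		// A binding whose Role does not exist yields the zero Role: no rules, no rights.
		for _, rule := range byKey[b.Namespace+"/"+b.RoleRef].Rules {
			for _, res := range rule.Resources {
				right := fmt.Sprintf("%s: [%s]", res, strings.Join(rule.Verbs, " "))
				if filter.MatchString(right) {
					out[right] = append(out[right], b.Subjects...)
				}
			}
		}
	}
	return out
}

// Constructed sample data, modelled on the kube-system output shown above.
var f = strings.Fields
var sampleRoles = []Role{
	{"kube-system", "system:controller:token-cleaner", []Rule{{f("secrets"), f("delete get list watch")}, {f("events"), f("create patch update")}}},
	{"kube-system", "vault:serviceaccount", []Rule{{f("secrets"), f("delete create list update")}}},
}
var sampleBindings = []Binding{
	{"kube-system", "system:controller:token-cleaner", f("ServiceAccount:kube-system:token-cleaner")},
	{"kube-system", "vault:serviceaccount", f("ServiceAccount:infra:i3-vault")},
	{"kube-system", "missing-role", f("ServiceAccount:kube-system:orphan")}, // dangling (hypothetical)
}

func main() {
	fmt.Println(RightsToSubjects(sampleRoles, sampleBindings, regexp.MustCompile("secrets.*delete")))
}
```

With the filter `secrets.*delete`, the result includes a ServiceAccount from the infra Namespace that can delete Secrets in kube-system, the kind of cross-namespace grant worth checking in a review.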