diff --git a/slides/k8s/authn-authz.md b/slides/k8s/authn-authz.md index 1b07bc64..96aa5f92 100644 --- a/slides/k8s/authn-authz.md +++ b/slides/k8s/authn-authz.md @@ -611,3 +611,26 @@ class: extra-details ```bash kubectl describe clusterrole cluster-admin ``` + +--- + +class: extra-details + +## Figuring out who can do what + +- For auditing purposes, sometimes we want to know who can perform an action + +- Here is a proof-of-concept tool by Aqua Security, doing exactly that: + + https://github.com/aquasecurity/kubectl-who-can + +- This is one way to install it: + ```bash + docker run --rm -v /usr/local/bin:/go/bin golang \ + go get -v github.com/aquasecurity/kubectl-who-can + ``` + +- This is one way to use it: + ```bash + kubectl-who-can create pods + ```