From 38097a17df988ddafa03dc483de3b5ab71cda8cb Mon Sep 17 00:00:00 2001 From: Jerome Petazzoni Date: Wed, 3 Apr 2019 05:34:24 -0500 Subject: [PATCH] Add slides about kubectl-who-can --- slides/k8s/authn-authz.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/slides/k8s/authn-authz.md b/slides/k8s/authn-authz.md index 1b07bc64..96aa5f92 100644 --- a/slides/k8s/authn-authz.md +++ b/slides/k8s/authn-authz.md @@ -611,3 +611,26 @@ class: extra-details ```bash kubectl describe clusterrole cluster-admin ``` + +--- + +class: extra-details + +## Figuring out who can do what + +- For auditing purposes, sometimes we want to know who can perform an action + +- Here is a proof-of-concept tool by Aqua Security, doing exactly that: + + https://github.com/aquasecurity/kubectl-who-can + +- This is one way to install it: + ```bash + docker run --rm -v /usr/local/bin:/go/bin golang \ + go get -v github.com/aquasecurity/kubectl-who-can + ``` + +- This is one way to use it: + ```bash + kubectl-who-can create pods + ```