FairwindsOps/rbac-manager

★ 1,656 · Go · Apache-2.0 · updated May 2026

A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts.

rbac-manager is a Kubernetes operator that lets you define RBAC bindings declaratively via a custom `RBACDefinition` CRD, instead of hand-managing individual RoleBindings and ServiceAccounts. It reconciles desired state continuously, so adding a user to a namespace group means editing one object, not hunting down every binding. Aimed at platform teams who manage RBAC across many namespaces and users.

The abstraction is genuinely useful: one RBACDefinition can fan out to dozens of RoleBindings across namespaces matching a label selector, which is the exact pain point native RBAC has. Chainsaw-based e2e tests cover the real reconciliation loop against an actual cluster, not mocks. Images are now signed and tags are immutable, which matters a lot for a security-adjacent tool. The reconciler does a proper diff and cleans up stale bindings — it doesn't just create, it also deletes what no longer matches.

The CRD API is still `v1beta1` after years of existence, which signals that it isn't considered stable; adopters should expect breaking changes. There's no support for aggregated ClusterRoles or fine-grained audit of *why* a binding exists, so drift investigation still requires kubectl. The namespace selector approach means a misconfigured label can silently under-grant or over-grant permissions — there's no dry-run or preview mode to catch this before it lands. Active development has slowed noticeably; the recent release cadence suggests it's in maintenance mode rather than being actively extended.
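The label-selector risk described above can be checked before a selector is applied. The following is an added example, not rbac-manager code: it assumes a simplified equality-only selector, a constructed set of namespaces, and hypothetical names (`Preview`, `Sample`), and it compares what a selector would match against the namespaces the operator intended.

```go
package main

import (
	"fmt"
	"sort"
)

// Labels is a namespace's label set; the cluster is modelled as name -> Labels.
type Labels map[string]string

// matches: every selector key must be present with an identical value; an empty selector matches all.
func matches(selector, labels Labels) bool {
	for k, v := range selector {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Preview returns namespaces bound but not intended (over) and intended but missed (under).
func Preview(selector Labels, cluster map[string]Labels, intended []string) (over, under []string) {
	want := map[string]bool{}
	for _, n := range intended {
		want[n] = true
	}
	for name, labels := range cluster {
		switch hit := matches(selector, labels); {
		case hit && !want[name]:
			over = append(over, name)
		case !hit && want[name]:
			under = append(under, name)
		}
	}
	sort.Strings(over)
	sort.Strings(under)
	return over, under
}

// Sample is constructed data, not taken from any real cluster.
var Sample = map[string]Labels{
	"web-prod":    {"team": "web", "env": "prod"},
	"web-dev":     {"team": "web"},
	"payments":    {"team": "web"}, // label copied from a web manifest by mistake
	"web-staging": {"team": "Web"}, // label values are case-sensitive
}

func main() {
	fmt.Println(Preview(Labels{"team": "web"}, Sample, []string{"web-prod", "web-dev", "web-staging"}))
}
```

With the sample data, `payments` is over-granted and `web-staging` is under-granted; an intended namespace that does not exist in the cluster map is not reported by this sketch.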
