// the find
FairwindsOps/rbac-manager
A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts.
rbac-manager is a Kubernetes operator that lets you define RBAC bindings declaratively via a custom `RBACDefinition` CRD, instead of hand-managing individual RoleBindings and ServiceAccounts. It reconciles desired state continuously, so adding a user to a namespace group means editing one object, not hunting down every binding. Aimed at platform teams who manage RBAC across many namespaces and users.
The abstraction is genuinely useful: one RBACDefinition can fan out to dozens of RoleBindings across namespaces matching a label selector, which is the exact pain point native RBAC has. Chainsaw-based e2e tests cover the real reconciliation loop against an actual cluster, not mocks. Images are now signed and tags are immutable, which matters a lot for a security-adjacent tool. The reconciler does a proper diff and cleans up stale bindings — it doesn't just create, it also deletes what no longer matches.
The CRD API is still `v1beta1` after years of existence, which is a signal this isn't considered stable; adopters should expect breaking changes. There's no support for aggregated ClusterRoles or fine-grained audit of *why* a binding exists, so drift investigation still requires kubectl. The namespace selector approach means a misconfigured label can silently under-grant or over-grant permissions — there's no dry-run or preview mode to catch this before it lands. Active development has slowed noticeably; the recent release cadence suggests it's in maintenance mode rather than being actively extended.
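
Since there is no built-in preview, the selector fan-out can be checked offline before an RBACDefinition is applied. The sketch below is an added example, not rbac-manager's own code: the field names follow the RBACDefinition layout in the project README, the definition and namespace labels are constructed sample data, and `preview` and `unexpected` are hypothetical helpers that handle only `namespace` and `namespaceSelector.matchLabels`.

```python
# Added example: offline preview of the grants an RBACDefinition fans out to.
# All data below is constructed; preview() and unexpected() are hypothetical helpers.
RBAC_DEFINITION = {  # parsed form of a constructed RBACDefinition
    "apiVersion": "rbacmanager.reactiveops.io/v1beta1",
    "kind": "RBACDefinition",
    "metadata": {"name": "web-team"},
    "rbacBindings": [{
        "name": "web-developers",
        "subjects": [{"kind": "User", "name": "dave@example.com"}],
        "roleBindings": [
            {"clusterRole": "edit", "namespace": "web"},
            {"clusterRole": "view",
             "namespaceSelector": {"matchLabels": {"team": "web"}}},
        ],
    }],
}
NAMESPACES = {  # constructed: namespace name -> labels
    "web": {"team": "web"},
    "web-staging": {"team": "web"},
    "payments": {"team": "web"},  # mislabeled on purpose: should be team=payments
    "kube-system": {},
}

def preview(definition, namespaces):
    """Return the sorted (namespace, role, subject) grants the definition implies."""
    grants = set()
    for binding in definition.get("rbacBindings", []):
        subjects = [f'{s["kind"]}/{s["name"]}' for s in binding.get("subjects", [])]
        for rb in binding.get("roleBindings", []):
            role = rb.get("clusterRole") or rb.get("role")
            want = rb.get("namespaceSelector", {}).get("matchLabels")
            if "namespace" in rb:
                targets = [rb["namespace"]]
            elif want:  # every requested label must be present with the same value
                targets = [ns for ns, have in namespaces.items()
                           if all(have.get(k) == v for k, v in want.items())]
            else:
                targets = []  # other selector forms are outside this sketch
            grants.update((ns, role, s) for ns in targets for s in subjects)
    return sorted(grants)

def unexpected(grants, reviewed_namespaces):
    """Grants landing in namespaces the reviewer did not expect to be touched."""
    return [g for g in grants if g[0] not in reviewed_namespaces]

if __name__ == "__main__":
    grants = preview(RBAC_DEFINITION, NAMESPACES)
    for g in grants:
        print(*g)
    print("unexpected:", unexpected(grants, {"web", "web-staging"}))
```

With real data, the namespace-to-labels map can be built from `kubectl get namespaces -o json`, and a non-empty `unexpected` result is the over-grant to investigate before the change lands.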