finds.dev← search

// the find

corneliusweig/rakkess

★ 1,400 · Go · Apache-2.0 · updated Apr 2023

Review Access - kubectl plugin to show an access matrix for k8s server resources

rakkess is a kubectl plugin that shows you a full access matrix for your Kubernetes RBAC — what verbs you can perform on what resources, or flipping it around, which subjects have access to a given resource. It fills a genuine gap: `kubectl auth can-i` is one resource at a time, rakkess gives you the whole picture at once. Useful for auditing clusters you didn't set up yourself.

The dual-mode design is well thought out — checking your own access and checking who can touch a specific resource are both first-class commands rather than bolted-on flags. The `--as` and `--sa` flags let you impersonate users and service accounts, which is exactly what you need when debugging why a deployment can't read a ConfigMap. Installable via krew with a stable plugin name (`kubectl access-matrix`), so it slots into existing workflows without friction. The code is cleanly split between client logic and presentation, and the test coverage on the access-check internals is solid.

Last commit was April 2023 — not actively maintained. Kubernetes RBAC internals haven't changed dramatically, but the dependency chain will drift and krew users will start hitting build warnings. The `rakkess resource` subcommand requires admin access to enumerate RoleBindings, which limits its usefulness in the exact situations where you most want it (auditing a cluster you don't fully control). Output is terminal-only; there's no JSON or structured output mode, so you can't pipe rakkess into a policy diff or CI check.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →