// the find
corneliusweig/rakkess
Review Access - kubectl plugin to show an access matrix for k8s server resources
rakkess is a kubectl plugin that shows you a full access matrix for your Kubernetes RBAC — what verbs you can perform on what resources, or flipping it around, which subjects have access to a given resource. It fills a genuine gap: `kubectl auth can-i` is one resource at a time, rakkess gives you the whole picture at once. Useful for auditing clusters you didn't set up yourself.
The dual-mode design is well thought out — checking your own access and checking who can touch a specific resource are both first-class commands rather than bolted-on flags. The `--as` and `--sa` flags let you impersonate users and service accounts, which is exactly what you need when debugging why a deployment can't read a ConfigMap. Installable via krew with a stable plugin name (`kubectl access-matrix`), so it slots into existing workflows without friction. The code is cleanly split between client logic and presentation, and the test coverage on the access-check internals is solid.
Last commit was April 2023 — not actively maintained. Kubernetes RBAC internals haven't changed dramatically, but the dependency chain will drift and krew users will start hitting build warnings. The `rakkess resource` subcommand requires admin access to enumerate RoleBindings, which limits its usefulness in the exact situations where you most want it (auditing a cluster you don't fully control). Output is terminal-only; there's no JSON or structured output mode, so you can't pipe rakkess into a policy diff or CI check.