Rakkess – Kubectl Plugin To Show An Access Matrix For K8S Server Resources


Have you ever wondered what access rights you have on a provided Kubernetes cluster? For single resources you can use "kubectl auth can-i list deployments", but maybe you are looking for a complete overview? This is what rakkess is for. It lists access rights for the current user and all server resources, similar to "kubectl auth can-i --list".

It is also useful to find out who may interact with some server resource. Check out the sub-command rakkess resource below.




Show access for all resources

  • … at cluster scope: rakkess
  • … in some namespace: rakkess --namespace default
  • … with verbs: rakkess --verbs get,delete,watch,patch
  • … for another user: rakkess --as other-user
  • … for another service-account: rakkess --sa kube-system:namespace-controller
  • … and combine with common kubectl parameters: KUBECONFIG=otherconfig rakkess --context other-context

Show subjects with access to a given resource [1]

  • … globally in all namespaces (only considers ClusterRoleBindings): rakkess resource configmaps
  • … in a given namespace (considers RoleBindings and ClusterRoleBindings): rakkess resource configmaps -n default
  • … with shorthand notation: rakkess r cm   # same as rakkess resource configmaps
  • … with custom verbs: rakkess r cm --verbs get,delete,watch,patch

Name-restricted roles

Some roles only apply to resources with a specific name. To review such configurations, provide the resource name as additional argument. For example, show access rights for the ConfigMap called ingress-controller-leader-nginx in namespace ingress-nginx (note the subtle difference for nginx-ingress-serviceaccount to the previous example):

[Screenshot: rakkess demo]

[1] As rakkess resource needs to query Roles, ClusterRoles, and their bindings, it usually requires administrative cluster access.

Also see Usage.
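
The binding-scope and name-restriction rules described above, modelled over a few constructed RBAC objects. This is an added example, not rakkess's own code; the role names, the subjects alice and devs, and the simplified rule shape (apiGroups omitted) are assumptions.

```python
# Constructed sample RBAC data (not from a real cluster); apiGroups omitted.
ROLES = {  # (kind, namespace, name) -> rules
    ("ClusterRole", None, "cm-reader"): [
        {"resources": ["configmaps"], "verbs": ["get", "list"]}],
    ("Role", "ingress-nginx", "leader-election"): [
        {"resources": ["configmaps"], "verbs": ["get", "update"],
         "resourceNames": ["ingress-controller-leader-nginx"]},
        {"resources": ["configmaps"], "verbs": ["create"]}],
}
SA = "ServiceAccount:ingress-nginx/nginx-ingress-serviceaccount"
BINDINGS = [  # (binding kind, namespace, roleRef kind, roleRef name, subjects)
    ("ClusterRoleBinding", None, "ClusterRole", "cm-reader", ["User:alice"]),
    ("RoleBinding", "ingress-nginx", "Role", "leader-election", [SA]),
    ("RoleBinding", "default", "ClusterRole", "cm-reader", ["Group:devs"]),
]

def rule_grants(rule, resource, verb, name):
    """True if one RBAC rule allows `verb` on `resource` (optionally a named object)."""
    if not {resource, "*"} & set(rule["resources"]):
        return False
    if not {verb, "*"} & set(rule["verbs"]):
        return False
    names = rule.get("resourceNames")
    # A name-restricted rule only matches a request for one of the listed names.
    return not names or name in names

def subjects_with_access(resource, verbs, namespace=None, name=None):
    """Map subject -> granted verbs. With namespace=None only ClusterRoleBindings
    count; with a namespace, its RoleBindings are considered as well."""
    result = {}
    for kind, ns, ref_kind, ref_name, subjects in BINDINGS:
        if kind == "RoleBinding" and ns != namespace:
            continue
        # A Role lives in the binding's namespace; a ClusterRole has none.
        rules = ROLES.get((ref_kind, ns if ref_kind == "Role" else None, ref_name), [])
        granted = {v for v in verbs
                   if any(rule_grants(r, resource, v, name) for r in rules)}
        for subject in subjects if granted else []:
            result.setdefault(subject, set()).update(granted)
    return result

if __name__ == "__main__":
    verbs = ["get", "list", "update"]
    for ns, name in [(None, None), ("ingress-nginx", None),
                     ("ingress-nginx", "ingress-controller-leader-nginx")]:
        print(ns, name, subjects_with_access("configmaps", verbs, ns, name))
```

In this model the service account appears only once the ConfigMap name is supplied, because its get and update rights come from a name-restricted rule.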


There are several ways to install rakkess. The recommended installation method is via krew.

Via krew

Krew is a kubectl plugin manager. If you have not yet installed krew, get it at https://github.com/kubernetes-sigs/krew. Then installation is as simple as

kubectl krew install access-matrix

The plugin will be available as kubectl access-matrix; see doc/USAGE for further details.


When using the binaries for installation, also have a look at doc/USAGE.


curl -LO https://github.com/corneliusweig/rakkess/releases/download/v0.4.5/rakkess-amd64-linux.tar.gz \
  && tar xf rakkess-amd64-linux.tar.gz rakkess-amd64-linux \
  && chmod +x rakkess-amd64-linux \
  && mv -i rakkess-amd64-linux $GOPATH/bin/rakkess


curl -LO https://github.com/corneliusweig/rakkess/releases/download/v0.4.5/rakkess-amd64-darwin.tar.gz \
  && tar xf rakkess-amd64-darwin.tar.gz rakkess-amd64-darwin \
  && chmod +x rakkess-amd64-darwin \
  && mv -i rakkess-amd64-darwin $GOPATH/bin/rakkess



From source

Build on host


  • go 1.14 or newer
  • GNU make
  • git


export PLATFORMS=$(go env GOOS)
make all   # binaries will be placed in out/

Build in docker



mkdir rakkess && cd rakkess
curl -Lo Dockerfile https://raw.githubusercontent.com/corneliusweig/rakkess/master/Dockerfile
docker build . -t rakkess-builder
# run the image built above; the current directory is mounted as the output directory
docker run --rm -v "$PWD":/go/bin/ --env PLATFORMS="$(go env GOOS)" rakkess-builder
docker rmi rakkess-builder

Binaries will be placed in the current directory.

