Table: kubernetes_cluster_role - Query Kubernetes Cluster Roles using SQL
Kubernetes Cluster Roles is a feature within Kubernetes that allows you to define permissions for resources across the entire cluster. It provides a way to set up and manage access controls for various Kubernetes resources, including pods, services, and more. Kubernetes Cluster Roles helps you stay informed about the access controls in your Kubernetes cluster and take appropriate actions when managing permissions.
A ClusterRole contains rules that represent a set of permissions. You can use it to grant access to:
- cluster-scoped resources (like nodes)
- non-resource endpoints (like /healthz)
- namespaced resources (like Pods), across all namespaces
Table Usage Guide
The kubernetes_cluster_role table provides insights into Cluster Roles within Kubernetes. As a DevOps engineer, explore role-specific details through this table, including permissions and associated rules. Utilize it to uncover information about roles, such as those with wildcard permissions, and the verification of access controls.
Examples
Basic Info
Explore the creation timelines and rules associated with different roles in a Kubernetes cluster to better manage and organize your resources. This allows for effective prioritization and allocation of tasks within the cluster.
```sql
select
  name,
  creation_timestamp,
  rules,
  aggregation_rule
from
  kubernetes_cluster_role
order by
  name;
```
List rules and verbs for cluster roles
Explore the permissions associated with different roles in a Kubernetes cluster. This can help in understanding the access levels of various roles, thereby aiding in managing security and access control.
Postgres:

```sql
select
  name as role_name,
  rule ->> 'apiGroups' as api_groups,
  rule ->> 'resources' as resources,
  rule ->> 'nonResourceURLs' as non_resource_urls,
  rule ->> 'verbs' as verbs,
  rule ->> 'resourceNames' as resource_names
from
  kubernetes_cluster_role,
  jsonb_array_elements(rules) as rule
order by
  role_name,
  api_groups;
```

SQLite:

```sql
select
  name as role_name,
  json_extract(rule.value, '$.apiGroups') as api_groups,
  json_extract(rule.value, '$.resources') as resources,
  json_extract(rule.value, '$.nonResourceURLs') as non_resource_urls,
  json_extract(rule.value, '$.verbs') as verbs,
  json_extract(rule.value, '$.resourceNames') as resource_names
from
  kubernetes_cluster_role,
  json_each(rules) as rule
order by
  role_name,
  api_groups;
```
Group cluster roles by same set of aggregation rules
Discover the segments that share the same set of aggregation rules within cluster roles, which can help in assessing similar roles and their configuration in a Kubernetes environment. This may be useful in optimizing role assignment and ensuring consistent rule enforcement across roles.
Postgres:

```sql
select
  jsonb_agg(name) as roles,
  aggregation_rule
from
  kubernetes_cluster_role
group by
  aggregation_rule;
```

SQLite:

```sql
select
  json_group_array(name) as roles,
  aggregation_rule
from
  kubernetes_cluster_role
group by
  aggregation_rule;
```
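An aggregated ClusterRole receives its rules from every other ClusterRole whose labels match its selectors, so a single label on an unrelated role can widen it. The following query is an added example, not part of the Steampipe documentation; it is written for Postgres and assumes that aggregation_rule keeps the Kubernetes API field names clusterRoleSelectors and matchLabels (matchExpressions selectors are not evaluated).

```sql
-- Added example (PostgreSQL syntax). Assumes aggregation_rule has the shape
-- {"clusterRoleSelectors": [{"matchLabels": {...}}, ...]}.
select
  agg.name as aggregated_role,
  selector -> 'matchLabels' as match_labels,
  src.name as contributing_role,
  src.source_type as contributing_source,
  src.rules as contributed_rules
from
  kubernetes_cluster_role as agg
  -- one row per selector of the aggregated role
  cross join lateral jsonb_array_elements(
    agg.aggregation_rule -> 'clusterRoleSelectors'
  ) as selector
  -- a role contributes when its labels contain every key/value of matchLabels
  join kubernetes_cluster_role as src
    on src.labels @> (selector -> 'matchLabels')
    and src.context_name is not distinct from agg.context_name
    and src.name <> agg.name
where
  selector ? 'matchLabels'
order by
  aggregated_role,
  contributing_role;
```

Review the contributing_role column for roles you did not expect to feed a broad role; each one adds its rules to the aggregated role.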
List manifest resources
Explore the rules and aggregation rules of your Kubernetes cluster roles that have a defined path. This can help you understand the permissions structure and assess any potential security risks in your cluster.
```sql
select
  name,
  rules,
  aggregation_rule,
  path
from
  kubernetes_cluster_role
where
  path is not null
order by
  name;
```
Control examples
- All Controls > Role > ClusterRoles permissions for approving CertificateSigningRequests
- All Controls > Role > ClusterRoles permissions for managing the configuration of validation or mutation admission webhooks should be minimized
- All Controls > Role > ClusterRoles permissions to bind RoleBindings or ClusterRoleBindings should be minimized
- All Controls > Role > ClusterRoles permissions to escalate Roles or ClusterRoles should be minimized
- All Controls > Role > Minimize wildcard use in Roles and ClusterRoles
- CIS v1.7.0 > 5 Policies > 5.1 RBAC and Service Accounts > 5.1.3 Minimize wildcard use in Roles and ClusterRoles
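The controls listed above can be approximated directly against this table. The query below is an added example, not the compliance mod's own SQL; it is written for Postgres, the finding labels are made up for illustration, and the resource and verb names are the standard Kubernetes RBAC ones.

```sql
-- Added example (PostgreSQL syntax); finding labels are illustrative.
with role_rules as (
  select
    name as role_name,
    source_type,
    rule,
    rule -> 'verbs' as rule_verbs,
    rule -> 'resources' as rule_resources
  from
    kubernetes_cluster_role,
    jsonb_array_elements(rules) as rule
)
select
  role_name,
  source_type,
  c.finding,
  rule ->> 'apiGroups' as api_groups,
  rule ->> 'resources' as resources,
  rule ->> 'verbs' as verbs
from
  role_rules
  -- evaluate every check against every rule; keep only the ones that match
  cross join lateral (
    values
      ('wildcard in verbs, resources or apiGroups',
        rule_verbs ? '*' or rule_resources ? '*' or (rule -> 'apiGroups') ? '*'),
      ('grants bind or escalate verb',
        rule_verbs ?| array['bind', 'escalate']),
      ('can modify admission webhook configurations',
        rule_resources ?| array['validatingwebhookconfigurations',
                                'mutatingwebhookconfigurations']
        and rule_verbs ?| array['create', 'update', 'patch', 'delete',
                                'deletecollection', '*']),
      ('can approve CertificateSigningRequests',
        rule_resources ? 'certificatesigningrequests/approval'
        and rule_verbs ?| array['update', 'patch', '*'])
  ) as c(finding, matched)
where
  c.matched
order by
  role_name,
  c.finding;
```

A rule with a wildcard resource is reported only under the wildcard finding, although it also implies the webhook and CSR permissions, so treat wildcard rows as covering every other check.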
Schema for kubernetes_cluster_role
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
aggregation_rule | jsonb | | An optional field that describes how to build the Rules for this ClusterRole |
annotations | jsonb | | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. |
context_name | text | | Kubectl config context name. |
creation_timestamp | timestamp with time zone | | CreationTimestamp is a timestamp representing the server time when this object was created. |
deletion_grace_period_seconds | bigint | | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. |
deletion_timestamp | timestamp with time zone | | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. |
end_line | bigint | | The path to the manifest file. |
finalizers | jsonb | | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. |
generate_name | text | | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. |
generation | bigint | | A sequence number representing a specific generation of the desired state. |
labels | jsonb | | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. |
name | text | | Name of the object. Name must be unique within a namespace. |
owner_references | jsonb | | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. |
path | text | | The path to the manifest file. |
resource_version | text | | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. |
rules | jsonb | | List of the PolicyRules for this Role. |
source_type | text | | The source of the resource. Possible values are: deployed and manifest. If the resource is fetched from the spec file the value will be manifest. |
sp_connection_name | text | | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
start_line | bigint | | The path to the manifest file. |
tags | jsonb | | A map of tags for the resource. This includes both labels and annotations. |
title | text | | Title of the resource. |
uid | text | | UID is the unique in time and space value for this object. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- kubernetes
You can pass the configuration to the command with the --config argument:
steampipe_export_kubernetes --config '<your_config>' kubernetes_cluster_role