v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Steampipe logo 
Hub
Plugins
turbot/kubernetes
Overview
39Tables
Versions
PowerpipeMods
GitHub
steampipe plugin install kubernetes

Table: kubernetes_role_binding - Query Kubernetes Role Bindings using SQL

A Role Binding in Kubernetes is a link between a Role (or ClusterRole) and the subjects (users, groups, or service accounts) it applies to within a namespace. Role Bindings are used to grant the permissions defined in a Role to a user or set of users. They can reference a Role in the same namespace or a ClusterRole and then bind it to one or more subjects.

Table Usage Guide

The kubernetes_role_binding table provides insights into Role Bindings within Kubernetes. As a Kubernetes administrator, explore role binding-specific details through this table, including the roles they reference, the subjects they apply to, and the namespace they belong to. Utilize it to uncover information about role bindings, such as those granting excessive permissions, the association between roles and subjects, and the verification of role permissions within a namespace.

Examples

Basic Info

Explore which roles are bound to specific subjects in your Kubernetes environment. This can help you gain insights into access controls and permissions, ensuring that only authorized entities have access to certain resources.

select
  name,
  namespace,
  role_name,
  role_kind,
  jsonb_pretty(subjects) as subjects,
  creation_timestamp
from
  kubernetes_role_binding
order by
  name;
select
  name,
  namespace,
  role_name,
  role_kind,
  subjects,
  creation_timestamp
from
  kubernetes_role_binding
order by
  name;

Get details subject and role details for bindings

Uncover the details of role bindings in a Kubernetes environment to understand the relationship between subjects and their associated roles. This can be useful in managing access control and ensuring proper role assignments.

select
  name as binding_name,
  namespace,
  role_name,
  subject ->> 'name' as subject_name,
  subject ->> 'namespace' as subject_namespace,
  subject ->> 'apiGroup' as subject_api_group,
  subject ->> 'kind' as subject_kind
from
  kubernetes_role_binding,
  jsonb_array_elements(subjects) as subject
order by
  subject_kind,
  role_name,
  subject_name;
select
  name as binding_name,
  namespace,
  role_name,
  json_extract(subject.value, '$.name') as subject_name,
  json_extract(subject.value, '$.namespace') as subject_namespace,
  json_extract(subject.value, '$.apiGroup') as subject_api_group,
  json_extract(subject.value, '$.kind') as subject_kind
from
  kubernetes_role_binding,
  json_each(subjects) as subject
order by
  subject_kind,
  role_name,
  subject_name;

Get role bindings for each role

Explore which roles have been assigned to each role binding in your Kubernetes configuration. This can help in managing access controls and ensuring appropriate permissions are assigned.

select
  role_name,
  jsonb_agg(name) as bindings
from
  kubernetes_role_binding
group by
  role_name;
select
  role_name,
  json_group_array(name) as bindings
from
  kubernetes_role_binding
group by
  role_name;

List manifest resources

Explore the role bindings within your Kubernetes environment to understand the relationships between different resources. This can be particularly useful in identifying potential security risks or misconfigurations.

select
  name,
  namespace,
  role_name,
  role_kind,
  jsonb_pretty(subjects) as subjects,
  path
from
  kubernetes_role_binding
where
  path is not null
order by
  name;
select
  name,
  namespace,
  role_name,
  role_kind,
  subjects,
  path
from
  kubernetes_role_binding
where
  path is not null
order by
  name;

Query examples

Control examples

Schema for kubernetes_role_binding

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
annotationsjsonbAnnotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.
context_nametextKubectl config context name.
creation_timestamptimestamp with time zoneCreationTimestamp is a timestamp representing the server time when this object was created.
deletion_grace_period_secondsbigintNumber of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set.
deletion_timestamptimestamp with time zoneDeletionTimestamp is RFC 3339 date and time at which this resource will be deleted.
end_linebigintThe path to the manifest file.
finalizersjsonbMust be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.
generate_nametextGenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided.
generationbigintA sequence number representing a specific generation of the desired state.
labelsjsonbMap of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.
nametextName of the object. Name must be unique within a namespace.
namespacetextNamespace defines the space within which each name must be unique.
owner_referencesjsonbList of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.
pathtextThe path to the manifest file.
resource_versiontextAn opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed.
role_api_grouptextThe group for the referenced role.
role_kindtextType of the role referenced.
role_nametextName of the role for which access is granted to subjects.
source_typetextThe source of the resource. Possible values are: deployed and manifest. If the resource is fetched from the spec file the value will be manifest.
sp_connection_nametextSteampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
start_linebigintThe path to the manifest file.
subjectsjsonbList of references to the objects the role applies to.
tagsjsonbA map of tags for the resource. This includes both labels and annotations.
titletextTitle of the resource.
uidtextUID is the unique in time and space value for this object.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- kubernetes

You can pass the configuration to the command with the --config argument:

steampipe_export_kubernetes --config '<your_config>' kubernetes_role_binding