turbot/kubernetes_insights

Query: roles_for_rbac

Usage

powerpipe query kubernetes_insights.query.roles_for_rbac

SQL

select
distinct role.uid as uid
from
kubernetes_cluster_role_binding as b,
kubernetes_cluster_role as role,
kubernetes_service_account as a,
jsonb_array_elements(subjects) as s,
jsonb_array_elements(rules) as r,
jsonb_array_elements_text(r -> 'resources') as re,
jsonb_array_elements_text(r -> 'verbs') as v
where
role.name = b.role_name
and (s ->> 'kind' <> 'ServiceAccount' or s ->> 'name' in (select name from kubernetes_service_account))
and b.context_name = role.context_name
and (v in (select unnest (string_to_array($1, ',')::text[])) or v = '*')
and (re in (select unnest (string_to_array($2, ',')::text[])) or re = '*')
and b.context_name in (select unnest (string_to_array($3, ',')::text[]))
union
select
distinct role.uid as uid
from
kubernetes_role_binding as b,
kubernetes_role as role,
kubernetes_service_account as a,
jsonb_array_elements(subjects) as s,
jsonb_array_elements(rules) as r,
jsonb_array_elements_text(r -> 'resources') as re,
jsonb_array_elements_text(r -> 'verbs') as v
where
role.name = b.role_name
and (s ->> 'kind' <> 'ServiceAccount' or s ->> 'name' in (select name from kubernetes_service_account))
and b.context_name = role.context_name
and (v in (select unnest (string_to_array($1, ',')::text[])) or v = '*')
and (re in (select unnest (string_to_array($2, ',')::text[])) or re = '*')
and b.context_name in (select unnest (string_to_array($3, ',')::text[]))

Params

ArgsNameDefaultDescriptionVariable
$1verb
    $2resource
      $3cluster_context