
RBAC Visualization

[Screenshot: RBAC access matrix showing namespace-scoped permissions for a user across resource types (pods, deployments, secrets, services, nodes) and verbs (get, list, watch, create, update, patch, delete, exec) with allowed, denied, and N/A indicators, plus a who-can query example]

The RBAC explorer renders a namespace × resource × verb access matrix. Each cell shows whether a subject (user, group, or service account) has access to perform a specific verb on a resource type.

Verbs covered: get, list, watch, create, update, patch, delete, deletecollection, exec. Note that exec is not an RBAC verb of its own: the API server authorizes exec as create on the pods/exec subresource, so that column reflects a rule granting create on pods/exec (or a wildcard that covers it).

Select a resource type and verb to see every subject that has access. Results include:

  • Direct RoleBinding matches
  • ClusterRoleBinding grants, which are cluster-wide and therefore apply in this namespace as well
  • Wildcard resolution (* in verbs, resources, or apiGroups)

Click any role to see its full rule set expanded, including:

  • Inherited rules from aggregated ClusterRoles
  • Wildcard implications
  • Case-insensitive subject matching for IdP-provisioned names. This is a display convenience for spotting bindings whose casing differs from what the IdP sends; the API server itself compares subject names exactly, so a binding that matches only case-insensitively grants nothing at enforcement time
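The resolution described above, written out as an added offline example (not KubeGlass code): a small resolver over constructed Role, ClusterRole, RoleBinding and ClusterRoleBinding objects that builds the namespace × resource × verb matrix for a subject and answers a who-can query. It covers direct RoleBindings, ClusterRoleBindings, ClusterRoles granted through a RoleBinding, aggregated ClusterRoles, and `*` wildcards, and it encodes two points made above: exec is evaluated as create on pods/exec, and subject names are compared exactly, so a differently cased name gets nothing. All object names, labels and subjects are invented for the example.

```python
from dataclasses import dataclass

# Constructed sample RBAC objects (not from any real cluster), trimmed to the fields the resolver reads.
ROLES = {  # (namespace, name) -> rules, shaped like rbac.authorization.k8s.io/v1 Role objects
    ("prod", "pod-reader"): [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}],
    ("prod", "deployer"): [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
                           {"apiGroups": [""], "resources": ["*/exec"], "verbs": ["create"]}],
}
CLUSTER_ROLES = {  # name -> spec; "ops" has no rules of its own and aggregates the others by label
    "view-secrets": {"labels": {"agg/ops": "true"}, "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    "node-viewer": {"labels": {"agg/ops": "true"}, "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]},
    "ops": {"rules": [], "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {"agg/ops": "true"}}]}},
    "cluster-admin": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
}
ROLE_BINDINGS = [
    {"namespace": "prod", "roleRef": {"kind": "Role", "name": "pod-reader"}, "subjects": [{"kind": "User", "name": "alice"}]},
    {"namespace": "prod", "roleRef": {"kind": "Role", "name": "deployer"}, "subjects": [{"kind": "Group", "name": "deployers"}]},
    {"namespace": "staging", "roleRef": {"kind": "ClusterRole", "name": "view-secrets"}, "subjects": [{"kind": "User", "name": "alice"}]},
]
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "ops"}, "subjects": [{"kind": "Group", "name": "sre"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": [{"kind": "ServiceAccount", "name": "admin", "namespace": "kube-system"}]},
]
RESOURCES = {"pods": "", "deployments": "apps", "secrets": "", "services": "", "nodes": ""}  # matrix rows -> API group
CLUSTER_SCOPED = {"nodes"}  # cluster-scoped requests carry no namespace, so RoleBindings can never grant them
VERBS = ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "exec"]  # matrix columns


@dataclass(frozen=True)
class Identity:  # what the authenticator hands the authorizer: a user name plus group names
    user: str
    groups: frozenset

def subject_matches(subject, ident):
    """Binding subject vs. caller. The RBAC authorizer compares with plain ==, so casing must match exactly."""
    kind, name = subject["kind"], subject["name"]
    if kind == "ServiceAccount":  # a service account authenticates as this user name
        name = f"system:serviceaccount:{subject['namespace']}:{name}"
    return name in ident.groups if kind == "Group" else name == ident.user

def cluster_role_rules(name):
    """Rules of a ClusterRole plus those inherited through its aggregationRule label selectors."""
    spec = CLUSTER_ROLES[name]
    rules = list(spec["rules"])
    for sel in spec.get("aggregationRule", {}).get("clusterRoleSelectors", []):
        for other, ospec in CLUSTER_ROLES.items():
            if other != name and all(ospec.get("labels", {}).get(k) == v for k, v in sel["matchLabels"].items()):
                rules.extend(ospec["rules"])
    return rules

def rule_matches(rule, api_group, resource, verb):
    """PolicyRule match: '*' wildcards in verbs, apiGroups and resources, plus the '*/subresource' form."""
    hit = lambda wanted, have: "*" in have or wanted in have
    if not (hit(verb, rule["verbs"]) and hit(api_group, rule["apiGroups"])):
        return False
    return hit(resource, rule["resources"]) or ("/" in resource and "*/" + resource.split("/", 1)[1] in rule["resources"])

def effective_bindings(namespace):
    """Yield (source, subjects, rules) for every binding that can grant a request in `namespace` ('' = cluster-scoped)."""
    for crb in CLUSTER_ROLE_BINDINGS:  # cluster-wide, so they apply in every namespace and at cluster scope
        ref = crb["roleRef"]["name"]
        yield f"ClusterRoleBinding/{ref}", crb["subjects"], cluster_role_rules(ref)
    for rb in ROLE_BINDINGS:
        if namespace and rb["namespace"] == namespace:
            ref = rb["roleRef"]  # may reference a ClusterRole; its rules then apply only inside this namespace
            rules = cluster_role_rules(ref["name"]) if ref["kind"] == "ClusterRole" else ROLES[(namespace, ref["name"])]
            yield f"RoleBinding/{namespace}/{ref['name']}", rb["subjects"], rules

def to_request(resource, verb, namespace):
    """Matrix cell -> (apiGroup, resource, verb, namespace) the API server authorizes, or None for an N/A cell."""
    if verb == "exec":  # not an RBAC verb: the server checks 'create' on the pods/exec subresource
        return ("", "pods/exec", "create", namespace) if resource == "pods" else None
    return (RESOURCES[resource], resource, verb, "" if resource in CLUSTER_SCOPED else namespace)

def can(ident, resource, verb, namespace):
    """One matrix cell. RBAC is allow-only: the first binding matching both subject and rule decides."""
    req = to_request(resource, verb, namespace)
    if req is None:
        return "N/A"
    group, res, v, ns = req
    for _, subjects, rules in effective_bindings(ns):
        if any(subject_matches(s, ident) for s in subjects) and any(rule_matches(r, group, res, v) for r in rules):
            return "allowed"
    return "denied"

def access_matrix(ident, namespace):
    return {res: {verb: can(ident, res, verb, namespace) for verb in VERBS} for res in RESOURCES}

def who_can(resource, verb, namespace):
    """Who-can query: subject -> bindings granting (verb, resource). Groups stay groups; only the IdP can expand them."""
    req, found = to_request(resource, verb, namespace), {}
    if req is None:
        return found
    group, res, v, ns = req
    for source, subjects, rules in effective_bindings(ns):
        if any(rule_matches(r, group, res, v) for r in rules):
            for s in subjects:
                prefix = s["namespace"] + "/" if s["kind"] == "ServiceAccount" else ""
                found.setdefault(f"{s['kind']}:{prefix}{s['name']}", []).append(source)
    return found
```

With these objects, `access_matrix(Identity("alice", frozenset({"system:authenticated"})), "prod")` lights up only get/list/watch on pods, `can(..., "secrets", "exec", "prod")` is N/A, and the nodes row is evaluated as a cluster-scoped request, so only ClusterRoleBindings (here the aggregated `ops` role bound to group `sre`) can ever light it up. `who_can("pods", "exec", "prod")` returns the `deployers` group via its RoleBinding and the `kube-system/admin` service account via cluster-admin; a who-can result lists groups as groups, because the cluster holds no group membership data.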

Test another user’s access from the UI without switching accounts:

  1. Open the RBAC explorer
  2. Enter a username or group to impersonate
  3. The access matrix updates to show what that subject can do

This uses the Kubernetes impersonation headers (Impersonate-User and Impersonate-Group): the API server evaluates its real RBAC rules for the impersonated subject, not a local simulation. Two consequences follow. Impersonation is itself RBAC-gated, so the identity KubeGlass presents to the API server must hold the impersonate verb on users and groups (and on serviceaccounts to impersonate a service account); that is a powerful grant, so scope it with resourceNames where possible. And every impersonated request appears in the API server audit log with both the impersonating identity and the impersonated user, so these checks remain attributable.
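What those impersonation headers look like on the wire, as an added example that is not KubeGlass's own code: it builds the SelfSubjectAccessReview request a UI would POST with Impersonate-User and Impersonate-Group headers, maps the exec column to create on pods/exec, and reads the server's answer. Nothing here contacts a cluster; the sample responses are constructed. One detail it encodes: the API server adds system:authenticated to an impersonated user only when no Impersonate-Group header is sent, so a caller passing explicit groups must include it, or the impersonated identity loses the grants bound to that group, among them system:basic-user, which is what allows creating a SelfSubjectAccessReview at all.

```python
import json

# Added example, not KubeGlass code: the SelfSubjectAccessReview exchange behind an impersonated
# access check. Nothing here talks to a cluster; the sample responses below are constructed.
SSAR_PATH = "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"
AUTHENTICATED = "system:authenticated"


def impersonation_headers(user, groups=(), extras=None):
    """Headers that make the API server authorize the request as `user` instead of the caller.
    Returned as (name, value) pairs because Impersonate-Group is repeated once per group."""
    groups = list(groups)
    # The server adds system:authenticated itself only when no Impersonate-Group header is sent.
    # Once groups are listed explicitly, the caller must include it, or the impersonated identity
    # loses every grant bound to that group (system:basic-user among them, which is what permits
    # creating a SelfSubjectAccessReview in the first place).
    if groups and AUTHENTICATED not in groups:
        groups.append(AUTHENTICATED)
    headers = [("Impersonate-User", user)] + [("Impersonate-Group", g) for g in groups]
    for key, values in (extras or {}).items():  # e.g. {"scopes": ["view"]} -> Impersonate-Extra-scopes
        headers += [(f"Impersonate-Extra-{key}", v) for v in values]
    return headers


def access_review_request(user, groups, verb, resource, namespace, api_group="", subresource=""):
    """The request a UI would send for one matrix cell: method, path, headers and the (unserialized) body.
    The server evaluates its real RBAC rules for the impersonated subject and answers in status.allowed."""
    attrs = {"namespace": namespace, "verb": verb, "group": api_group, "resource": resource}
    if subresource:
        attrs["subresource"] = subresource
    body = {"apiVersion": "authorization.k8s.io/v1", "kind": "SelfSubjectAccessReview",
            "spec": {"resourceAttributes": attrs}}
    headers = impersonation_headers(user, groups) + [("Content-Type", "application/json")]
    return {"method": "POST", "path": SSAR_PATH, "headers": headers, "body": body}


def exec_review_request(user, groups, namespace):
    """The matrix's exec column: RBAC has no exec verb, so the check is create on pods/exec."""
    return access_review_request(user, groups, "create", "pods", namespace, subresource="exec")


def read_access_review(http_status, response_body):
    """Map the server's answer to a matrix cell. A 403 on the review itself is not a 'denied' cell:
    it means the caller may not impersonate (no impersonate verb on users/groups), or the
    impersonated identity may not create SelfSubjectAccessReviews at all."""
    if http_status == 403:
        return "error", "impersonation or SelfSubjectAccessReview creation refused for the caller"
    status = json.loads(response_body).get("status", {})
    if status.get("evaluationError"):
        return "error", status["evaluationError"]
    return ("allowed" if status.get("allowed") else "denied"), status.get("reason", "")


# Constructed responses in the shape the API server returns (not captured from a real cluster).
SAMPLE_ALLOWED = json.dumps({"kind": "SelfSubjectAccessReview", "status": {
    "allowed": True, "reason": 'RBAC: allowed by RoleBinding "pod-reader/prod" of Role "pod-reader" to User "alice"'}})
SAMPLE_DENIED = json.dumps({"kind": "SelfSubjectAccessReview", "status": {"allowed": False}})
```

A whole matrix is one such request per cell, each sent with the caller's own credentials plus the impersonation headers; the HTTP client serializes `body` as JSON. Keep the 403 case separate from a denied cell in the UI, because it says something about the KubeGlass identity, not about the user being inspected.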

For RBAC visualization to work fully, the KubeGlass service account needs list and get permissions on roles, clusterroles, rolebindings, and clusterrolebindings in the rbac.authorization.k8s.io API group. The Helm chart includes these permissions by default.
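The permissions above expressed as a ClusterRole and binding, as an added illustration rather than the Helm chart's own template (which this page does not show); the object, service account and namespace names are assumptions. The second rule is not part of the read-only requirement: it is what the impersonation feature additionally needs, and it is shown so that the two grants are not confused.

```yaml
# Illustrative manifest (added example, not the KubeGlass Helm chart); names are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubeglass-rbac-reader
rules:
  # Read-only view of the RBAC objects the explorer resolves. This is the only rule the
  # visualization itself needs.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings"]
    verbs: ["get", "list"]
  # Only for "test another user's access": impersonation is RBAC-gated and powerful, since the
  # holder can act as any user or group it covers. Narrow it with resourceNames where you can;
  # add "serviceaccounts" here only if service accounts must be impersonated too.
  - apiGroups: [""]
    resources: ["users", "groups"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubeglass-rbac-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubeglass-rbac-reader
subjects:
  - kind: ServiceAccount
    name: kubeglass        # assumed service account name
    namespace: kubeglass   # assumed namespace
```

Auditing the impersonate rule is worthwhile on its own: a ClusterRole that can impersonate arbitrary users is effectively as strong as the most privileged user it can name, so the who-can view for the impersonate verb is a useful place to check that only KubeGlass holds it.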