Using audit2rbac to debug policies
There is a tool called audit2rbac
that can reverse-engineer errors in the audit log into RBAC policy objects. In this section, we’ll use this tool to generate an RBAC policy after discovering that one of our users can’t perform an action they need to be able to do. This is a typical RBAC debugging process and learning how to use this tool can save you hours trying to isolate RBAC issues:
- In the previous chapter, a generic RBAC policy was created to allow all members of the
cn=k8s-cluster-admins,ou=Groups,DC=domain,DC=com
group to be administrators in our cluster. If you’re logged into OpenUnison, log out. - Now, log in again with the username
jjackson
and the passwordstart123
. - Next, click on Sign In. Once you’re logged in, go to the dashboard. Just as when OpenUnison was first deployed, there won’t be any namespaces or other information because the RBAC policy for cluster administrators doesn...