About the Kubernetes RBAC verb matrix
The Kubernetes RBAC verb matrix turns pasted Role and ClusterRole YAML into a quick read on who can do what before you approve an access review. Paste a manifest, select Build matrix, and the tool expands every rule into a row per API group, resource, and verb, each with a risk level and a short reason. It then gives you a Markdown card to drop into a pull request and a CSV of the matrix for a review log.
The point is to make the dangerous grants easy to spot. A wildcard verb, access to secrets, pod exec, or a bind or escalate verb on roles is flagged high so it does not get lost in a long manifest. The parse runs entirely in your browser. The manifest text is not uploaded, logged, or stored, which matters because RBAC rules can reveal namespaces, service accounts, and internal resource names. This is a review aid, not a policy engine, so read the full manifest before you sign off.
How to use
- Copy the Role or ClusterRole YAML you want to review, including the rules block with apiGroups, resources, and verbs.
- Paste the YAML into the box. A sample ClusterRole and Role are loaded so you can see the format the tool expects.
- Select Build matrix to see the object and rule counts, the risk counts, and a per-permission matrix.
- Review the high-risk rows first. These cover wildcard verbs and resources, secrets access, pod exec, and bind or escalate grants.
- Copy the Markdown card into your pull request or download the CSV for your review log, then read the full manifest before you approve the access change.
Worked examples
A rule with verbs set to a single asterisk
A wildcard verb grants every action on the matched resources, so it is flagged high risk. Replace it with the specific verbs the workload actually needs.
A rule granting get and list on secrets
Read access to secrets can expose credentials and tokens, so it is flagged high risk even though get and list are read-only verbs.
A rule granting get, list, and watch on deployments
Read-only access to a normal resource with no wildcard, secrets, exec, or escalation marker is flagged low risk so your attention stays on the grants that widen access.
Frequently asked questions
- Which manifest kinds does it read?
- Role and ClusterRole. Paste one or many separated by the standard YAML document marker. RoleBinding and ClusterRoleBinding subject resolution is a planned follow-up; for now the tool scores the permissions a role grants, not who it is bound to.
- How does it decide the risk level?
- It uses deterministic heuristics. Wildcard verbs, wildcard resources, and wildcard API groups are high risk. Access to secrets, the impersonate verb, bind or escalate verbs, and pod exec, attach, or portforward are high risk. Other write verbs such as create, update, patch, and delete are medium. Read verbs get, list, and watch on a normal resource are low.
- Is my manifest uploaded anywhere?
- No. The parse runs entirely in your browser. The manifest text, resource names, and namespaces are never uploaded, logged, or stored, and they are not included in any analytics. Only coarse, anonymous counts are recorded so we can tell how often the tool is used.
- Can I paste a JSON manifest?
- Not yet. The first version reads YAML Role and ClusterRole manifests with the common rules shape, including flow arrays and multi-line block lists. JSON manifest support is a planned follow-up. For now, paste the YAML form.
- Does this replace an RBAC audit or a policy tool?
- No. It is a fast triage aid that surfaces the grants most likely to widen access. It does not resolve bindings, it does not understand every custom resource, and it does not enforce policy. Always read the full manifest, and keep using your policy-as-code tooling if your team has one.
- Is the Kubernetes RBAC verb matrix free?
- Yes. It is free to use and does not require an account.
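The risk heuristics listed in the FAQ above, applied to rules that have already been parsed from YAML, as an added JavaScript example. It is not the tool's own code; the function names, the constructed sample rules, and the choice to treat every non-read verb as a write verb are assumptions.

```javascript
// Added example, not the tool's source. Rules are assumed to be already
// parsed from YAML into plain objects; no YAML parsing is done here.
const READ_VERBS = new Set(["get", "list", "watch"]);
const HIGH_VERBS = new Set(["impersonate", "bind", "escalate"]);
const HIGH_SUBRESOURCES = new Set(["pods/exec", "pods/attach", "pods/portforward"]);

// Score one (apiGroup, resource, verb) cell. High-risk checks run first so a
// read verb on secrets is still reported as high.
function scoreCell(apiGroup, resource, verb) {
  if (verb === "*") return ["high", "wildcard verb"];
  if (resource === "*") return ["high", "wildcard resource"];
  if (apiGroup === "*") return ["high", "wildcard API group"];
  if (resource === "secrets") return ["high", "secrets access"];
  if (HIGH_VERBS.has(verb)) return ["high", `${verb} verb`];
  if (HIGH_SUBRESOURCES.has(resource)) return ["high", "pod exec, attach, or portforward"];
  if (READ_VERBS.has(verb)) return ["low", "read-only on a normal resource"];
  // Assumption: any verb that is not a read verb counts as a write verb.
  return ["medium", "write verb"];
}

// Expand every rule into one row per API group, resource, and verb.
function buildMatrix(rules) {
  const rows = [];
  for (const rule of rules) {
    for (const apiGroup of rule.apiGroups ?? [""]) {
      for (const resource of rule.resources ?? []) {
        for (const verb of rule.verbs ?? []) {
          const [risk, reason] = scoreCell(apiGroup, resource, verb);
          rows.push({ apiGroup: apiGroup || "core", resource, verb, risk, reason });
        }
      }
    }
  }
  return rows;
}

function riskCounts(rows) {
  const counts = { high: 0, medium: 0, low: 0 };
  for (const row of rows) counts[row.risk] += 1;
  return counts;
}

// Constructed sample rules (not taken from any real cluster).
const sampleRules = [
  { apiGroups: [""], resources: ["secrets"], verbs: ["get", "list"] },
  { apiGroups: ["apps"], resources: ["deployments"], verbs: ["get", "list", "watch"] },
  { apiGroups: ["apps"], resources: ["deployments"], verbs: ["patch"] },
  { apiGroups: [""], resources: ["pods/exec"], verbs: ["create"] },
  { apiGroups: ["rbac.authorization.k8s.io"], resources: ["clusterroles"], verbs: ["bind"] },
  { apiGroups: [""], resources: ["configmaps"], verbs: ["*"] },
];
console.log(riskCounts(buildMatrix(sampleRules)));
```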