Idea: RBAC visibility — access review + cluster-wide summary #270
nadaverell started this conversation in Ideas
Replies: 0 comments
Problem
Radar already renders individual Roles and RoleBindings well — you can inspect a specific role, see its verbs and resources, and browse its subjects. But there are two common RBAC workflows it does not support:
1. "Does this service account actually have permission to do X?"
This is the most frequent RBAC debugging question. The answer requires reading multiple roles and bindings across potentially several namespaces and mentally joining them. It is tedious and error-prone to do by hand.
2. "Who has access to what across this cluster?"
There is no way in Radar today to get a synthesized view of all bindings — which subjects have which roles, at what scope. You have to browse individual RoleBinding and ClusterRoleBinding resources one at a time.
Idea
Access review checker
A simple form where you specify:
And Radar tells you: allowed or denied, with the reasoning from the API.
This is backed by the Kubernetes SubjectAccessReview and LocalSubjectAccessReview APIs — a single API call, no additional RBAC required beyond what Radar already uses.
Cluster-wide RBAC summary
A dedicated view that aggregates all RoleBindings and ClusterRoleBindings into a searchable, filterable table: who has what role, at what scope, expandable to show the actual permission rules. Useful for security reviews and audits.
Why it matters
These fill the gap between "I can see the RBAC resources" and "I can reason about RBAC in my cluster." The access review checker in particular is a concrete debugging tool for a question that comes up constantly when services start returning 403s.
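Added example, not Radar's code and not part of the original post: the two workflows the post describes, worked against plain Kubernetes API objects in Python with only the standard library. It builds the SubjectAccessReview body the access-review checker would POST, joins Roles, ClusterRoles, RoleBindings and ClusterRoleBindings into the "who has which role at what scope" rows of the cluster-wide summary, and answers the "can this service account do X?" question offline from those rows. The function names, the Grant row shape and every Role/Binding object are assumptions constructed for the example; the local can_i only covers resource requests (no nonResourceURLs, no aggregated ClusterRoles), so the API server's SubjectAccessReview answer stays authoritative.

```python
# Added example, not Radar's own code: the two RBAC workflows from the post worked
# against plain Kubernetes API objects using only the standard library. Every
# Role/Binding object here is constructed sample data, not taken from a cluster.
from __future__ import annotations
from dataclasses import dataclass

SA_PREFIX = "system:serviceaccount:"

def sa_identity(namespace: str, name: str) -> tuple[str, list[str]]:
    """Username and groups the API server derives from a ServiceAccount token; a review names these."""
    return (f"{SA_PREFIX}{namespace}:{name}",
            ["system:serviceaccounts", f"system:serviceaccounts:{namespace}", "system:authenticated"])

def subject_access_review(user: str, groups: list[str], verb: str, resource: str,
                          namespace: str = "", group: str = "", name: str = "") -> dict:
    """Body for POST /apis/authorization.k8s.io/v1/subjectaccessreviews. The same spec is
    accepted as a LocalSubjectAccessReview under /namespaces/<ns>/localsubjectaccessreviews
    (kind changes, metadata.namespace must equal <ns>). The server fills status.allowed/denied/reason."""
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SubjectAccessReview",
            "spec": {"user": user, "groups": groups,
                     "resourceAttributes": {"namespace": namespace, "verb": verb, "group": group,
                                            "resource": resource, "name": name}}}

@dataclass
class Grant:          # one row of the cluster-wide summary (assumed shape)
    subject: str      # "ServiceAccount:ns/name", "User:alice" or "Group:devs"
    role: str         # "ClusterRole:view" or "Role:ns/name"
    scope: str        # namespace the grant applies in, or "*" for every namespace
    rules: list[dict]

def _subject_key(s: dict) -> str:
    ns = f"{s['namespace']}/" if s["kind"] == "ServiceAccount" else ""
    return f"{s['kind']}:{ns}{s['name']}"

def summarize(roles, cluster_roles, role_bindings, cluster_role_bindings) -> list[Grant]:
    """Join every binding to the rules of the role it references. Caveat the table must get
    right: a RoleBinding to a ClusterRole grants those rules only in the binding's namespace."""
    rules_by_ref = {("ClusterRole", r["metadata"]["name"]): r["rules"] for r in cluster_roles}
    for r in roles:
        rules_by_ref[("Role", f"{r['metadata']['namespace']}/{r['metadata']['name']}")] = r["rules"]
    grants: list[Grant] = []
    for b in role_bindings + cluster_role_bindings:
        ns = b["metadata"].get("namespace")         # absent on a ClusterRoleBinding
        ref = b["roleRef"]
        key = (ref["kind"], ref["name"] if ref["kind"] == "ClusterRole" else f"{ns}/{ref['name']}")
        rules = rules_by_ref.get(key, [])           # dangling roleRef grants nothing
        for s in b.get("subjects") or []:
            grants.append(Grant(_subject_key(s), f"{key[0]}:{key[1]}", ns or "*", rules))
    return grants

def _rule_matches(rule: dict, verb: str, group: str, resource: str, name: str) -> bool:
    """PolicyRule matching as the RBAC authorizer does it: '*' wildcards in verbs, apiGroups and
    resources, '*/sub' for a subresource on any resource, resourceNames (when set) limits to names."""
    def hit(key: str, want: str) -> bool:
        return "*" in rule.get(key, []) or want in rule.get(key, [])
    _, _, sub = resource.partition("/")
    if not (hit("verbs", verb) and hit("apiGroups", group)
            and (hit("resources", resource) or (sub and f"*/{sub}" in rule.get("resources", [])))):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names

def can_i(grants: list[Grant], user: str, groups: list[str], verb: str, resource: str,
          namespace: str = "", group: str = "", name: str = "") -> tuple[bool, str]:
    """Offline answer to 'does this subject have permission to do X?': any grant that applies to
    the subject in this namespace and has a matching rule allows; RBAC has no deny rules."""
    subjects = {f"User:{user}", *(f"Group:{g}" for g in groups)}
    if user.startswith(SA_PREFIX):
        sa_ns, _, sa_name = user[len(SA_PREFIX):].partition(":")
        subjects.add(f"ServiceAccount:{sa_ns}/{sa_name}")
    for g in grants:
        if g.subject in subjects and g.scope in ("*", namespace):
            for rule in g.rules:
                if _rule_matches(rule, verb, group, resource, name):
                    return True, f"allowed by {g.role} bound in scope {g.scope}"
    return False, "no RBAC rule grants this"

# Constructed sample cluster in the shape of `kubectl get ... -o json` items (not real objects).
ROLES = [{"metadata": {"namespace": "prod", "name": "pod-reader"},
          "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}]
CLUSTER_ROLES = [{"metadata": {"name": "view"}, "rules": [{"apiGroups": [""], "verbs": ["get", "list", "watch"],
                                                           "resources": ["pods", "services", "pods/log"]}]}]
ROLE_BINDINGS = [
    {"metadata": {"namespace": "prod", "name": "api-reads-pods"}, "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "prod", "name": "api"}]},
    {"metadata": {"namespace": "staging", "name": "devs-view"}, "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "developers"}]}]
CLUSTER_ROLE_BINDINGS = [{"metadata": {"name": "ops-view"}, "roleRef": {"kind": "ClusterRole", "name": "view"},
                          "subjects": [{"kind": "User", "name": "ops"}]}]
GRANTS = summarize(ROLES, CLUSTER_ROLES, ROLE_BINDINGS, CLUSTER_ROLE_BINDINGS)

if __name__ == "__main__":
    user, groups = sa_identity("prod", "api")
    print(subject_access_review(user, groups, "list", "pods", namespace="staging"))
    for g in GRANTS:
        print(f"{g.subject:28} {g.role:22} scope={g.scope}")
    print(can_i(GRANTS, user, groups, "list", "pods", namespace="staging"))
```

Two points worth checking in any real implementation: the subject of a review for a service account is the derived username system:serviceaccount:ns:name plus its groups, not the ServiceAccount object, and the group developers above can read pods in staging but not in prod even though it is bound to the ClusterRole view, because the binding is a namespaced RoleBinding. Submitting the built body needs create on subjectaccessreviews in authorization.k8s.io, which is what the server checks for the caller.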