liggitt / Audit2rbac

Licence: other
Autogenerate RBAC policies based on Kubernetes audit logs

Programming Languages

go

Projects that are alternatives of or similar to Audit2rbac

Yosai
A Security Framework for Python applications featuring Authorization (rbac permissions and roles), Authentication (2fa totp), Session Management and an extensive Audit Trail
Stars: ✭ 582 (-17.09%)
Mutual labels:  authorization, rbac
Athenz
Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures. Athenz supports provisioning and configuration (centralized authorization) use cases as well as serving/runtime (decentralized authorization) use cases.
Stars: ✭ 570 (-18.8%)
Mutual labels:  authorization, rbac
rbac-react-redux-aspnetcore
A starter template for creating JWT token from ASP.NET Core API project and applying that JWT token authentication on React application
Stars: ✭ 54 (-92.31%)
Mutual labels:  authorization, rbac
react-rbac-ui-manager
react-rbac-ui-manager is a simple RBAC (Role Based Access Control) user interface library based on the material design system using the Material-UI lib.
Stars: ✭ 73 (-89.6%)
Mutual labels:  authorization, rbac
Kubiscan
A tool to scan Kubernetes cluster for risky permissions
Stars: ✭ 659 (-6.13%)
Mutual labels:  authorization, rbac
casbin-ex
An authorization library that supports access control models like ACL, RBAC, ABAC in Elixir
Stars: ✭ 37 (-94.73%)
Mutual labels:  authorization, rbac
sequelize-adapter
Sequelize adapter for Casbin
Stars: ✭ 51 (-92.74%)
Mutual labels:  authorization, rbac
lua-casbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Lua (OpenResty)
Stars: ✭ 43 (-93.87%)
Mutual labels:  authorization, rbac
Casbin Rs
An authorization library that supports access control models like ACL, RBAC, ABAC in Rust.
Stars: ✭ 375 (-46.58%)
Mutual labels:  authorization, rbac
Gorm Adapter
Gorm adapter for Casbin
Stars: ✭ 373 (-46.87%)
Mutual labels:  authorization, rbac
Casbin.net
An authorization library that supports access control models like ACL, RBAC, ABAC in .NET (C#)
Stars: ✭ 535 (-23.79%)
Mutual labels:  authorization, rbac
Wetech Admin
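wetech-admin is a lightweight back-office management system based on Spring Boot 2.0 + Mybatis + Vue, suited to the admin back end of small and medium-sized projects. It supports button-level permission control and provides basic general-purpose features such as user management, role management and permission management; companies or individuals can develop directly on top of it, extending it and adding their own requirements and business functions.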
Stars: ✭ 570 (-18.8%)
Mutual labels:  authorization, rbac
objection-authorize
isomorphic, "magical" authorization integration with Objection.js 🎉
Stars: ✭ 71 (-89.89%)
Mutual labels:  authorization, rbac
speedle-plus
Speedle+ is an open source project for access management. It is based on Speedle open source project and maintained by previous Speedle maintainers.
Stars: ✭ 45 (-93.59%)
Mutual labels:  authorization, rbac
dart-casbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Dart/Flutter
Stars: ✭ 30 (-95.73%)
Mutual labels:  authorization, rbac
Casbin4D
An authorization library that supports access control models like ACL, RBAC, ABAC in Delphi
Stars: ✭ 25 (-96.44%)
Mutual labels:  authorization, rbac
rbac-tool
Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query
Stars: ✭ 546 (-22.22%)
Mutual labels:  authorization, rbac
deflek
index and API RBAC for Elasticsearch and Kibana via reverse proxy. DEPRECATED
Stars: ✭ 13 (-98.15%)
Mutual labels:  authorization, rbac
caddy-authorize
Authorization Plugin for Caddy v2 (JWT/PASETO)
Stars: ✭ 235 (-66.52%)
Mutual labels:  authorization, rbac
Rbac Lookup
Easily find roles and cluster roles attached to any user, service account, or group name in your Kubernetes cluster
Stars: ✭ 477 (-32.05%)
Mutual labels:  authorization, rbac

audit2rbac

Overview

audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
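
The core of that aggregation, sketched as an added Go example (this is not audit2rbac's own code): it reads JSON audit events line by line, keeps the ones made by one user, and collects the verbs used per namespace, API group and resource. The `event` struct, `rulesFor` and the sample log lines are constructed for illustration; the field names follow the audit.k8s.io/v1 Event schema, and the sketch ignores subresources, resource names and cluster-scoped requests.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// event is the subset of an audit.k8s.io/v1 Event needed here (Metadata level is enough).
type event struct {
	Verb      string
	User      struct{ Username string }
	ObjectRef struct{ Resource, Namespace, APIGroup string }
}

// Constructed sample log, one JSON event per line; not the project's sample log.
const sampleLog = `{"stage":"RequestReceived","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"ns1"}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"ns1"}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"ns1"}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"ns1"}}
{"stage":"ResponseComplete","verb":"delete","user":{"username":"bob"},"objectRef":{"resource":"deployments","namespace":"ns1","apiGroup":"apps"}}
not-json
{"stage":"ResponseComplete","verb":"get","user":{"username":"alice"},"requestURI":"/healthz"}`

// rulesFor maps "namespace/apiGroup/resource" (core group is "") to the sorted verbs one user used.
func rulesFor(log, user string) map[string][]string {
	out, seen := map[string][]string{}, map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var e event
		if json.Unmarshal(sc.Bytes(), &e) != nil || e.User.Username != user || e.ObjectRef.Resource == "" {
			continue // malformed line, another user, or a non-resource URL
		}
		key := e.ObjectRef.Namespace + "/" + e.ObjectRef.APIGroup + "/" + e.ObjectRef.Resource
		if !seen[key+" "+e.Verb] { // several stages of one request yield one verb
			seen[key+" "+e.Verb] = true
			out[key] = append(out[key], e.Verb)
		}
	}
	for k := range out {
		sort.Strings(out[k])
	}
	return out
}

func main() {
	fmt.Println(rulesFor(sampleLog, "alice"))
}
```

Each key in the result corresponds to one entry under `rules:` in a generated Role for that namespace, which is why the audit log must exercise every request the user is expected to make.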

User Instructions

  1. Obtain a Kubernetes audit log containing all the API requests you expect your user to perform:

    • The log must be in JSON format. This requires running an API server with an --audit-policy-file defined. See documentation for more details.
    • audit.k8s.io/v1, audit.k8s.io/v1beta1 and audit.k8s.io/v1alpha1 events are supported.
    • The Metadata log level works best to minimize log size.
    • To exercise all API calls, it is sometimes necessary to grant broad access to a user or application to avoid short-circuiting code paths on failed API requests. This should be done cautiously, ideally in a development environment.
    • A sample audit policy and a sample audit log containing requests from alice, bob, and the service account ns1:sa1 are available.
  2. Identify the specific user whose audit events you want to scan and for whom you want to generate roles and role bindings:

    • Specify a normal user with --user <username>
    • Specify a service account with --serviceaccount <namespace>:<name>
  3. Run audit2rbac, capturing the output:

    audit2rbac -f https://git.io/v51iG --user alice             > alice-roles.yaml
    audit2rbac -f https://git.io/v51iG --user bob               > bob-roles.yaml
    audit2rbac -f https://git.io/v51iG --serviceaccount ns1:sa1 > sa1-roles.yaml
    
  4. Inspect the output to verify the generated roles/bindings:

    more alice-roles.yaml
    
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      labels:
        audit2rbac.liggitt.net/generated: "true"
        audit2rbac.liggitt.net/user: alice
      name: audit2rbac:alice
      namespace: ns1
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      - pods
      - secrets
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels:
        audit2rbac.liggitt.net/generated: "true"
        audit2rbac.liggitt.net/user: alice
      name: audit2rbac:alice
      namespace: ns1
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: audit2rbac:alice
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: alice
    
  5. Load the generated roles/bindings:

    kubectl create -f alice-roles.yaml
    
    role "audit2rbac:alice" created
    rolebinding "audit2rbac:alice" created
    

Developer Instructions

Requirements:

  • Go 1.13.x

To build and install from source:

    go get -d github.com/liggitt/audit2rbac
    cd $GOPATH/src/github.com/liggitt/audit2rbac
    git fetch --tags
    make install-deps
    make install