octarinesec / Kubectl Rbac
Licence: mit
Kubernetes RBAC plugin
Overview
The purpose of this plugin is to help Kubernetes admins interact with RBAC (Role-Based Access Control) and fine-tune permissions for users and service accounts on pods.
You can take a look at the blog post where we go through the basic concepts of RBAC and the motivation for this tool.
Installation
This tool can be used as a standalone tool or as a kubectl plugin. You can read about the Kubernetes plugin framework here.
cd ~/.kube/
mkdir plugins
cd plugins
git clone git@github.com:octarinesec/kubectl-rbac.git \
&& cd kubectl-rbac && virtualenv -p python3.6 venv && source venv/bin/activate && pip install -r requirements.txt
Example & Usage
Help
kubectl plugin rbac --help
Output:
Inspect RBAC related properties
Available Commands:
get-audited-permissions Get used permissions as audited in the audit-log
get-permissions Get permissions for user
get-roles Get roles for user
Usage:
kubectl plugin rbac [options]
Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).
Get Permissions for user/service-account
kubectl plugin rbac get-permissions [email protected]
Output
[[{'apiGroups': [''],
   'resources': ['clusterrolebindings',
                 'clusterroles',
                 'roles',
                 'rolebindings'],
   'verbs': ['list']},
  {'apiGroups': [''],
   'resources': ['clusterroles', 'clusterrolebindings'],
   'verbs': ['get']}]]
Get roles (cluster-roles and roles) for user/service-account
kubectl plugin rbac get-roles [email protected]
Output
['octarine-role:[email protected]']
Get used permissions for user from audit-log
This assumes audit logging is enabled on the cluster and covers the data you would like to analyze.
- k8s Documentation.
- Google Cloud specific documentation.
kubectl plugin rbac get-audited-permissions [email protected] kubectl_rbac/tests/audit_log.json
Output
{...
'rbac.authorization.k8s.io/v1/clusterroles/system:basic-user': {'io.k8s.authorization.rbac.v1.clusterroles.get'},
'rbac.authorization.k8s.io/v1/clusterroles/system:certificates.k8s.io:certificatesigningrequests:nodeclient': {'io.k8s.authorization.rbac.v1.clusterroles.get'},
'rbac.authorization.k8s.io/v1/clusterroles/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient': {'io.k8s.authorization.rbac.v1.clusterroles.get'},
'rbac.authorization.k8s.io/v1/clusterroles/system:controller:attachdetach-controller': {'io.k8s.authorization.rbac.v1.clusterroles.get'},
'rbac.authorization.k8s.io/v1/namespaces/default/rolebindings': {'io.k8s.authorization.rbac.v1.rolebindings.list'},
'rbac.authorization.k8s.io/v1/namespaces/default/roles': {'io.k8s.authorization.rbac.v1.roles.list'}}
Get least-privilege YAML for a specific user based on the audit log
kubectl plugin rbac get-least-privilege [email protected] kubectl_rbac/tests/audit_log.json
Output
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: octarine:[email protected]
  namespace: default
rules:
- apiGroups:
  - ''
  resources:
  - clusterroles
  - clusterrolebindings
  - rolebindings
  - roles
  verbs:
  - list
- apiGroups:
  - ''
  resources:
  - clusterroles
  - clusterrolebindings
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: octarine:[email protected]
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: octarine:[email protected]
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]
You can redirect this output to roles.yaml and apply it with kubectl create -f roles.yaml
Get unused permissions for a specific user based on the audit log
kubectl plugin rbac get-unused-permissions [email protected] kubectl_rbac/tests/audit_log.json
Output
{'create': set(),
'delete': set(),
'get': set(),
'list': set(),
'patch': set(),
'update': set(),
'watch': set()}
We can see that this user is configured properly and has least-privilege permissions: for every verb, the set of granted-but-unused permissions is empty.
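As an added example (not the project's own code), the audit-log analysis behind get-audited-permissions, get-least-privilege and get-unused-permissions can be reconstructed like this: parse audit.k8s.io/v1 events, keep only completed, authorized resource requests made by the given user, diff the result against the RBAC rules the user was granted, and emit a Role that grants exactly what was used. The user name, resources and rule set are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample of Kubernetes audit events (audit.k8s.io/v1 Event objects, one JSON
# object per line). User names and resources are hypothetical, not from the project's test log.
_EVENTS = [
    {"stage": "ResponseComplete", "verb": "list", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "pods", "namespace": "default", "apiGroup": ""},
     "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "get", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-0", "apiGroup": ""},
     "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "delete", "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "web-0", "apiGroup": ""},
     "responseStatus": {"code": 403}},  # denied by RBAC, so not a permission in use
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _EVENTS)
VERBS = ("create", "delete", "get", "list", "patch", "update", "watch")


def used_permissions(audit_log, username):
    """Map (apiGroup, resource) -> set of verbs the user successfully exercised."""
    used = defaultdict(set)
    for line in audit_log.splitlines():
        ev = json.loads(line)
        ref = ev.get("objectRef")
        # Keep only completed, authorized resource requests made by this user
        if (ev.get("stage") != "ResponseComplete" or ev["user"]["username"] != username
                or ref is None or ev.get("responseStatus", {}).get("code", 500) >= 400):
            continue
        used[(ref.get("apiGroup", ""), ref["resource"])].add(ev["verb"])
    return dict(used)


def unused_permissions(granted_rules, used):
    """Per verb, the group/resource pairs granted by RBAC rules but never used."""
    unused = {verb: set() for verb in VERBS}
    for rule in granted_rules:
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                for verb in rule["verbs"]:
                    if verb not in used.get((group, resource), set()):
                        unused[verb].add(f"{group or 'core'}/{resource}")
    return unused


def least_privilege_role(name, namespace, used):
    """Build a Role manifest (as a dict) granting exactly the used permissions."""
    rules = [{"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
             for (group, resource), verbs in sorted(used.items())]
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": name, "namespace": namespace}, "rules": rules}
```

Feeding the generated Role's rules back into unused_permissions yields an empty set for every verb, which is the "configured properly" state shown in the output above.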
Testing
nosetests