Kubernetes RBAC plugin

Overview

This purpose of this plugin is to help kubernetes admin interact with RBAC (Role-Based Access Control) and fine-tune permissions for users and service-accounts on pods.

You can take a look at the blogpost where we go through basic concepts of RBAC and motiviation for this tool

Installation

This tool can used as a standalone tool or k8s plugin. You can read about Kubernetes Plugin framework here.

cd ~/.kube/
mkdir plugins
cd plugins
git clone [email protected]:octarinesec/kubectl-rbac.git \
    && cd kubectl-rbac && virtualenv -p python3.6 venv && source venv/bin/activate && pip install -r requirements.txt

Example & Usage

Help

kubectl plugin rbac --help

Output:

Inspect RBAC related properties

Available Commands:
  get-audited-permissions Get used permissions as audited in the audit-log
  get-permissions         Get permissions for user
  get-roles               Get roles for user

Usage:
  kubectl plugin rbac [options]

Use "kubectl <command> --help" for more information about a given command.
Use "kubectl options" for a list of global command-line options (applies to all commands).

Get Permissions for user/service-account

kubectl plugin rbac get-permissions [email protected]

Output

[[{'apiGroups': [''],
  'resources': ['clusterrolebindings',
                'clusterroles',
                'roles',
                'rolebindings'],
  'verbs': ['list']
  },
 {'apiGroups': [''],
  'resources': ['clusterroles', 'clusterrolebindings'],
  'verbs': ['get']
  }]]

Get roles (cluster-roles and roles) for user/service-account

kubectl plugin rbac get-roles [email protected]

Output

['octarine-role:[email protected]']

Get used permissions for user from audit-log

This assumes the audit log is enabled for the data you would like to analyze.

• k8s Documentation.
• Google Cloud specific documentation.

kubectl plugin rbac get-audited-permissions [email protected] kubectl_rbac/tests/audit_log.json

Output

 {...
 'rbac.authorization.k8s.io/v1/clusterroles/system:basic-user': {'io.k8s.authorization.rbac.v1.clusterroles.get'},
 'rbac.authorization.k8s.io/v1/clusterroles/system:certificates.k8s.io:certificatesigningrequests:nodeclient': {'io.k8s.authorization.rbac.v1.clusterroles.get'},
 'rbac.authorization.k8s.io/v1/clusterroles/system:certificates.k8s.io:certificatesigningrequests:selfnodeclient': {'io.k8s.authorization.rbac.v1.clusterroles.get'},
 'rbac.authorization.k8s.io/v1/clusterroles/system:controller:attachdetach-controller': {'io.k8s.authorization.rbac.v1.clusterroles.get'},
 'rbac.authorization.k8s.io/v1/namespaces/default/rolebindings': {'io.k8s.authorization.rbac.v1.rolebindings.list'},
 'rbac.authorization.k8s.io/v1/namespaces/default/roles': {'io.k8s.authorization.rbac.v1.roles.list'}}

Get least privilege yaml for specific user based on the audit log

kubectl plugin rbac get-least-privilege [email protected] kubectl_rbac/tests/audit_log.json

Output

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: octarine:[email protected]
  namespace: default
rules:
- apiGroups:
  - ''
  resources:
  - clusterroles
  - clusterrolebindings
  - rolebindings
  - roles
  verbs:
  - list
- apiGroups:
  - ''
  resources:
  - clusterroles
  - clusterrolebindings
  verbs:
  - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: octarine:[email protected]
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: octarine:[email protected]
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: [email protected]

You can pipe this output to roles.yaml and run bash kubectl -f create roles.yaml

Get unused privileges for specific user based on the audit log

kubectl plugin rbac get-unused-permissions [email protected] kubectl_rbac/tests/audit_log.json

Output

{'create': set(),
 'delete': set(),
 'get': set(),
 'list': set(),
 'patch': set(),
 'update': set(),
 'watch': set()}

We can see that our user is configured properly and he has the least privilege permissions

Testing

nosetests