GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → cyberark → kubernetes-rbac-audit

cyberark / kubernetes-rbac-audit

Licence: Apache-2.0 license
Tool for auditing RBACs in Kubernetes

Programming Languages

python
139335 projects - #7 most used programming language

ExtensiveRoleCheck

ExtensiveRoleCheck is a Python tool that scans the Kubernetes RBAC for risky roles. The tool is a part of the "Kubernetes Pentest Methdology" blog post series.

usage: ExtensiveRoleCheck.py [-h] [--clusterRole CLUSTERROLE] [--role ROLE]  
                           [--rolebindings ROLEBINDINGS]  
                           [--cluseterolebindings CLUSETEROLEBINDINGS]

Overview

Status: Alpha

The RBAC API is a set of roles that administrators can configure to limit access to the Kubernetes resources. The ExtensiveRoleCheck automates the searching process and outputs the risky roles and rolebindings found in the RBAC API.

Requirements:

ExtensiveRoleCheck requires python3

ExtensiveRoleCheck works in offline mode. This means that you should first export the following JSON from your Kubernetes cluster configuration:

  • Roles
  • ClusterRoles
  • RoleBindings
  • ClusterRoleBindings

To export those files you will need access permissions in the Kubernetes cluster. To export them, you might use the following commands: Export RBAC Roles:

kubectl get roles --all-namespaces -o json > Roles.json

Export RBAC ClusterRoles:

kubectl get clusterroles -o json > clusterroles.json

Export RBAC RolesBindings:

kubectl get rolebindings --all-namespaces -o json > rolebindings.json

Export RBAC Cluster RolesBindings:

kubectl get clusterrolebindings -o json > clusterrolebindings.json

example & output:

Usage

python ExtensiveRoleCheck.py --clusterRole clusterroles.json  --role Roles.json --rolebindings rolebindings.json --cluseterolebindings clusterrolebindings.json

Output example

Maintainers:

Or Ida: [email protected]

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].