Skip to content

PalindromeLabs/kubernetes-rbac-audit

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

47 Commits

.gitignore

.gitignore

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

ExtensiveRoleCheck.py

ExtensiveRoleCheck.py

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

get_all_roles_and_bindings.sh

get_all_roles_and_bindings.sh

 
 

output-example.png

output-example.png

 
 

requirements.txt

requirements.txt

 
 

Repository files navigation

ExtensiveRoleCheck

ExtensiveRoleCheck is a Python tool that scans the Kubernetes RBAC for risky roles.

usage: ExtensiveRoleCheck.py [-h] [--clusterRole CLUSTERROLE] [--role ROLE] [--rolebindings ROLEBINDINGS] [--clusterrolebindings CLUSTERROLEBINDINGS] [--pods PODS]
                             [--outputjson [OUTPUTJSON]]

optional arguments:
  -h, --help            show this help message and exit
  --clusterRole CLUSTERROLE
                        ClusterRoles JSON file
  --role ROLE           roles JSON file
  --rolebindings ROLEBINDINGS
                        RoleBindings JSON file
  --clusterrolebindings CLUSTERROLEBINDINGS
                        ClusterRoleBindings JSON file
  --pods PODS           pods JSON file
  --outputjson [OUTPUTJSON]
                        Produce json files with audit report

Overview

Status: Alpha

The RBAC API is a set of roles that administrators can configure to limit access to the Kubernetes resources. The ExtensiveRoleCheck automates the searching process and outputs the risky roles and rolebindings found in the RBAC API.

Requirements:

ExtensiveRoleCheck requires python3

ExtensiveRoleCheck works in offline mode. This means that you should first export the following JSON from your Kubernetes cluster configuration:

  • Roles
  • ClusterRoles
  • RoleBindings
  • ClusterRoleBindings
  • Pods

To export those files you will need access permissions in the Kubernetes cluster. To export them, you might use the following commands: (NOTE: The --all-namespaces argument is optional)

Export RBAC Roles:

kubectl get roles --all-namespaces -o json > Roles.json

Export RBAC ClusterRoles:

kubectl get clusterroles -o json > clusterroles.json

Export RBAC RolesBindings:

kubectl get rolebindings --all-namespaces -o json > rolebindings.json

Export RBAC Cluster RolesBindings:

kubectl get clusterrolebindings -o json > clusterrolebindings.json

Export Pods:

kubectl get pods --all-namespaces -o json > pods.json

For OpenShift

Export RBAC Roles:

oc get roles -o json > Roles.json

Export RBAC ClusterRoles:

oc get clusterroles -o json > clusterroles.json

Export RBAC RolesBindings:

oc get rolebindings -o json > rolebindings.json

Export RBAC Cluster RolesBindings:

oc get clusterrolebindings -o json > clusterrolebindings.json

Export Pods:

oc get pods -o json > pods.json

example & output:

Usage

python3 ExtensiveRoleCheck.py --clusterRole clusterroles.json  --role Roles.json --rolebindings rolebindings.json --clusterrolebindings clusterrolebindings.json --pods pods.json

Output example

Maintainers:

Palindrome Technologies - research@palindrometech.com

About

Tool for auditing RBACs in Kubernetes

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

3 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Languages

  • Python 96.5%
  • Shell 3.5%