Retrieve the RBAC permissions of Kubernetes identities - service accounts, pods, nodes, users and groups - and evaluate them using policies written in Rego.
The policy library includes ~20 policies that identify identities possessing risky permissions, each detecting a different attack path. See the Recommendations section here for advice on addressing powerful permissions in Kubernetes clusters.
-
Clone the repository:
git clone https://github.com/PaloAltoNetworks/rbac-police && cd rbac-police
-
Either install
rbac-police
from a release:OS=linux # OS=darwin ARCH=amd64 # ARCH=arm64 LATEST_TAG=$(curl -s https://api.github.com/repos/PaloAltoNetworks/rbac-police/releases/latest | jq -r '.tag_name') curl -L -o rbac-police "https://github.com/PaloAltoNetworks/rbac-police/releases/download/${LATEST_TAG}/rbac-police_${LATEST_TAG}_${OS}_${ARCH}" && chmod +x rbac-police
Or build it with Golang>=1.16:
go build
-
Connect
kubectl
to a Kubernetes cluster. -
Evaluate RBAC permissions and identify privilege escalation paths in your cluster using the default policy library:
./rbac-police eval lib/
Only evaluate policies with a severity equal to or higher than a threshold.
./rbac-police eval lib/ -s High
Only look into service accounts and pods from a certain namespace.
./rbac-police eval lib/ -n production
Configure which identities are evaluated for violations, default are sa,node,combined
.
./rbac-police eval lib/ --violations sa,user
./rbac-police eval lib/ --violations all # sa,node,combined,user,group
Only consider violations from service accounts that exist on all nodes. Useful for identifying violating DaemonSets.
./rbac-police eval lib/ --only-sas-on-all-nodes
Improve accuracy by identifying security-related features gates and admission controllers that can protect against certain attacks. Please note that NodeRestriction is identified by impersonating a node and dry-run creating a pod, which may be logged by some systems.
./rbac-police eval lib/ -w
Ignore control plane pods and nodes in clusters that host the control plane.
./rbac-police eval lib/ --ignore-controlplane
Specify a custom user used by nodes in clusters that don't use the NodeAuthorizer.
./rbac-police eval lib/ --node-user=nodeclient
./rbac-police collect -o rbacDb.json
./rbac-police eval lib/ rbacDb.json -s Critical
./rbac-police eval lib/ rbacDb.json --only-sas-on-all-nodes
./rbac-police expand
Or:
./rbac-police collect -o rbacDb.json
./rbac-police expand rbacDb.json
Radiohead:
rbac-police, I've given all I can. It's not enough...
N.W.A:
rbac-police comin' straight from the underground!