Skip to content

liggitt/audit2rbac

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

audit2rbac

Overview

audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.

Demo Video

User Instructions

  1. Obtain a Kubernetes audit log containing all the API requests you expect your user to perform:

    • The log must be in JSON format. This requires running an API server with an --audit-policy-file defined. See documentation for more details.
    • audit.k8s.io/v1, audit.k8s.io/v1beta1 and audit.k8s.io/v1alpha1 events are supported.
    • The Metadata log level works best to minimize log size.
    • To exercise all API calls, it is sometimes necessary to grant broad access to a user or application to avoid short-circuiting code paths on failed API requests. This should be done cautiously, ideally in a development environment.
    • A sample audit policy and a sample audit log containing requests from alice, bob, and the service account ns1:sa1 is available.
  2. Identify a specific user you want to scan for audit events for and generate roles and role bindings for:

    • Specify a normal user with --user <username>
    • Specify a service account with --serviceaccount <namespace>:<name>
  3. Run audit2rbac, capturing the output:

    audit2rbac -f https://git.io/v51iG --user alice             > alice-roles.yaml
    audit2rbac -f https://git.io/v51iG --user bob               > bob-roles.yaml
    audit2rbac -f https://git.io/v51iG --serviceaccount ns1:sa1 > sa1-roles.yaml
  4. Inspect the output to verify the generated roles/bindings:

    more alice-roles.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      labels:
        audit2rbac.liggitt.net/generated: "true"
        audit2rbac.liggitt.net/user: alice
      name: audit2rbac:alice
      namespace: ns1
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      - pods
      - secrets
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels:
        audit2rbac.liggitt.net/generated: "true"
        audit2rbac.liggitt.net/user: alice
      name: audit2rbac:alice
      namespace: ns1
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: audit2rbac:alice
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: alice
  5. Load the generated roles/bindings:

    kubectl create -f roles.yaml
    
    role "audit2rbac:alice" created
    rolebinding "audit2rbac:alice" created

Developer Instructions

Requirements:

  • Go 1.17+

To build and install from source:

go get -d github.com/liggitt/audit2rbac
cd $GOPATH/src/github.com/liggitt/audit2rbac
git fetch --tags
make install-deps
make install