
Too wide permissions given #26

Closed
Cajga opened this issue Oct 4, 2023 · 2 comments

Comments

@Cajga

Cajga commented Oct 4, 2023

First of all, thanks for the tool, it is really helpful.

We are working on RBAC rules that allow our users to generate Kubernetes configs out of long-lived API tokens using a script. This script issues the following API request to determine the list of secrets in a given namespace:

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "08c32d69-9410-4475-8d69-7e57ccd6f9a0",
  "stage": "RequestReceived",
  "requestURI": "/api/v1/namespaces/infra/secrets?limit=500",
  "verb": "list",
  "user": {
    "username": "redacted",
    "groups": [
      "aad:dfe1dbdbredacted",
      "aad:8d8309beredacted",
      "system:authenticated"
    ]
  },
  "sourceIPs": [
    "192.168.0.1"
  ],
  "userAgent": "kubectl/v1.27.4 (linux/amd64) kubernetes/fa3d799",
  "objectRef": {
    "resource": "secrets",
    "namespace": "infra",
    "apiVersion": "v1"
  },
  "requestReceivedTimestamp": "2023-10-04T09:50:02.575962Z",
  "stageTimestamp": "2023-10-04T09:50:02.575962Z"
}

But for this, audit2rbac generates a role that allows more verbs (including get) for the secrets:

# echo '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"08c32d69-9410-4475-8d69-7e57ccd6f9a0","stage":"RequestReceived","requestURI":"/api/v1/namespaces/infra/secrets?limit=500","verb":"list","user":{"username":"redacted","groups":["aad:dfe1dbdbredacted","aad:8d8309beredacted","system:authenticated"]},"sourceIPs":["192.168.0.1"],"userAgent":"kubectl/v1.27.4 (linux/amd64) kubernetes/fa3d799","objectRef":{"resource":"secrets","namespace":"infra","apiVersion":"v1"},"requestReceivedTimestamp":"2023-10-04T09:50:02.575962Z","stageTimestamp":"2023-10-04T09:50:02.575962Z"}'| audit2rbac --filename - --user redacted
Opening audit source...
Loading events...
Evaluating API calls...
Generating roles...
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    audit2rbac.liggitt.net/version: v0.10.0
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: redacted
  name: audit2rbac:redacted
  namespace: infra
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    audit2rbac.liggitt.net/version: v0.10.0
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: redacted
  name: audit2rbac:redacted
  namespace: infra
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: audit2rbac:redacted
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: redacted
Complete!

Are these verbs really required for this API call? Can you please explain the reason behind this?

@liggitt
Owner

liggitt commented Oct 4, 2023

list already exposes all the content of all the secrets. get and watch are more efficient and common ways to retrieve a subset of the secrets or maintain an up-to-date view of updates to the secrets. If you have list permission, get and watch don't expose more data.

This expansion is defined here:

"list": []string{"get", "watch"},

There are a few other default expansions defined as well.

@liggitt liggitt closed this as completed Oct 4, 2023
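The behaviour liggitt describes (a role derived from an audit log, with the single expansion quoted above applied) can be checked offline with the following Go program. This is an added example written for this thread, not audit2rbac's own code: the event struct is a subset of the real audit.k8s.io/v1 schema, the audit log is constructed from the list call in the issue plus a made-up get on a configmap, only the list -> get, watch expansion is reproduced (the other defaults mentioned in the thread are not), and the function and type names are the example's own. The point it makes concrete is the one in the reply: expansion widens the verb list for secrets, but the unexpanded rule already reads secret contents, so the exposure is unchanged.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// AuditEvent keeps only the audit.k8s.io/v1 Event fields needed here
// (a subset of the real schema, assumption of this example).
type AuditEvent struct {
	Verb string `json:"verb"`
	User struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		APIGroup  string `json:"apiGroup"` // empty for the core group
		Resource  string `json:"resource"`
		Namespace string `json:"namespace"`
	} `json:"objectRef"`
}

// RuleKey identifies one (apiGroup, namespace, resource) tuple, i.e. one RBAC rule.
type RuleKey struct{ APIGroup, Namespace, Resource string }

// verbExpansions reproduces the single expansion quoted in the thread.
// audit2rbac defines further defaults that are not reproduced here.
var verbExpansions = map[string][]string{"list": {"get", "watch"}}

// SampleAuditLog is a constructed newline-delimited log: the issue's list
// call trimmed to the relevant fields, plus a get on a configmap.
const SampleAuditLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"list","user":{"username":"redacted"},"objectRef":{"resource":"secrets","namespace":"infra","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"redacted"},"objectRef":{"resource":"configmaps","namespace":"infra","name":"app","apiVersion":"v1"}}
`

// ParseEvents decodes one JSON event per non-empty line.
func ParseEvents(log string) ([]AuditEvent, error) {
	var events []AuditEvent
	for _, line := range strings.Split(log, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad audit line %q: %w", line, err)
		}
		events = append(events, ev)
	}
	return events, nil
}

// DeriveVerbs returns the sorted verb set per RuleKey for user. With expand
// set, each observed verb also contributes its verbExpansions entries.
func DeriveVerbs(events []AuditEvent, user string, expand bool) map[RuleKey][]string {
	seen := map[RuleKey]map[string]bool{}
	for _, ev := range events {
		if ev.User.Username != user || ev.ObjectRef.Resource == "" {
			continue
		}
		k := RuleKey{ev.ObjectRef.APIGroup, ev.ObjectRef.Namespace, ev.ObjectRef.Resource}
		if seen[k] == nil {
			seen[k] = map[string]bool{}
		}
		seen[k][ev.Verb] = true
		if expand {
			for _, v := range verbExpansions[ev.Verb] {
				seen[k][v] = true
			}
		}
	}
	out := map[RuleKey][]string{}
	for k, set := range seen {
		verbs := make([]string, 0, len(set))
		for v := range set {
			verbs = append(verbs, v)
		}
		sort.Strings(verbs)
		out[k] = verbs
	}
	return out
}

// ReadsSecretContents reports whether a rule on core-group secrets lets the
// holder read secret data: get, list and watch all return full Secret objects,
// so once list is present, adding get and watch changes nothing about exposure.
func ReadsSecretContents(k RuleKey, verbs []string) bool {
	if k.APIGroup != "" || k.Resource != "secrets" {
		return false
	}
	for _, v := range verbs {
		if v == "get" || v == "list" || v == "watch" {
			return true
		}
	}
	return false
}

func main() {
	events, err := ParseEvents(SampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, expand := range []bool{false, true} {
		for k, verbs := range DeriveVerbs(events, "redacted", expand) {
			fmt.Printf("expand=%v %s in %s: %v reads secret data: %v\n",
				expand, k.Resource, k.Namespace, verbs, ReadsSecretContents(k, verbs))
		}
	}
}
```

Running it prints the secrets rule once as [list] and once as [get list watch], with ReadsSecretContents true in both cases, while the configmaps rule stays at [get] because no expansion entry matches. To review a generated role for over-granting, compare the unexpanded output against the expanded one per resource rather than per verb: a difference in verbs that does not change what data a verb set can read is the case liggitt describes.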
@Cajga
Author

Cajga commented Oct 4, 2023

@liggitt, thank you for the explanation.
