audit2rbac

Autogenerate RBAC policies based on Kubernetes audit logs

Overview

audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.

User Instructions

  1. Obtain a Kubernetes audit log containing all the API requests you expect your user to perform:

    • The log must be in JSON format, which means the API server's log backend (--audit-log-path) with --audit-log-format=json (the default) and an --audit-policy-file defined. On older releases, before advanced auditing went GA in Kubernetes 1.12, the API server must also run with --feature-gates=AdvancedAuditing=true. See the Kubernetes auditing documentation for more details.
    • audit.k8s.io/v1, audit.k8s.io/v1beta1 and audit.k8s.io/v1alpha1 events are supported.
    • Use the Metadata audit level: it records the user, verb and object reference, which is all that is needed to derive RBAC rules, and it keeps the log small. The Request and RequestResponse levels add bodies that are never used here. Omitting the RequestReceived stage in the policy (omitStages) roughly halves the volume again without losing any request.
    • To exercise all API calls, it is sometimes necessary to grant broad access to a user or application to avoid short-circuiting code paths on failed API requests. This should be done cautiously, ideally in a development environment. The generated policy is only as complete as the captured log: any API call that was not exercised (startup, steady state, error handling, leader election) will be denied once the generated role is bound, so capture a full run and check the audit log for 403 responses after switching over.
    • A sample audit policy and a sample audit log containing requests from alice, bob, and the service account ns1:sa1 are available.
  2. Identify the user whose audit events you want to scan and generate roles and role bindings for:

    • Specify a normal user with --user <username>
    • Specify a service account with --serviceaccount <namespace>:<name> (it appears in the audit log under the username system:serviceaccount:<namespace>:<name>)
  3. Run audit2rbac, capturing the output:

    audit2rbac -f https://git.io/v51iG --user alice             > alice-roles.yaml
    audit2rbac -f https://git.io/v51iG --user bob               > bob-roles.yaml
    audit2rbac -f https://git.io/v51iG --serviceaccount ns1:sa1 > sa1-roles.yaml
    
  4. Inspect the output before applying it. The rules are exactly what was observed, so confirm they are no broader than the workload needs (read access to secrets in particular) and that the namespace and subject are the intended ones:

    more alice-roles.yaml
    
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      labels:
        audit2rbac.liggitt.net/generated: "true"
        audit2rbac.liggitt.net/user: alice
      name: audit2rbac:alice
      namespace: ns1
    rules:
    - apiGroups:
      - ""
      resources:
      - configmaps
      - pods
      - secrets
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      labels:
        audit2rbac.liggitt.net/generated: "true"
        audit2rbac.liggitt.net/user: alice
      name: audit2rbac:alice
      namespace: ns1
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: audit2rbac:alice
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: alice
    
  5. Load the generated roles/bindings:

    kubectl create -f alice-roles.yaml
    
    role "audit2rbac:alice" created
    rolebinding "audit2rbac:alice" created
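To make the five steps above concrete, here is an added example that is not code from the audit2rbac project. It does, for one subject, what the tool does internally: parse Metadata-level audit.k8s.io/v1 events into (namespace, apiGroup, resource, verb) tuples, which is what the generated Role needs, and then check a rule set against a log, which is the check to run after binding the generated role: any request the rules do not cover is a code path the first capture missed. The audit lines in SampleLog, the PageRole rules and the names Collect, Rule and Uncovered are constructed for illustration. It goes slightly beyond the page by handling subresources (pods/log), cluster-scoped requests and the service-account username form.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Minimal projection of an audit.k8s.io/v1 Event (the Metadata level carries all of it).
// encoding/json matches keys case-insensitively, so "apiGroup" fills APIGroup without tags.
type auditEvent struct {
	Verb      string
	User      struct{ Username string }
	ObjectRef *struct{ APIGroup, Resource, Subresource, Namespace string }
}

// RuleKey is one observed (namespace, apiGroup, resource[/subresource]) tuple; Namespace "" means
// the request was cluster-scoped. Permissions maps each RuleKey to the verbs the subject used.
type RuleKey struct{ Namespace, APIGroup, Resource string }
type Permissions map[RuleKey]map[string]bool

// Rule mirrors one PolicyRule of a generated Role (Namespace set) or ClusterRole (Namespace "").
type Rule struct {
	Namespace                   string
	APIGroups, Resources, Verbs []string
}

// Constructed sample log (not the project's sample file): Metadata-level JSON lines as the API
// server writes them with --audit-log-format=json. Fields not declared above are ignored.
const SampleLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"RequestReceived","requestURI":"/api/v1/namespaces/ns1/pods","verb":"list","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"ns1","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/ns1/pods","verb":"list","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"ns1","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/ns1/secrets?watch=true","verb":"watch","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"ns1","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/ns1/pods/web/log","verb":"get","user":{"username":"alice"},"objectRef":{"resource":"pods","namespace":"ns1","name":"web","subresource":"log","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/api/v1/nodes","verb":"list","user":{"username":"alice"},"objectRef":{"resource":"nodes","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/healthz","verb":"get","user":{"username":"alice"},"responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/ns1/deployments","verb":"create","user":{"username":"system:serviceaccount:ns1:sa1"},"objectRef":{"resource":"deployments","namespace":"ns1","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201}}
`

// PageRole is the Role shown in step 4, expressed as rules, to check the sample log against.
var PageRole = []Rule{{"ns1", []string{""}, []string{"configmaps", "pods", "secrets"}, []string{"get", "list", "watch"}}}

// Collect folds every resource request by username (a service account appears as
// "system:serviceaccount:<ns>:<name>") into a set, so the RequestReceived and ResponseComplete
// events of one request count once. Denied (403) requests are kept on purpose: they are exactly
// the permissions the subject still lacks. Non-resource URLs such as /healthz have no objectRef.
func Collect(auditLog, username string) (Permissions, error) {
	perms := Permissions{}
	for _, line := range strings.Split(strings.TrimSpace(auditLog), "\n") {
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("malformed audit line: %w", err)
		}
		if ev.User.Username != username || ev.ObjectRef == nil {
			continue
		}
		res := ev.ObjectRef.Resource
		if ev.ObjectRef.Subresource != "" {
			res += "/" + ev.ObjectRef.Subresource // a rule for pods does not grant pods/log
		}
		k := RuleKey{ev.ObjectRef.Namespace, ev.ObjectRef.APIGroup, res}
		if perms[k] == nil {
			perms[k] = map[string]bool{}
		}
		perms[k][ev.Verb] = true
	}
	return perms, nil
}

// Allows applies RBAC matching: "*" or exact match on group, resource and verb; a cluster rule covers every namespace.
func (r Rule) Allows(k RuleKey, verb string) bool {
	has := func(allowed []string, want string) bool {
		for _, a := range allowed {
			if a == "*" || a == want {
				return true
			}
		}
		return false
	}
	return (r.Namespace == "" || r.Namespace == k.Namespace) &&
		has(r.APIGroups, k.APIGroup) && has(r.Resources, k.Resource) && has(r.Verbs, verb)
}

// Uncovered lists the observed requests that no rule permits, sorted for a stable diff. Run it
// over a log captured while the subject runs under the generated role to find missed code paths.
func Uncovered(perms Permissions, rules []Rule) []string {
	var out []string
	for k, verbs := range perms {
		for v := range verbs {
			covered := false
			for _, r := range rules {
				covered = covered || r.Allows(k, v)
			}
			if !covered {
				out = append(out, fmt.Sprintf("ns=%q group=%q resource=%s verb=%s", k.Namespace, k.APIGroup, k.Resource, v))
			}
		}
	}
	sort.Strings(out)
	return out
}
```

Against the Role from step 4, Uncovered reports two gaps for alice in the sample: the pods/log read, because a rule for pods does not cover its subresource, and the denied list of nodes, which is cluster-scoped and therefore needs a ClusterRole rather than a Role in ns1. Both are the kind of gap that only shows up after the generated policy is bound, which is why the second, post-binding capture is worth the effort.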
    

Developer Instructions

Requirements:

  • Go 1.13.x

To build and install from source:

go get -d github.com/liggitt/audit2rbac
cd $GOPATH/src/github.com/liggitt/audit2rbac
git fetch --tags
make install-deps
make install

Main metrics

Overview
Name With Owner: liggitt/audit2rbac
Primary Language: Go
Program language: Makefile (Language Count: 3)
Platform:
License: Other
Owner activity
Created At: 2017-09-10 04:50:35
Pushed At: 2023-02-11 07:11:26
Last Commit At: 2023-02-08 13:39:50
Release Count: 11
Last Release Name: v0.10.0 (Posted on )
First Release Name: v0.0.0 (Posted on 2017-09-11 01:05:05)
User engagement
Stargazers Count: 1.1k
Watchers Count: 33
Fork Count: 82
Commits Count: 58
Has Issues Enabled
Issues Count: 23
Issue Open Count: 10
Pull Requests Count: 0
Pull Requests Open Count: 1
Pull Requests Close Count: 1
Project settings
Has Wiki Enabled
Is Archived
Is Fork
Is Locked
Is Mirror
Is Private