0

audit2rbac

Autogenerate RBAC policies based on Kubernetes audit logs

Github 資源庫
主要指標

Github星跟蹤圖

audit2rbac

Overview

audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.

Demo Video

User Instructions

  1. Obtain a Kubernetes audit log containing all the API requests you expect your user to perform:

    • The log must be in JSON format. This requires running an API server with --feature-gates=AdvancedAudit=true and an --audit-policy-file defined. See documentation for more details.
    • audit.k8s.io/v1, audit.k8s.io/v1beta1 and audit.k8s.io/v1alpha1 events are supported.
    • The Metadata log level works best to minimize log size.
    • To exercise all API calls, it is sometimes necessary to grant broad access to a user or application to avoid short-circuiting code paths on failed API requests. This should be done cautiously, ideally in a development environment.
    • A sample audit policy and a sample audit log containing requests from alice, bob, and the service account ns1:sa1 is available.

  2. Identify a specific user you want to scan for audit events for and generate roles and role bindings for:

    • Specify a normal user with --user <username>
    • Specify a service account with --serviceaccount <namespace>:<name>

  3. Run audit2rbac, capturing the output:

    audit2rbac -f https://git.io/v51iG --user alice             > alice-roles.yaml
audit2rbac -f https://git.io/v51iG --user bob               > bob-roles.yaml
audit2rbac -f https://git.io/v51iG --serviceaccount ns1:sa1 > sa1-roles.yaml

  4. Inspect the output to verify the generated roles/bindings:

    more alice-roles.yaml

    apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: alice
  name: audit2rbac:alice
  namespace: ns1
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: alice
  name: audit2rbac:alice
  namespace: ns1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: audit2rbac:alice
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice

  5. Load the generated roles/bindings:

    kubectl create -f roles.yaml

role "audit2rbac:alice" created
rolebinding "audit2rbac:alice" created

Developer Instructions

Requirements:

  • Go 1.13.x

To build and install from source:

go get -d github.com/liggitt/audit2rbac
cd $GOPATH/src/github.com/liggitt/audit2rbac
git fetch --tags
make install-deps
make install

主要指標

概覽
名稱與所有者liggitt/audit2rbac
主編程語言Go
編程語言Makefile (語言數: 3)
平台
許可證Other
所有者活动
創建於2017-09-10 04:50:35
推送於2023-02-11 07:11:26
最后一次提交2023-02-08 13:39:50
發布數11
最新版本名稱v0.10.0 (發布於 )
第一版名稱v0.0.0 (發布於 2017-09-11 01:05:05)
用户参与
星數1.1k
關注者數33
派生數82
提交數58
已啟用問題?
問題數23
打開的問題數10
拉請求數0
打開的拉請求數1
關閉的拉請求數1
项目设置
已啟用Wiki?
已存檔?
是復刻?
已鎖定?
是鏡像?
是私有?