kubectl |
- List all resources and sub resources that can be constrained with RBAC
kubectl get --raw /openapi/v2 | jq '.paths | keys[]'
|
rbac-tool |
- A collection of Kubernetes RBAC tools to sugar coat Kubernetes RBAC complexity (viz / analysis / lookup / who-can / policy-rules / auditgen / gen)
|
kubectl-can-i |
- To find out if you can perform a verb on a resource
- Also uses Kubernetes' Impersonation API to see if another account is able to access a resource
- Usage:
- Find out if you can perform a verb on a resource:
$ kubectl auth can-i get pods
- Confirm that you've been given cluster-admin permissions:
$ kubectl auth can-i "*" "*"
- List all the actions you can perform in a namespace:
$ kubectl auth can-i --list --namespace=secure
- Impersonation: take the Service Account named "unprivileged-service-account" (scoped to the "secure" namespace) and see if it has access to get pods:
$ kubectl auth can-i get pod --as system:serviceaccount:secure:unprivileged-service-account
|
kubectl-who-can |
- Show who has permissions to <verb> <resources> in Kubernetes
- Usage:
- See who has access to a secret ("cluster-admin-creds" in the "secure" namespace):
$ kubectl who-can get secret cluster-admin-creds -n secure
|
Rakkess |
- Show an access matrix for k8s server resources
- Ideal for looking at a ServiceAccount object and trying to determine what it has access to
- Usage:
- Dump what your account has access to:
$ kubectl access-matrix
- Look at what a particular Service Account can access:
$ kubectl access-matrix --as system:serviceaccount:secure:unprivileged-service-account -n secure
|
rback |
- RBAC in Kubernetes visualizer
- Queries all RBAC related information and generates a graph representation of service accounts, (cluster) roles, and the respective access rules
- Usage:
$ kubectl get sa,roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json | rback > result.dot
$ dot -Tpng result.dot > /tmp/rback.png && open /tmp/rback.png
 |
rbac-view |
- Visualize Kubernetes RBAC rules
- Usage:
$ kubectl rbac-view
# serving RBAC View and http://localhost:8800
|
kubiscan |
- Scan for risky permissions and users in RBAC
- Can detect accounts which will expose the whole cluster if their identification (JWT token, certificate, etc.) is compromised by an attacker
- Usage:
- Run from the MASTER node:
docker run -it --rm -e CONF_PATH=~/.kube/config -v /:/tmp cyberark/kubiscan [CMD]
- Search for pods with privileged accounts:
kubiscan -rp
- Show all risky subjects (users, service accounts, groups):
kubiscan -rs
- Show all the rules a service account has:
kubiscan -aars "SANAME" -ns "default" -k "ServiceAccount"
- List service account RoleBindings:
kubiscan -aarbs "SANAME" -ns "default" -k "ServiceAccount"
|
rbac-lookup |
- Find Kubernetes roles and cluster roles bound to any user, service account, or group name
- Usage:
rbac-lookup rob --output wide
|
kubectl-rolesum |
- Summarize RBAC roles for the specified subject (ServiceAccount, User and Group)
- Usage:
kubectl rolesum -k Group developer
|
kubernetes-rbac-audit |
- Scans the Kubernetes RBAC for risky roles
- Usage:
python ExtensiveRoleCheck.py --clusterRole clusterroles.json --role Roles.json --rolebindings rolebindings.json --cluseterolebindings clusterrolebindings.json
|
krane |
- RBAC static analysis & visualisation tool
- Usage:
krane report -k <context>
|
sa-hunter |
- Correlates serviceaccounts, pods and nodes to the permissions granted to them via rolebindings and clusterrolebindings
|