| kubectl |
- List all API paths, i.e. the resources and subresources (such as pods/exec) that RBAC rules can reference
kubectl get --raw /openapi/v2 | jq '.paths | keys[]'
|
| rbac-tool |
- A collection of Kubernetes RBAC tools to sugar-coat Kubernetes RBAC complexity (viz/analysis/lookup/who-can/policy-rules/auditgen/gen)
|
| kubectl-can-i |
- Find out if you can perform a verb on a resource (built into kubectl as kubectl auth can-i)
- Also use Kubernetes' impersonation API (--as / --as-group) to see if another account is able to access a resource; the caller needs the "impersonate" verb on users, groups or serviceaccounts, which cluster-admin has
- Usage:
- Find out if you can perform a verb on a resource:
$ kubectl auth can-i get pods
- Confirm that you've been given cluster-admin permissions (only answers "yes" for a wildcard rule such as cluster-admin's):
$ kubectl auth can-i "*" "*"
- List all the actions you can perform in a namespace:
$ kubectl auth can-i --list --namespace=secure
- Impersonation: take the Service Account named "unprivileged-service-account" (living in the "secure" namespace) and see if it has access to get pods; add -n secure to ask about pods in that namespace rather than the current context's namespace:
$ kubectl auth can-i get pod --as system:serviceaccount:secure:unprivileged-service-account
|
| kubectl-who-can |
- Show who has permissions to <verb> <resources> in Kubernetes
- Usage:
- See who has access to a secret ("cluster-admin-creds" in the "secure" namespace):
$ kubectl who-can get secret cluster-admin-creds -n secure
|
| Rakkess |
- Show an access matrix for k8s server resources
- Ideal for looking at a ServiceAccount object and trying to determine what it has access to
- Usage:
- Dump what your account has access to:
$ kubectl access-matrix
- Look at what a particular Service Account can access (uses the same impersonation as kubectl auth can-i --as):
$ kubectl access-matrix --as system:serviceaccount:secure:unprivileged-service-account -n secure
|
| rback |
- RBAC in Kubernetes visualizer
- Queries all RBAC-related information and generates a graph representation of service accounts, (cluster) roles, and the respective access rules
- Usage:
$ kubectl get sa,roles,rolebindings,clusterroles,clusterrolebindings --all-namespaces -o json | rback > result.dot
$ dot -Tpng result.dot > /tmp/rback.png && open /tmp/rback.png
|
| rbac-view |
- Visualize Kubernetes RBAC rules
- Usage:
$ kubectl rbac-view
# serving RBAC View on http://localhost:8800
|
| kubiscan |
- Scan for risky permissions and users in RBAC
- Can detect accounts which will expose the whole cluster if their credentials (JWT token, certificate, etc.) are compromised by an attacker
- Usage:
- Run from the master (control-plane) node; -v /:/tmp mounts the host filesystem so the container can read the kubeconfig named in CONF_PATH:
docker run -it --rm -e CONF_PATH=~/.kube/config -v /:/tmp cyberark/kubiscan [CMD]
- Search for pods with privileged accounts:
kubiscan -rp
- Show all risky subjects (users, service accounts, groups):
kubiscan -rs
- Show all the rules a service account has:
kubiscan -aars "SANAME" -ns "default" -k "ServiceAccount"
- List service account RoleBindings:
kubiscan -aarbs "SANAME" -ns "default" -k "ServiceAccount"
|
| rbac-lookup |
- Find Kubernetes roles and cluster roles bound to any user, service account, or group name
- Usage:
rbac-lookup rob --output wide
|
| kubectl-rolesum |
- Summarize RBAC roles for the specified subject (ServiceAccount, User and Group)
- Usage:
kubectl rolesum -k Group developer
|
| kubernetes-rbac-audit |
- Scans the Kubernetes RBAC for risky roles
- Works offline on exported objects; dump them first with kubectl get clusterroles -o json > clusterroles.json and likewise for roles, rolebindings (both with --all-namespaces) and clusterrolebindings
- Usage:
python ExtensiveRoleCheck.py --clusterRole clusterroles.json --role Roles.json --rolebindings rolebindings.json --cluseterolebindings clusterrolebindings.json
|
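Most of the tools above (kubectl-who-can, kubiscan, kubernetes-rbac-audit) answer the same two questions over the Role/ClusterRole/RoleBinding/ClusterRoleBinding objects: who can do X, and which subjects hold something dangerous. The script below is an added worked example of that evaluation, written for this page rather than taken from any of those projects. The cluster state it reads is a constructed sample (hypothetical role, binding and subject names) in the JSON shape that kubectl get ... -o json emits, so it runs offline; the RISKY list is an opinionated subset of the patterns such scanners flag, not any tool's full rule set.

```python
"""Offline 'who-can' and 'risky subject' evaluation over exported Kubernetes RBAC objects.
Added example for this cheat sheet, not code from kubectl-who-can, kubiscan or
kubernetes-rbac-audit. Input: constructed Role/ClusterRole/RoleBinding/ClusterRoleBinding
objects (hypothetical names) in the shape `kubectl get <kind> -o json` produces."""
import json

# Constructed sample cluster state, embedded so the script runs without a cluster.
RBAC_JSON = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "secure"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "pod-exec", "namespace": "secure"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}, {"kind": "User", "name": "rob"}]},
    # A RoleBinding may reference a ClusterRole; it still only grants inside its own namespace.
    {"kind": "RoleBinding", "metadata": {"name": "app-secrets", "namespace": "secure"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "secure"}]},
    {"kind": "RoleBinding", "metadata": {"name": "readonly", "namespace": "secure"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "unprivileged-service-account", "namespace": "secure"}]},
    {"kind": "RoleBinding", "metadata": {"name": "debug", "namespace": "secure"},
     "roleRef": {"kind": "Role", "name": "pod-exec"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]})


def load(items_json):
    """Index roles by (kind, namespace, name); ClusterRoles get namespace ''."""
    roles, bindings = {}, []
    for obj in json.loads(items_json)["items"]:
        meta = obj["metadata"]
        if obj["kind"] in ("Role", "ClusterRole"):
            roles[(obj["kind"], meta.get("namespace", ""), meta["name"])] = obj.get("rules", [])
        elif obj["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            bindings.append(obj)
    return roles, bindings


def subject_id(subj):
    """ServiceAccounts in the form kubectl's --as flag takes; users/groups as Kind:name."""
    if subj["kind"] == "ServiceAccount":
        return "system:serviceaccount:%s:%s" % (subj["namespace"], subj["name"])
    return "%s:%s" % (subj["kind"], subj["name"])


def rule_allows(rule, verb, resource, api_group="", name=None):
    """One PolicyRule, evaluated like the RBAC authorizer: '*' wildcards for apiGroups,
    verbs and resources, '*/<sub>' for a subresource on any resource, and resourceNames
    (a rule carrying resourceNames never matches a request that has no object name)."""
    def hit(wanted, allowed):
        return "*" in allowed or wanted in allowed
    if not hit(api_group, rule.get("apiGroups", [])) or not hit(verb, rule.get("verbs", [])):
        return False
    _, _, sub = resource.partition("/")
    if not any(r == "*" or r == resource or (sub and r == "*/" + sub) for r in rule.get("resources", [])):
        return False
    names = rule.get("resourceNames", [])
    return not names or name in names


def who_can(roles, bindings, verb, resource, namespace, api_group="", name=None):
    """Subjects able to `verb` `resource` in `namespace` (None = cluster-scoped request)."""
    allowed = set()
    for b in bindings:
        ref = b["roleRef"]
        if b["kind"] == "RoleBinding":
            if namespace is None or b["metadata"]["namespace"] != namespace:
                continue  # a RoleBinding never reaches outside its own namespace
            role_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else ""
        else:
            role_ns = ""  # ClusterRoleBinding: applies in every namespace and cluster-wide
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])  # dangling roleRef grants nothing
        if any(rule_allows(r, verb, resource, api_group, name) for r in rules):
            allowed.update(subject_id(s) for s in b.get("subjects", []))
    return allowed


# (verb, resource, apiGroup, why): capabilities that hand over the cluster or others' credentials.
RISKY = [
    ("*", "*", "*", "wildcard rule, cluster-admin equivalent"),
    ("get", "secrets", "", "reads every secret, including service-account tokens"),
    ("create", "pods/exec", "", "runs commands inside existing pods"),
    ("create", "pods", "", "a new pod can mount any service account's token or host paths"),
    ("impersonate", "users", "", "acts as any user"),
    ("bind", "clusterroles", "rbac.authorization.k8s.io", "binds roles the subject does not hold"),
]


def risky_subjects(roles, bindings):
    """subject -> {finding: scope}; cluster-wide grants are reported once, not per namespace."""
    namespaces = sorted({b["metadata"]["namespace"] for b in bindings if b["kind"] == "RoleBinding"})
    findings = {}
    for verb, resource, group, why in RISKY:
        label = "%s %s: %s" % (verb, resource, why)
        cluster_wide = who_can(roles, bindings, verb, resource, None, group)
        for subj in cluster_wide:
            findings.setdefault(subj, {})[label] = "cluster-wide"
        for ns in namespaces:
            for subj in who_can(roles, bindings, verb, resource, ns, group) - cluster_wide:
                findings.setdefault(subj, {})[label] = ns
    return findings


if __name__ == "__main__":
    roles, bindings = load(RBAC_JSON)
    print("who can get secrets in 'secure':", sorted(who_can(roles, bindings, "get", "secrets", "secure")))
    for subj, items in sorted(risky_subjects(roles, bindings).items()):
        for label, scope in sorted(items.items()):
            print("RISKY %-55s %s (%s)" % (subj, label, scope))
```

To run it against a real cluster, replace RBAC_JSON with the output of kubectl get roles,clusterroles,rolebindings,clusterrolebindings --all-namespaces -o json. The evaluator deliberately ignores aggregated ClusterRoles, non-resource URLs and webhook/ABAC authorizers, which is exactly why a result from any static RBAC tool should be confirmed with kubectl auth can-i --as against the live API server.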
| krane |
- RBAC static Analysis & visualisation tool
- Usage:
krane report -k <context>
|
| sa-hunter |
- Correlates serviceaccounts, pods and nodes to the permissions granted to them via rolebindings and clusterrolebindings
|