Last updated at Tue, 20 Aug 2024 19:47:50 GMT
Kubernetes Role-Based Access Control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within your organization. RBAC authorization uses the rbac.authorization.k8s.io API group to drive authorization decisions, allowing you to dynamically configure policies through the Kubernetes API. This is all quite useful, but Kubernetes RBAC is often viewed as complex and not very user-friendly.
Introducing Your Swiss Army Knife for RBAC Controls
InsightCloudSec’s RBAC tool is an all-in-one open-source tool for analyzing Kubernetes RBAC policies and simplifying any complexities associated with Kubernetes RBAC.
InsightCloudSec’s RBAC tool significantly simplifies querying, analyzing, and generating RBAC policies. It is available as a standalone tool or as a kubectl Krew Plugin.
Visualize Cluster RBAC Policies and Usage
The rbac-tool viz command analyzes cluster policies and how they are being used, and generates a simple relationship graph.
By default, rbac-tool viz connects to the local cluster (pointed to by the current kubeconfig context) and creates an RBAC graph of the actively running workloads in all namespaces except kube-system.
Examples
# Scan the cluster pointed by the kubeconfig context 'myctx'
rbac-tool viz --cluster-context myctx
# Scan and create a PNG image from the graph
rbac-tool viz --outformat dot --exclude-namespaces=soemns && cat rbac.dot | dot -Tpng > rbac.png && google-chrome rbac.png
Analyze Risky RBAC Permissions
The command rbac-tool analysis analyzes RBAC permissions and highlights overly permissive principals, risky permissions, or any specific permissions that cluster operators do not want granted.
The command accepts a custom analysis rule set and custom exceptions (global and per-rule), and can be integrated into deployment workflows such as GitOps pipelines and automated analysis tasks in order to detect undesired permission changes, unexpected drift, or risky roles.
Examples
# Analyze the cluster pointed by the kubeconfig context 'myctx' with the internal analysis rule set
rbac-tool analysis --cluster-context myctx
Query Who Can Perform Certain Kubernetes API Actions
The command rbac-tool who-can enables operators to query which subjects/principals are allowed to perform a certain action based on the presently configured RBAC policies.
Examples
# Who can read ConfigMap resources
rbac-tool who-can get configmaps
# Who can watch Deployments
rbac-tool who-can watch deployments.apps
# Who can read the Kubernetes API endpoint /apis
rbac-tool who-can get /apis
# Who can read a secret resource by the name some-secret
rbac-tool who-can get secret/some-secret
A Flat and Simple View of RBAC Permissions
The command rbac-tool policy-rules aggregates the policies and relationships from the various RBAC resources, and provides a flat view of the allowed permissions for any given User/ServiceAccount/Group.
Examples
# List policy rules for system unauthenticated group
rbac-tool policy-rules -e '^system:unauth'
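The aggregation behind who-can and policy-rules, as an added example that is not rbac-tool's own code: it flattens constructed Role/ClusterRole objects and their bindings into per-subject rules and answers "who can <verb> <resource>". The object layout, subject names and namespaces below are all constructed for the example; resourceNames and aggregated ClusterRoles are not modeled.

```python
"""Added example, not rbac-tool's own code: aggregate bindings into a flat per-subject
rule view and answer "who can <verb> <resource>" over constructed RBAC objects."""
ROLES = {  # keyed by (kind, namespace, name); rule dicts follow the API shape
    ("ClusterRole", "", "secret-reader"): [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
    ("ClusterRole", "", "view-pods"): [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
    ("Role", "dev", "dev-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": ("ClusterRole", "secret-reader"),
     "subjects": ["Group:system:masters", "ServiceAccount:kube-system:backup"]},
    {"kind": "RoleBinding", "namespace": "dev", "roleRef": ("Role", "dev-admin"),
     "subjects": ["User:alice"]},
    # A RoleBinding may reference a ClusterRole; the grant is then namespace-scoped.
    {"kind": "RoleBinding", "namespace": "prod", "roleRef": ("ClusterRole", "view-pods"),
     "subjects": ["Group:system:unauthenticated"]},
]

def _match(wanted, granted):
    return granted == "*" or granted == wanted

def flat_rules(subject):
    """Flat view: sorted (scope, apiGroup, resource, verb); scope "*" = cluster-wide."""
    out = set()
    for b in BINDINGS:
        if subject not in b["subjects"]:
            continue
        kind, name = b["roleRef"]
        scope = "*" if b["kind"] == "ClusterRoleBinding" else b["namespace"]
        role_ns = "" if kind == "ClusterRole" else b["namespace"]
        for rule in ROLES.get((kind, role_ns, name), []):
            for g in rule["apiGroups"]:
                for r in rule["resources"]:
                    for v in rule["verbs"]:
                        out.add((scope, g, r, v))
    return sorted(out)

def who_can(verb, resource, api_group="", namespace=None):
    """Subjects allowed to perform verb on resource; namespace=None means anywhere."""
    allowed = set()
    for s in {s for b in BINDINGS for s in b["subjects"]}:
        for scope, g, r, v in flat_rules(s):
            in_scope = namespace is None or scope in ("*", namespace)
            if in_scope and _match(api_group, g) and _match(resource, r) and _match(verb, v):
                allowed.add(s)
    return sorted(allowed)
```

Running who_can("get", "secrets") against the sample surfaces the namespace admin in dev alongside the cluster-wide secret readers, which is the kind of overreach a flat view is meant to expose.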
Generate RBAC Policies Easily
Kubernetes RBAC has no deny rules (permissions are purely additive), which means generating an RBAC policy that says “Allow everything except THIS” is not as straightforward as one would imagine.
Here are some examples that capture how rbac-tool generate can help:
- Generate a ClusterRole policy that allows users to read everything except secrets and services
- Generate a Role policy that allows create, update, get, list (read/write) everything except Secrets, Services, Ingresses, and NetworkPolicies
- Generate a Role policy that allows create, update, get, list (read/write) everything except StatefulSets
Command Line Examples
Examples generated against Kubernetes cluster v1.16 deployed using KIND:
# Generate a ClusterRole policy that allows users to read everything except secrets and services
rbac-tool gen --deny-resources=secrets.,services. --allowed-verbs=get,list
# Generate a Role policy that allows create, update, get, list (read/write) everything except Secrets, Services, NetworkPolicies in the core, apps and networking.k8s.io API groups
rbac-tool gen --generated-type=Role --deny-resources=secrets.,services.,networkpolicies.networking.k8s.io --allowed-verbs=* --allowed-groups=,extensions,apps,networking.k8s.io
# Generate a Role policy that allows create, update, get, list (read/write) everything except StatefulSets
rbac-tool gen --generated-type=Role --deny-resources=apps.statefulsets --allowed-verbs=*
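What "allow everything except X" has to become in a system without deny rules, as an added example that is not rbac-tool's own code: every discovered resource is enumerated and the denied ones are left out. The discovery list is a constructed stand-in for what a cluster reports; the deny spelling follows the page's resource.group form ("secrets." for the core group), and the function names are assumptions of this example.

```python
"""Added example, not rbac-tool's own code: RBAC has no deny rules, so "allow all
except X" is built by enumerating every discovered resource and omitting X."""
# Constructed stand-in for API discovery (what `kubectl api-resources` returns):
# (resource, apiGroup) pairs. Real tooling fetches this from the live cluster.
DISCOVERED = [
    ("pods", ""), ("secrets", ""), ("services", ""), ("configmaps", ""),
    ("deployments", "apps"), ("statefulsets", "apps"),
    ("networkpolicies", "networking.k8s.io"), ("ingresses", "networking.k8s.io"),
]

def generate_rules(discovered, deny, verbs, allowed_groups=None):
    """Rules (one per apiGroup) covering every discovered resource not in `deny`.
    `deny` uses the resource.group spelling from the page ("secrets." = core group)."""
    denied = set()
    for item in deny:
        resource, _, group = item.partition(".")
        denied.add((resource, group))
    by_group = {}
    for resource, group in discovered:
        if allowed_groups is not None and group not in allowed_groups:
            continue
        if (resource, group) not in denied:
            by_group.setdefault(group, []).append(resource)
    # Anything not discovered at generation time is not granted either, so the
    # policy must be regenerated when new resource types (e.g. CRDs) appear.
    return [{"apiGroups": [g], "resources": sorted(rs), "verbs": sorted(verbs)}
            for g, rs in sorted(by_group.items())]

def _yaml_list(items):
    return "[" + ", ".join(f'"{x}"' for x in items) + "]"

def to_yaml(name, rules):
    """Render the rules as a ClusterRole manifest string."""
    lines = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
             "metadata:", f"  name: {name}", "rules:"]
    for r in rules:
        lines.append(f"- apiGroups: {_yaml_list(r['apiGroups'])}")
        lines.append(f"  resources: {_yaml_list(r['resources'])}")
        lines.append(f"  verbs: {_yaml_list(r['verbs'])}")
    return "\n".join(lines)

if __name__ == "__main__":
    rules = generate_rules(DISCOVERED, deny=["secrets.", "services."], verbs=["get", "list"])
    print(to_yaml("read-all-but-secrets-and-services", rules))
```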
Another useful policy generation command is rbac-tool auditgen, which can generate RBAC policy from Kubernetes audit events.
Learn more about how InsightCloudSec can help secure your cloud and multi-cloud environments.
Conclusion
InsightCloudSec’s RBAC tool fills various gaps that exist in the Kubernetes native tools, and addresses common RBAC-related use cases. This RBAC tool is an all-in-one solution that helps practitioners to perform RBAC analysis, querying, and policy curation.
You’ve got your full Swiss army knife now—what are you waiting for?
Check out this link for more information and a step-by-step installation guide.