{"id":13564011,"url":"https://github.com/liggitt/audit2rbac","last_synced_at":"2025-04-12T22:19:52.309Z","repository":{"id":37444592,"uuid":"103004444","full_name":"liggitt/audit2rbac","owner":"liggitt","description":"Autogenerate RBAC policies based on Kubernetes audit logs","archived":false,"fork":false,"pushed_at":"2023-02-11T07:11:26.000Z","size":206,"stargazers_count":1072,"open_issues_count":11,"forks_count":80,"subscribers_count":34,"default_branch":"master","last_synced_at":"2024-10-29T20:50:56.484Z","etag":null,"topics":["audit","authorization","kubernetes","openshift","rbac"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/liggitt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-09-10T04:50:35.000Z","updated_at":"2024-10-26T01:34:33.000Z","dependencies_parsed_at":"2024-01-07T06:03:29.790Z","dependency_job_id":"0de75599-bc6b-45f7-b279-f687e9b415b6","html_url":"https://github.com/liggitt/audit2rbac","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liggitt%2Faudit2rbac","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liggitt%2Faudit2rbac/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liggitt%2Faudit2rbac/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/liggitt%2Faudit2rbac/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/liggitt","download_url":"https://codeload.gi
thub.com/liggitt/audit2rbac/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248638233,"owners_count":21137633,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["audit","authorization","kubernetes","openshift","rbac"],"created_at":"2024-08-01T13:01:25.526Z","updated_at":"2025-04-12T22:19:52.276Z","avatar_url":"https://github.com/liggitt.png","language":"Go","funding_links":[],"categories":["Go","Инструменты","Open Source Projects","Security","Tools"],"sub_categories":["Безопасность Kubernetes","Kubernetes"],"readme":"# audit2rbac\n\n## Overview\n\naudit2rbac takes a [Kubernetes audit log](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) and username as input, and generates [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) role and binding objects that cover all the API requests made by that user.\n\n* [Latest release, pre-built binaries](https://github.com/liggitt/audit2rbac/releases/latest)\n* [All releases](https://github.com/liggitt/audit2rbac/releases)\n\n## Demo Video\n\n\u003ca href=\"https://youtu.be/n2cD20moYe8\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/980082/33801800-892ce3fc-dd34-11e7-8d91-906cdc025812.png\"\u003e\u003c/a\u003e\n\n## User Instructions\n\n1. Obtain a Kubernetes audit log containing all the API requests you expect your user to perform:\n    * The log must be in JSON format. This requires running an API server with an `--audit-policy-file` defined. 
See [documentation](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#advanced-audit) for more details.\n    * `audit.k8s.io/v1`, `audit.k8s.io/v1beta1` and `audit.k8s.io/v1alpha1` events are supported.\n    * The `Metadata` log level works best to minimize log size.\n    * To exercise all API calls, it is sometimes necessary to grant broad access to a user or application to avoid short-circuiting code paths on failed API requests. This should be done cautiously, ideally in a development environment.\n    * A [sample audit policy](testdata/demo-policy.yaml) and a [sample audit log](testdata/demo.log) containing requests from `alice`, `bob`, and the service account `ns1:sa1` are available.\n2. Identify the specific user whose audit events you want to scan and for whom you want to generate roles and role bindings:\n    * Specify a normal user with `--user \u003cusername\u003e`\n    * Specify a service account with `--serviceaccount \u003cnamespace\u003e:\u003cname\u003e`\n3. Run `audit2rbac`, capturing the output:\n    ```sh\n    audit2rbac -f https://git.io/v51iG --user alice             \u003e alice-roles.yaml\n    audit2rbac -f https://git.io/v51iG --user bob               \u003e bob-roles.yaml\n    audit2rbac -f https://git.io/v51iG --serviceaccount ns1:sa1 \u003e sa1-roles.yaml\n    ```\n4. 
Inspect the output to verify the generated roles/bindings:\n    ```sh\n    more alice-roles.yaml\n    ```\n\n    ```yaml\n    apiVersion: rbac.authorization.k8s.io/v1\n    kind: Role\n    metadata:\n      labels:\n        audit2rbac.liggitt.net/generated: \"true\"\n        audit2rbac.liggitt.net/user: alice\n      name: audit2rbac:alice\n      namespace: ns1\n    rules:\n    - apiGroups:\n      - \"\"\n      resources:\n      - configmaps\n      - pods\n      - secrets\n      verbs:\n      - get\n      - list\n      - watch\n    ---\n    apiVersion: rbac.authorization.k8s.io/v1\n    kind: RoleBinding\n    metadata:\n      labels:\n        audit2rbac.liggitt.net/generated: \"true\"\n        audit2rbac.liggitt.net/user: alice\n      name: audit2rbac:alice\n      namespace: ns1\n    roleRef:\n      apiGroup: rbac.authorization.k8s.io\n      kind: Role\n      name: audit2rbac:alice\n    subjects:\n    - apiGroup: rbac.authorization.k8s.io\n      kind: User\n      name: alice\n    ```\n5. Load the generated roles/bindings:\n    ```sh\n    kubectl create -f alice-roles.yaml\n\n    role \"audit2rbac:alice\" created\n    rolebinding \"audit2rbac:alice\" created\n    ```\n\n## Developer Instructions\n\nRequirements:\n* Go 1.17+\n\nTo build and install from source:\n```sh\ngo get -d github.com/liggitt/audit2rbac\ncd $GOPATH/src/github.com/liggitt/audit2rbac\ngit fetch --tags\nmake install-deps\nmake install\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fliggitt%2Faudit2rbac","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fliggitt%2Faudit2rbac","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fliggitt%2Faudit2rbac/lists"}