Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/liggitt/audit2rbac

Autogenerate RBAC policies based on Kubernetes audit logs
https://github.com/liggitt/audit2rbac

audit authorization kubernetes openshift rbac

Last synced: 2 months ago
JSON representation

Autogenerate RBAC policies based on Kubernetes audit logs

Lists

README 

        
# audit2rbac



## Overview



audit2rbac takes a [Kubernetes audit log](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/) and username as input, and generates [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) role and binding objects that cover all the API requests made by that user.



* [Latest release, pre-built binaries](https://github.com/liggitt/audit2rbac/releases/latest)

* [All releases](https://github.com/liggitt/audit2rbac/releases)



## Demo Video






## User Instructions



1. Obtain a Kubernetes audit log containing all the API requests you expect your user to perform:

    * The log must be in JSON format. This requires running an API server with an `--audit-policy-file` defined. See [documentation](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#advanced-audit) for more details.

    * `audit.k8s.io/v1`, `audit.k8s.io/v1beta1` and `audit.k8s.io/v1alpha1` events are supported.

    * The `Metadata` log level works best to minimize log size.

    * To exercise all API calls, it is sometimes necessary to grant broad access to a user or application to avoid short-circuiting code paths on failed API requests. This should be done cautiously, ideally in a development environment.

    * A [sample audit policy](testdata/demo-policy.yaml) and a [sample audit log](testdata/demo.log) containing requests from `alice`, `bob`, and the service account `ns1:sa1` is available.

2. Identify a specific user you want to scan for audit events for and generate roles and role bindings for:

    * Specify a normal user with `--user `

    * Specify a service account with `--serviceaccount :`

3. Run `audit2rbac`, capturing the output:

    ```sh

    audit2rbac -f https://git.io/v51iG --user alice             > alice-roles.yaml

    audit2rbac -f https://git.io/v51iG --user bob               > bob-roles.yaml

    audit2rbac -f https://git.io/v51iG --serviceaccount ns1:sa1 > sa1-roles.yaml

    ```

4. Inspect the output to verify the generated roles/bindings:

    ```sh

    more alice-roles.yaml

    ```



    ```yaml

    apiVersion: rbac.authorization.k8s.io/v1

    kind: Role

    metadata:

      labels:

        audit2rbac.liggitt.net/generated: "true"

        audit2rbac.liggitt.net/user: alice

      name: audit2rbac:alice

      namespace: ns1

    rules:

    - apiGroups:

      - ""

      resources:

      - configmaps

      - pods

      - secrets

      verbs:

      - get

      - list

      - watch

    ---

    apiVersion: rbac.authorization.k8s.io/v1

    kind: RoleBinding

    metadata:

      labels:

        audit2rbac.liggitt.net/generated: "true"

        audit2rbac.liggitt.net/user: alice

      name: audit2rbac:alice

      namespace: ns1

    roleRef:

      apiGroup: rbac.authorization.k8s.io

      kind: Role

      name: audit2rbac:alice

    subjects:

    - apiGroup: rbac.authorization.k8s.io

      kind: User

      name: alice

    ```

5. Load the generated roles/bindings:

    ```sh

    kubectl create -f roles.yaml



    role "audit2rbac:alice" created

    rolebinding "audit2rbac:alice" created

    ```



## Developer Instructions



Requirements:

* Go 1.17+



To build and install from source:

```sh

go get -d github.com/liggitt/audit2rbac

cd $GOPATH/src/github.com/liggitt/audit2rbac

git fetch --tags

make install-deps

make install

```