Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cyberark/kubernetes-rbac-audit
Tool for auditing RBACs in Kubernetes
Last synced: 7 days ago
- Host: GitHub
- URL: https://github.com/cyberark/kubernetes-rbac-audit
- Owner: cyberark
- License: apache-2.0
- Created: 2019-08-06T19:37:42.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2024-02-05T12:58:06.000Z (11 months ago)
- Last Synced: 2025-01-01T07:06:05.253Z (14 days ago)
- Language: Python
- Size: 108 KB
- Stars: 215
- Watchers: 5
- Forks: 60
- Open Issues: 10
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
- awesome-cloud-sec - kubernetes-rbac-audit - Tool for auditing RBACs in Kubernetes (Other Awesome Lists / Subdomain Takeover)
- awesome-kubernetes-security - kubernetes-rbac-audit - Tool for auditing RBACs in Kubernetes (Open Source Projects)
README
# ExtensiveRoleCheck
`ExtensiveRoleCheck` is a Python tool that scans the Kubernetes RBAC for risky roles. The tool is a part of the "Kubernetes Pentest Methodology" blog post series.
```
usage: ExtensiveRoleCheck.py [-h] [--clusterRole CLUSTERROLE] [--role ROLE]
                             [--rolebindings ROLEBINDINGS]
                             [--cluseterolebindings CLUSETEROLEBINDINGS]
```

## Overview
**Status**: Alpha
The RBAC API is a set of roles that administrators can configure to limit access to the Kubernetes resources. The *ExtensiveRoleCheck* automates the searching process and outputs the risky roles and rolebindings found in the RBAC API.
## Requirements:
*ExtensiveRoleCheck* requires python3.

*ExtensiveRoleCheck* works in offline mode. This means that you should first export the following `JSON` from your Kubernetes cluster configuration:
- Roles
- ClusterRoles
- RoleBindings
- ClusterRoleBindings

To export those files you will need access permissions in the Kubernetes cluster. To export them, you might use the following commands:
**Export RBAC Roles:**
```
kubectl get roles --all-namespaces -o json > Roles.json
```
**Export RBAC ClusterRoles:**
```
kubectl get clusterroles -o json > clusterroles.json
```
**Export RBAC RoleBindings:**
```
kubectl get rolebindings --all-namespaces -o json > rolebindings.json
```
**Export RBAC ClusterRoleBindings:**
```
kubectl get clusterrolebindings -o json > clusterrolebindings.json
```
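The exported files are `List` objects whose `items` each carry `rules` (for roles) or `roleRef` and `subjects` (for bindings). The following is an added sketch of an offline check over that shape, not code from ExtensiveRoleCheck; the `RISKY` criteria, the function names and the sample data are assumptions made for illustration, and `apiGroups` is ignored for brevity.

```python
# Assumed risk criteria for illustration (not ExtensiveRoleCheck's own list).
RISKY = {"secrets": {"get", "list", "watch"}, "pods": {"create"}, "pods/exec": {"create"},
         "roles": {"bind", "escalate"}, "clusterroles": {"bind", "escalate"}}
ALL_RISKY_VERBS = set().union(*RISKY.values())

def risky_rules(role):
    """Return sorted (resource, verb) pairs in one Role/ClusterRole that match RISKY."""
    hits = set()
    for rule in role.get("rules") or []:        # "rules" is null on some aggregated roles
        verbs = set(rule.get("verbs", []))
        for res in rule.get("resources", []):   # nonResourceURLs rules carry no "resources"
            wanted = ALL_RISKY_VERBS if res == "*" else RISKY.get(res, set())
            matched = wanted if "*" in verbs else verbs & wanted
            if res == "*" and "*" in verbs:     # full wildcard: report it as such
                matched = {"*"}
            hits.update((res, v) for v in matched)
    return sorted(hits)

def audit(roles, bindings):
    """Map (namespace, role name) -> risky rules plus the subjects bound to that role."""
    findings = {}
    for role in roles["items"]:
        hits = risky_rules(role)
        if hits:
            meta = role["metadata"]
            findings[(meta.get("namespace"), meta["name"])] = {"rules": hits, "subjects": []}
    for b in bindings["items"]:
        ref = b["roleRef"]
        # A RoleBinding may reference a ClusterRole; only Role refs are namespaced.
        ns = b["metadata"].get("namespace") if ref["kind"] == "Role" else None
        entry = findings.get((ns, ref["name"]))
        if entry:
            entry["subjects"] += [f'{s["kind"]}/{s["name"]}' for s in b.get("subjects") or []]
    return findings

# Constructed sample data in the List/"items" shape that `kubectl get ... -o json` emits.
ROLES = {"items": [
    {"metadata": {"name": "secret-reader"},
     "rules": [{"resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "admin-ish"}, "rules": [{"resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "aggregated"}, "rules": None},
]}
BINDINGS = {"items": [
    {"metadata": {"name": "ci", "namespace": "build"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci"}]},
]}

if __name__ == "__main__":
    print(audit(ROLES, BINDINGS))
```

To run it against real exports, load the files with `json.load` and pass the ClusterRoles and Roles lists together with the matching bindings lists to `audit`.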
## Example & output:
**Usage**
```
python ExtensiveRoleCheck.py --clusterRole clusterroles.json --role Roles.json --rolebindings rolebindings.json --cluseterolebindings clusterrolebindings.json
```
![Output example](https://github.com/cyberark/kubernetes-rbac-audit/blob/master/output-example.png)

## Maintainers:
Or Ida: [email protected]