rbac-audit

command module

v0.0.0-...-a6cfa0a Latest Latest Go to latest Published: Jun 14, 2021 License: Apache-2.0 Imports: 10 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/imjasonh/rbac-audit

Links

Open Source Insights

README ¶

`rbac-audit`

Have you ever wondered whether your controller actually needs all the permissions it has granted to it? Wonder no more!

This repo contains scripts to start a KinD cluster configured to keep audit logs for API resource access. You can run e2e tests against this cluster to exercise your system, then run main.go to generate a readable RBAC policy for your controller's service account.

The tools generate two RBAC policies:

A namespaced Role for the namespace the controller runs inside, consisting of requests for resources in that SA's namespace
A cluster-scoped ClusterRole for any resources accessed outside of the controller namespace.

Caveats

Only API requests made during e2e tests are considered; you have written comprehensive e2e tests, right? ...Right?!
It's an early demo, not yet generalized for any system.
This is hacky, buggy software. Don't rely on it for anything mission-critical. Manually inspect the diff and use your human brain.

Examples

Tekton Pipelines

./kind_audit_cluster.sh       # setup cluster
./tekton-e2e.sh               # run e2e tests
go run ./ > tekton-rbac.yaml  # generate RBAC policy

See tekton-rbac.yaml

Shipwright Build and other systems

By default, the tools track access by the tekton-pipelines-controller SA, in the tekton-pipelines namespace.

You can override these with args to ./kind_audit_cluster.sh and main.go:

./kind_audit_cluster.sh shipwright-build shipwright-build-controller
./shipwright-e2e.sh  # run e2e tests
go run ./ \
    --namespace shipwright-build \
    --serviceaccount shipwright-build-controller > shipwright-rbac.yaml

See shipwright-rbac.yaml

Known Issues

The OwnerReferencesPermissionEnforcement admission controller requires additional permissions to be able to set OwnerReferences on objects, which rbac-audit won't detect. If your controller sets OwnerReferences, especially with blockOwnerDeletion, and you expect to have this admission controller enabled, take this into consideration.

TODO

attempt to further limit policies to only resourceNames that are accessed
concisely diff two policies to determine gaps (canonicalizing RBAC rule YAMLs)
generate Markdown from RBAC policies to easily communicate permissions to users
replicate audit2rbac's awesome demo
have kind_audit_cluster.sh replace your previous kubeconfig when it's done with the cluster

Acknowledgements

This work is heavily inspired by https://github.com/liggitt/audit2rbac, though I didn't know about it when I started writing this. That repo has a fantastic demo video.

This wouldn't be possible without KinD. ❤️

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL