audit2rbac

module

v0.5.0 Latest Latest Go to latest Published: Dec 10, 2017 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/jpweber/audit2rbac

Links

Open Source Insights

README ¶

audit2rbac

Overview

audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.

Demo Video

User Instructions

Obtain a Kubernetes audit log containing all the API requests you expect your user to perform:
- The log must be in JSON format. This requires running an API server with --feature-gates=AdvancedAudit=true and an --audit-policy-file defined. See documentation for more details.
- v1alpha1 or v1beta1 audit events are supported.
- The Metadata log level works best to minimize log size.
- To exercise all API calls, it is sometimes necessary to grant broad access to a user or application to avoid short-circuiting code paths on failed API requests. This should be done cautiously, ideally in a development environment.
- A sample log containing requests from alice, bob, and the service account ns1:sa1 is available.
Identify a specific user you want to scan for audit events for and generate roles and role bindings for:
- Specify a normal user with --user <username>
- Specify a service account with --serviceaccount <namespace>:<name>

Run audit2rbac, capturing the output:

audit2rbac -f https://git.io/v51iG --user alice             > alice-roles.yaml
audit2rbac -f https://git.io/v51iG --user bob               > bob-roles.yaml
audit2rbac -f https://git.io/v51iG --serviceaccount ns1:sa1 > sa1-roles.yaml

Inspect the output to verify the generated roles/bindings:

more alice-roles.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: alice
  name: audit2rbac:alice
  namespace: ns1
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: null
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: alice
  name: audit2rbac:alice
  namespace: ns1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: audit2rbac:alice
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice

Load the generated roles/bindings:

kubectl create -f roles.yaml

role "audit2rbac:alice" created
rolebinding "audit2rbac:alice" created

Developer Instructions

Requirements:

Go 1.8+
Glide 0.12.3+

To build and install from source:

go get -d github.com/liggitt/audit2rbac
cd $GOPATH/src/github.com/liggitt/audit2rbac
git fetch --tags
make install-deps
make install

Directories ¶

Path	Synopsis
cmd
audit2rbac
pkg

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL