NotificationsYou must be signed in to change notification settings
Fork38
Star343

Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego

www.paloaltonetworks.com/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms

License

MIT license

343 stars 38 forks Branches Tags Activity

Star

Notifications

You must be signed in to change notification settings

Branches Tags

Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 50 Commits
.github/workflows		.github/workflows
cmd		cmd
docs		docs
lib		lib
pkg		pkg
utils		utils
.gitignore		.gitignore
.goreleaser.yaml		.goreleaser.yaml
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
SUPPORT.md		SUPPORT.md
go.mod		go.mod
go.sum		go.sum
main.go		main.go

Repository files navigation

rbac-police

Retrieve the RBAC permissions of Kubernetes identities - service accounts, pods, nodes, users and groups - and evaluate them using policies written in Rego.

Thepolicy library includes over 20 policies that detect identities possessing risky permissions, each alerting on a different attack path.

Quick Start

Clone the repository:

git clone https://github.com/PaloAltoNetworks/rbac-police&&cd rbac-police

Either installrbac-police from a release:

OS=linux# OS=darwinARCH=amd64# ARCH=arm64LATEST_TAG=$(curl -s https://api.github.com/repos/PaloAltoNetworks/rbac-police/releases/latest| jq -r'.tag_name')curl -L -o rbac-police"https://github.com/PaloAltoNetworks/rbac-police/releases/download/${LATEST_TAG}/rbac-police_${LATEST_TAG}_${OS}_${ARCH}"&& chmod +x rbac-police

Or build it withGolang>=1.16:

go build

Connectkubectl to a Kubernetes cluster.
Evaluate RBAC permissions and identify privilege escalation paths in your cluster using the default policy library:
```
./rbac-police eval lib/
```
Inspect the permissions of violating principals and identify the Roles and ClusterRoles granting them risky privileges. See the Recommendations sectionhere for remediation advice.
```
./rbac-police expand -z sa=production-ns:violating-sa
```

Usage

Set severity threshold

Only evaluate policies with a severity equal to or higher than a threshold.

./rbac-police eval lib/ -s High

Inspect the permissions of specific identities

./rbac-police expand -z sa=kube-system:metrics-server./rbac-police expand -z user=example@email.com./rbac-police expand # all identities

Discover protections

Improve accuracy by considering features gates and admission controllers that can protect against certain attacks. Note thatNodeRestriction is identified by impersonating a node anddry-run creating a pod, which may be logged by some systems.

./rbac-police eval lib/ -w

Configure violation types

Control which identities are evaluated for violations, default aresa,node,combined (seepolicies.md for more information).

./rbac-police eval lib/ --violations sa,user./rbac-police eval lib/ --violations all # sa,node,combined,user,group

Note that by default,rbac-police only looks into service accounts assigned to a pod. Use-a to include all service accounts.

Scope to a namespace

Only look into service accounts and pods from a certain namespace.

./rbac-police eval lib/ -n production

Only SAs that exist on all nodes

Only alert on service accounts that exist on all nodes. Useful for identifying violating DaemonSets.

./rbac-police eval lib/ --only-sas-on-all-nodes

Ignore control plane

Ignore control plane pods and nodes in clusters that host the control plane.

./rbac-police eval lib/ --ignore-controlplane

Collect once for multiple evaluations

./rbac-police collect -o rbacDb.json./rbac-police eval lib/ rbacDb.json -s High./rbac-police eval lib/ rbacDb.json -s Medium --only-sas-on-all-nodes./rbac-police expand rbacDb.json -z sa=ns:violating-sa