audit2rbac

Overview

audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.

• Latest release, pre-built binaries
• All releases

Demo Video

User Instructions

1. Obtain a Kubernetes audit log containing all the API requests you expect your user to perform:

   • The log must be in JSON format. This requires running an API server with an --audit-policy-file defined. See documentation for more details.
   • audit.k8s.io/v1, audit.k8s.io/v1beta1 and audit.k8s.io/v1alpha1 events are supported.
   • The Metadata log level works best to minimize log size.
   • To exercise all API calls, it is sometimes necessary to grant broad access to a user or application to avoid short-circuiting code paths on failed API requests. This should be done cautiously, ideally in a development environment.
   • A sample audit policy and a sample audit log containing requests from alice, bob, and the service account ns1:sa1 is available.

2. Identify a specific user you want to scan for audit events for and generate roles and role bindings for:

   • Specify a normal user with --user <username>
   • Specify a service account with --serviceaccount <namespace>:<name>

3. Run audit2rbac, capturing the output:

   audit2rbac -f https://git.io/v51iG --user alice             > alice-roles.yaml
   audit2rbac -f https://git.io/v51iG --user bob               > bob-roles.yaml
   audit2rbac -f https://git.io/v51iG --serviceaccount ns1:sa1 > sa1-roles.yaml

4. Inspect the output to verify the generated roles/bindings:

   more alice-roles.yaml

   apiVersion: rbac.authorization.k8s.io/v1
   kind: Role
   metadata:
     labels:
       audit2rbac.liggitt.net/generated: "true"
       audit2rbac.liggitt.net/user: alice
     name: audit2rbac:alice
     namespace: ns1
   rules:
   - apiGroups:
     - ""
     resources:
     - configmaps
     - pods
     - secrets
     verbs:
     - get
     - list
     - watch
   ---
   apiVersion: rbac.authorization.k8s.io/v1
   kind: RoleBinding
   metadata:
     labels:
       audit2rbac.liggitt.net/generated: "true"
       audit2rbac.liggitt.net/user: alice
     name: audit2rbac:alice
     namespace: ns1
   roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: Role
     name: audit2rbac:alice
   subjects:
   - apiGroup: rbac.authorization.k8s.io
     kind: User
     name: alice

5. Load the generated roles/bindings:

   kubectl create -f roles.yaml
   
   role "audit2rbac:alice" created
   rolebinding "audit2rbac:alice" created

Developer Instructions

Requirements:

• Go 1.17+

To build and install from source:

go get -d github.com/liggitt/audit2rbac
cd $GOPATH/src/github.com/liggitt/audit2rbac
git fetch --tags
make install-deps
make install