Skip to content
/ audit2rbac Public

Autogenerate RBAC policies based on Kubernetes audit logs

License

View license
1.1k stars 80 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

liggitt/audit2rbac

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
build
build
 
 
cmd/audit2rbac
cmd/audit2rbac
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
NOTICE
NOTICE
 
 
README.md
README.md
 
 
glide.lock
glide.lock
 
 
glide.yaml
glide.yaml
 
 

Repository files navigation

audit2rbac

Overview

audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.

audit2rbac is in the nascent stages of development, and will change internal and external interfaces before a stable release.

User Instructions

  1. Obtain a Kubernetes audit log containing all the API requests you expect your user to perform
    • The log must be in JSON format (requires running an API server with --feature-gates=AdvancedAudit=true and a --audit-policy-file defined... see documentation for more details)
    • v1alpha1 or v1beta1 audit events are supported
    • The Metadata log level works best to minimize log size
    • To exercise all API calls, it is sometimes necessary to grant broad access to a user or application to avoid short-circuiting code paths on failed API requests. This should be done cautiously, ideally in a development environment.
  2. Identify a specific user you want to generate roles for. This can be a normal user with a username like bob or a service account with a username like system:serviceaccount:my-namespace:my-service-account.
  3. Run audit2rbac, capturing the output 
    audit2rbac --filename audit.log --user system:serviceaccount:my-namespace:my-user > roles.yaml

Loading events...............................................
Evaluating API calls...
Generating roles...
Complete!
  4. Inspect the output to verify the generated roles/bindings: 
    more roles.yaml 

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: my-user
  name: audit2rbac:my-user
rules:
- apiGroups:
...
  5. Load the generated roles/bindings: 
    kubectl create -f roles.yaml

clusterrole "audit2rbac:my-user" created
clusterrolebinding "audit2rbac:my-user" created
role "audit2rbac:my-user" created
rolebinding "audit2rbac:my-user" created

Developer Instructions

Requirements:

  • Go 1.8+
  • Glide 0.12.3+

To download, install dependencies, and build:

go get -d github.com/liggitt/audit2rbac
cd $GOPATH/src/github.com/liggitt/audit2rbac
git fetch --tags
make install-deps
make

About

Autogenerate RBAC policies based on Kubernetes audit logs

Topics

kubernetes openshift audit authorization rbac

Resources

Readme

License

View license
Activity

Stars

1.1k stars

Watchers

34 watching

Forks

80 forks
Report repository

Releases 10

v0.10.0 Latest
Feb 8, 2023
+ 9 releases

Packages

No packages published

Languages