Codegazers / rbac-audit

Generate K8s RBAC policies based on e2e test runs


rbac-audit

Have you ever wondered whether your controller actually needs all the permissions it has granted to it? Wonder no more!

This repo contains scripts to start a KinD cluster configured to keep audit logs for API resource access. You can run e2e tests against this cluster to exercise your system, then run main.go to generate a readable RBAC policy for your controller's service account.

The tools generate two RBAC policies:

  1. A namespaced Role in the namespace the controller runs in, covering requests for resources inside that service account's namespace.
  2. A cluster-scoped ClusterRole covering any resources accessed outside the controller's namespace.
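The namespace split described above, written out in Go as an added example (this is not the repo's main.go). It reads audit.k8s.io/v1 events in the newline-delimited JSON form the kube-apiserver writes to its audit log, keeps only ResponseComplete requests made by the named service account, and buckets each (apiGroup, resource) pair into Role rules when the object lives in the controller's namespace and ClusterRole rules otherwise (other namespaces, or cluster-scoped requests with no namespace at all). The sample audit lines are constructed, and the function names, the subresource handling (pods/status) and the manifest rendering are my assumptions, not the project's code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// auditEvent: the fields of an audit.k8s.io/v1 Event we need (encoding/json matches keys case-insensitively).
type auditEvent struct {
	Stage, Verb string
	User        struct{ Username string }
	ObjectRef   *struct{ APIGroup, Resource, Subresource, Namespace string }
}

// policyRule is one RBAC rule: a single API group and resource with sorted verbs.
type policyRule struct {
	APIGroup, Resource string
	Verbs              []string
}

// verbSet accumulates the verbs seen per (apiGroup, resource[/subresource]) key.
type verbSet map[[2]string]map[string]bool

// generateRules parses newline-delimited audit JSON and splits the requests made by
// namespace/serviceAccount into Role rules (same namespace) and ClusterRole rules (anything else).
func generateRules(auditLog, namespace, serviceAccount string) ([]policyRule, []policyRule, error) {
	user := "system:serviceaccount:" + namespace + ":" + serviceAccount
	role, cluster := verbSet{}, verbSet{}
	for _, line := range strings.Split(auditLog, "\n") {
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, nil, fmt.Errorf("malformed audit line: %w", err)
		}
		// Only completed requests by the target SA against an API resource count (RequestReceived would double-count).
		if ev.Stage != "ResponseComplete" || ev.User.Username != user || ev.ObjectRef == nil {
			continue
		}
		res := ev.ObjectRef.Resource
		if ev.ObjectRef.Subresource != "" {
			res += "/" + ev.ObjectRef.Subresource // e.g. pods/status
		}
		target := cluster
		if ev.ObjectRef.Namespace == namespace {
			target = role
		}
		key := [2]string{ev.ObjectRef.APIGroup, res}
		if target[key] == nil {
			target[key] = map[string]bool{}
		}
		target[key][ev.Verb] = true
	}
	return role.rules(), cluster.rules(), nil
}

// rules flattens the set into deterministic, sorted policy rules so output can be diffed.
func (s verbSet) rules() []policyRule {
	var out []policyRule
	for k, vs := range s {
		var verbs []string
		for v := range vs {
			verbs = append(verbs, v)
		}
		sort.Strings(verbs)
		out = append(out, policyRule{k[0], k[1], verbs})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].APIGroup+"/"+out[i].Resource < out[j].APIGroup+"/"+out[j].Resource })
	return out
}

// renderRole emits a minimal rbac.authorization.k8s.io/v1 manifest: kind "Role" with a namespace, or "ClusterRole" with "".
func renderRole(kind, name, namespace string, rules []policyRule) string {
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: rbac.authorization.k8s.io/v1\nkind: %s\nmetadata:\n  name: %s\n", kind, name)
	if namespace != "" {
		fmt.Fprintf(&b, "  namespace: %s\n", namespace)
	}
	b.WriteString("rules:\n")
	for _, r := range rules {
		fmt.Fprintf(&b, "- apiGroups: [%q]\n  resources: [%q]\n  verbs: [\"%s\"]\n", r.APIGroup, r.Resource, strings.Join(r.Verbs, `", "`))
	}
	return b.String()
}

// sampleAuditLog is constructed for this example, not a real capture; the last two
// events (RequestReceived stage, a different user) must be ignored by the generator.
const sampleAuditLog = `
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"},"objectRef":{"apiGroup":"","resource":"configmaps","namespace":"tekton-pipelines"}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"},"objectRef":{"apiGroup":"","resource":"configmaps","namespace":"tekton-pipelines"}}
{"stage":"ResponseComplete","verb":"update","user":{"username":"system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"},"objectRef":{"apiGroup":"","resource":"pods","subresource":"status","namespace":"default"}}
{"stage":"ResponseComplete","verb":"watch","user":{"username":"system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"},"objectRef":{"apiGroup":"tekton.dev","resource":"pipelineruns"}}
{"stage":"RequestReceived","verb":"get","user":{"username":"system:serviceaccount:tekton-pipelines:tekton-pipelines-controller"},"objectRef":{"apiGroup":"","resource":"secrets","namespace":"tekton-pipelines"}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-scheduler"},"objectRef":{"apiGroup":"","resource":"pods","namespace":"default"}}
`
```

On the sample input the Role ends up with a single configmaps rule carrying get and list, while the pods/status update in another namespace and the cluster-wide pipelineruns watch land in the ClusterRole. Two choices matter for correctness: filtering on the ResponseComplete stage (the apiserver logs RequestReceived and ResponseComplete for the same call, so counting both inflates nothing but is sloppy) and matching the full `system:serviceaccount:<ns>:<name>` username, so requests from other identities in the same cluster never leak into the controller's policy.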

Caveats

  • Only API requests made during e2e tests are considered; you have written comprehensive e2e tests, right? ...Right?!
  • It's an early demo, not yet generalized to arbitrary systems.
  • This is hacky, buggy software. Don't rely on it for anything mission-critical. Manually inspect the diff and use your human brain.

Examples

./kind_audit_cluster.sh       # setup cluster
./tekton-e2e.sh               # run e2e tests
go run ./ > tekton-rbac.yaml  # generate RBAC policy

See tekton-rbac.yaml

Shipwright Build and other systems

By default, the tools track access by the tekton-pipelines-controller SA, in the tekton-pipelines namespace.

You can override these with args to ./kind_audit_cluster.sh and main.go:

./kind_audit_cluster.sh shipwright-build shipwright-build-controller
./shipwright-e2e.sh  # run e2e tests
go run ./ \
    --namespace shipwright-build \
    --serviceaccount shipwright-build-controller > shipwright-rbac.yaml

See shipwright-rbac.yaml

TODO

  • attempt to further limit policies to only resourceNames that are accessed
  • concisely diff two policies to determine gaps (canonicalizing RBAC rule YAMLs)
  • generate Markdown from RBAC policies to easily communicate permissions to users
  • replicate audit2rbac's awesome demo
  • have kind_audit_cluster.sh replace your previous kubeconfig when it's done with the cluster

Acknowledgements

This work is heavily inspired by https://github.com/liggitt/audit2rbac, though I didn't know about it when I started writing this. That repo has a fantastic demo video.

This wouldn't be possible without KinD. ❤️


License: Apache License 2.0

