rbac-police

Retrieve the RBAC permissions of serviceAccounts, pods and nodes in a Kubernetes cluster, and evaluate them using policies written in Rego.

The default policy library includes ~20 policies that identify serviceAccounts, pods and nodes that possess risky permissions, each detecting a different attack path. See the Recommendations section here for advice on addressing powerful permissions in Kubernetes clusters.

Quick Start

  1. Clone the repository:

    git clone https://github.com/PaloAltoNetworks/rbac-police && cd rbac-police

  2. Either install rbac-police from a release:

    OS=linux  # OS=darwin
    ARCH=amd64  # ARCH=arm64
    LATEST_TAG=$(curl -s https://api.github.com/repos/PaloAltoNetworks/rbac-police/releases/latest | jq -r '.tag_name')
    curl -L -o rbac-police "https://github.com/PaloAltoNetworks/rbac-police/releases/download/${LATEST_TAG}/rbac-police_${LATEST_TAG}_${OS}_${ARCH}" && chmod +x rbac-police

    Or build it with Golang>=1.16:

    go build

  3. Connect kubectl to a Kubernetes cluster.

  4. Evaluate RBAC permissions and identify privilege escalation paths in your cluster using the default policy library:

    ./rbac-police eval lib/

Usage

Set severity threshold

Only evaluate policies with a severity equal to or higher than a threshold.

./rbac-police eval lib/ -s High

Scope to a namespace

Collect and evaluate RBAC permissions in a certain namespace.

./rbac-police eval lib/ -n production

Only alert on SAs that exist on all nodes

Only consider violations from service accounts that exist on all nodes. Useful for identifying violating DaemonSets.

./rbac-police eval lib/ --only-sas-on-all-nodes

Discover protections

Improve accuracy by identifying security-related feature gates and admission controllers that can protect against certain attacks. Please note that NodeRestriction is identified by impersonating a node and dry-run creating a pod, which may be logged by some systems.

./rbac-police eval lib/ -w

Ignore control plane

Ignore control plane pods and nodes in clusters that host the control plane.

./rbac-police eval lib/ --ignore-controlplane

Nodes don't use NodeAuthorizer

Specify a custom user used by nodes in clusters that don't use the NodeAuthorizer.

./rbac-police eval lib/ --node-user=nodeclient

Collect once for multiple evaluations

./rbac-police collect -o rbacDb.json
./rbac-police eval lib/ rbacDb.json -s Critical
./rbac-police eval lib/ rbacDb.json --only-sas-on-all-nodes
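As an added example (not rbac-police's own code, and not its rbacDb.json layout or Rego policy interface), the following Python models how the three filters above combine: the severity threshold (-s), namespace scoping (-n) and the only-SAs-on-all-nodes restriction, evaluated over a constructed RBAC snapshot and a few constructed policies so the effect of each flag can be checked offline.

```python
# Simplified model of rbac-police's evaluation filters (added example).
# The record layout below is CONSTRUCTED for illustration; it is not the
# tool's real rbacDb.json schema.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed snapshot: each serviceAccount with its effective RBAC rules
# and the nodes on which a pod using it runs.
RBAC_DB = {
    "nodes": ["node-a", "node-b"],
    "serviceAccounts": [
        {"name": "logger", "namespace": "kube-system", "nodes": ["node-a", "node-b"],
         "rules": [{"verbs": ["get", "list"], "resources": ["pods"]}]},
        {"name": "deployer", "namespace": "production", "nodes": ["node-a"],
         "rules": [{"verbs": ["create"], "resources": ["pods"]}]},
        {"name": "secret-reader", "namespace": "production", "nodes": ["node-a", "node-b"],
         "rules": [{"verbs": ["*"], "resources": ["secrets"]}]},
    ],
}

# Constructed policies: one risky (verb, resource) pair each, with a severity.
POLICIES = [
    {"name": "create-pods", "severity": "High", "verb": "create", "resource": "pods"},
    {"name": "list-secrets", "severity": "Critical", "verb": "list", "resource": "secrets"},
    {"name": "list-pods", "severity": "Low", "verb": "list", "resource": "pods"},
]

def allows(rules, verb, resource):
    """True if any rule grants verb on resource; '*' wildcards match as in RBAC."""
    return any(
        (verb in r["verbs"] or "*" in r["verbs"])
        and (resource in r["resources"] or "*" in r["resources"])
        for r in rules
    )

def evaluate(db, policies, severity="Low", namespace=None, only_sas_on_all_nodes=False):
    """Return (policy name, namespace/sa) violations after applying the filters."""
    threshold = SEVERITY[severity]
    all_nodes = set(db["nodes"])
    violations = []
    for pol in policies:
        if SEVERITY[pol["severity"]] < threshold:
            continue  # -s: skip policies below the severity threshold
        for sa in db["serviceAccounts"]:
            if namespace and sa["namespace"] != namespace:
                continue  # -n: only service accounts in that namespace
            if only_sas_on_all_nodes and not all_nodes <= set(sa["nodes"]):
                continue  # --only-sas-on-all-nodes: DaemonSet-like SAs only
            if allows(sa["rules"], pol["verb"], pol["resource"]):
                violations.append((pol["name"], f'{sa["namespace"]}/{sa["name"]}'))
    return violations
```

With no filters all three constructed policies fire; raising the threshold to Critical leaves only the secrets finding, and adding the all-nodes restriction drops the single-node deployer account.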

Manually inspect RBAC permissions

./rbac-police expand

Or:

./rbac-police collect -o rbacDb.json
./rbac-police expand rbacDb.json

Documentation

Media Mentions

Radiohead:

rbac-police, I've given all I can. It's not enough...

N.W.A:

rbac-police comin' straight from the underground!

Copyright © 2022 Palo Alto Networks, Inc. All rights reserved.