Autogenerate RBAC policies based on Kubernetes audit logs
audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.
Obtain a Kubernetes audit log containing all the API requests you expect your user to perform:
  - The kube-apiserver must be running with --audit-policy-file defined. See the Kubernetes audit documentation for more details. audit.k8s.io/v1, audit.k8s.io/v1beta1 and audit.k8s.io/v1alpha1 events are supported.
  - The Metadata log level works best to minimize log size.
  - A sample audit log (https://git.io/v51iG, used in the commands below) containing requests from alice, bob, and the service account ns1:sa1 is available.
Identify a specific user you want to scan for audit events for and generate roles and role bindings for:
  - a regular user: --user <username>
  - a service account: --serviceaccount <namespace>:<name>
Run audit2rbac, capturing the output:
audit2rbac -f https://git.io/v51iG --user alice > alice-roles.yaml
audit2rbac -f https://git.io/v51iG --user bob > bob-roles.yaml
audit2rbac -f https://git.io/v51iG --serviceaccount ns1:sa1 > sa1-roles.yaml
Inspect the output to verify the generated roles/bindings:
more alice-roles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: alice
  name: audit2rbac:alice
  namespace: ns1
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: alice
  name: audit2rbac:alice
  namespace: ns1
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: audit2rbac:alice
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: alice
Load the generated roles/bindings (the file written in the previous step):
kubectl create -f alice-roles.yaml
role "audit2rbac:alice" created
rolebinding "audit2rbac:alice" created
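To make the aggregation behind the generated Role concrete, here is a small added Python script (not audit2rbac's own code) that reads audit.k8s.io/v1 Metadata-level events as JSON lines, keeps only completed, successful requests by one user, and groups them into per-namespace rules. The event records are constructed sample data, not the page's sample log; denied (403) requests are deliberately excluded so a failed attempt never becomes a granted permission.

```python
import json
from collections import defaultdict


def _event(user, verb, resource, ns, group="", code=200, stage="ResponseComplete"):
    """Build a minimal audit.k8s.io/v1 Metadata-level event (constructed sample data)."""
    return {"apiVersion": "audit.k8s.io/v1", "kind": "Event", "level": "Metadata",
            "stage": stage, "user": {"username": user}, "verb": verb,
            "objectRef": {"resource": resource, "namespace": ns, "apiGroup": group},
            "responseStatus": {"code": code}}


# Constructed JSON-lines audit log: alice reads pods/secrets/deployments, one denied delete,
# one event at an earlier stage of a request already counted, and a request by bob.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("alice", "get", "pods", "ns1"),
    _event("alice", "list", "pods", "ns1"),
    _event("alice", "get", "secrets", "ns1"),
    _event("alice", "list", "deployments", "ns1", group="apps"),
    _event("alice", "delete", "pods", "ns1", code=403),            # denied: must not be granted
    _event("alice", "get", "pods", "ns1", stage="RequestReceived"),  # same request, earlier stage
    _event("bob", "get", "configmaps", "ns1"),
])


def rules_for_user(log_text, username):
    """Return {namespace: {(apiGroup, resource): [verbs]}} for completed 2xx requests by username.

    Each request is logged at several stages; only ResponseComplete is counted so a request
    is not double-counted, and only 2xx responses so denied attempts do not widen the role.
    """
    rules = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("user", {}).get("username") != username or ev.get("stage") != "ResponseComplete":
            continue
        if not 200 <= ev.get("responseStatus", {}).get("code", 0) < 300:
            continue
        ref = ev.get("objectRef")
        if not ref:  # non-resource URL such as /healthz; needs ClusterRole nonResourceURLs instead
            continue
        rules[ref.get("namespace", "")][(ref.get("apiGroup", ""), ref["resource"])].add(ev["verb"])
    return {ns: {k: sorted(v) for k, v in r.items()} for ns, r in rules.items()}


def to_role_manifest(username, namespace, ns_rules):
    """Render one namespace's rules as an rbac.authorization.k8s.io/v1 Role, one rule per resource."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": f"audit2rbac:{username}", "namespace": namespace},
            "rules": [{"apiGroups": [g], "resources": [res], "verbs": verbs}
                      for (g, res), verbs in sorted(ns_rules.items())]}
```

Running `print(json.dumps(to_role_manifest("alice", "ns1", rules_for_user(SAMPLE_LOG, "alice")["ns1"]), indent=2))` yields a Role with get/list on pods, get on secrets and list on apps/deployments, and no delete.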
Requirements:
To build and install from source:
go get -d github.com/liggitt/audit2rbac
cd $GOPATH/src/github.com/liggitt/audit2rbac
git fetch --tags
make install-deps
make install