DataDog / KubeHound

Kubernetes Attack Graph
https://kubehound.io
Apache License 2.0

2/3 attacks on role bind #134

Closed jt-dd closed 8 months ago

jt-dd commented 9 months ago

Everything has been documented in the ROLE_BIND.md file, but in a nutshell, the role bind attack has been divided into 4 parts:

| Usecase # | Coverage | Description |
|---|---|---|
| 1 | Full | N/A |
| 2 | Limited | All the PermissionSet that are not namespaced are linked to a single specific namespace. Yet, this attack allows binding a role to any namespace. Therefore, we would need to create additional PermissionSet for every namespace if we want to fully cover the attack. |
| 3 | Full | N/A |
| 4 | None | To cover this usecase, we need to duplicate a non-namespaced PermissionSet to a namespaced one. |

d0g0x01 commented 9 months ago

Need to update the docs with more details on the attack as discussed

jt-dd commented 9 months ago

> I think there is some logic missing in the role_bind_namespace case

For me it checks both at the same time. You prefer one check for each?

d0g0x01 commented 9 months ago

> > I think there is some logic missing in the role_bind_namespace case
>
> For me it checks both at the same time. You prefer one check for each?

Where does it check the RBAC condition? I might be missing it but I don't see it?

d0g0x01 commented 8 months ago

Can you run this against a large cluster, e.g. gizmo, to verify the performance impact?