DataDog / managed-kubernetes-auditing-toolkit

All-in-one auditing toolkit for identifying common security issues in managed Kubernetes environments. Currently supports Amazon EKS.
Apache License 2.0
319 stars 18 forks

Implement stronger policy evaluation logic #2

Closed christophetd closed 1 year ago

christophetd commented 1 year ago

closes #1 closes #4

The initial mkat version was doing basic string matching to figure out if a specific pod could assume a specific role. In this PR I implemented a more robust IAM evaluation engine, including support for StringLike and StringEquals on condition keys.

Then, the main logic is:

  1. Iterate over all the (namespace, service account, IAM role) combinations
  2. Evaluate the role trust policy against the relevant authorization context (see https://github.com/DataDog/managed-kubernetes-auditing-toolkit/blob/aws-policy-evaluation/pkg/managed-kubernetes-auditing-toolkit/eks/role_relationships/roles_resolver.go#L96-L111)
  3. If the decision is Allow, then consider that the pod can assume that role
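To make the three steps above concrete, the following is an added example of a small trust-policy evaluation engine in Go; it is not code from this PR or from mkat, and it does not follow the project's own types. It assumes a hypothetical OIDC issuer, account id, role names and service accounts (all constructed sample data), supports only the StringEquals and StringLike operators with single-string condition values, expects `Statement` in its array form, and skips Principal matching on the assumption that the caller is the cluster's own OIDC provider. It goes slightly beyond the description in the PR by giving an explicit Deny precedence over Allow and by matching action names case-insensitively with wildcards, which is how IAM evaluates them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// AuthContext is what a pod presents to sts:AssumeRoleWithWebIdentity through IRSA.
// Issuer is the cluster's OIDC provider host (a hypothetical value in the sample data).
type AuthContext struct{ Issuer, Namespace, ServiceAccount string }

// ConditionKeys derives the "<issuer>:sub" and "<issuer>:aud" condition keys that the
// pod's projected service-account token carries.
func (c AuthContext) ConditionKeys() map[string]string {
	return map[string]string{
		c.Issuer + ":sub": "system:serviceaccount:" + c.Namespace + ":" + c.ServiceAccount,
		c.Issuer + ":aud": "sts.amazonaws.com",
	}
}

// statement is a simplified model: single-string Action and condition values only
// (IAM also accepts arrays; those surface as a parse error here rather than a wrong verdict).
type statement struct {
	Effect, Action string
	Condition      map[string]map[string]string // operator -> condition key -> value
}

// globMatch implements StringLike: '*' matches any run of characters, '?' exactly one;
// the match is anchored and case-sensitive, as IAM's StringLike is.
func globMatch(pattern, s string) bool {
	re := strings.NewReplacer(`\*`, ".*", `\?`, ".").Replace(regexp.QuoteMeta(pattern))
	return regexp.MustCompile("(?s)^" + re + "$").MatchString(s)
}

// conditionMatches applies a Condition block: every operator and key must hold (AND).
// A key missing from the request, or an operator this engine does not implement,
// fails closed so the audit never reports an Allow it cannot justify.
func conditionMatches(cond map[string]map[string]string, ctx map[string]string) bool {
	for op, keys := range cond {
		for key, want := range keys {
			actual, present := ctx[key]
			ok := present && ((op == "StringEquals" && want == actual) ||
				(op == "StringLike" && globMatch(want, actual)))
			if !ok {
				return false
			}
		}
	}
	return true
}

// Evaluate reports whether the pod described by ctx can assume the role with this trust
// policy: an explicit Deny wins over any Allow, and no matching statement is an implicit
// Deny. Principal matching is omitted (caller assumed to be the cluster's OIDC provider).
func Evaluate(trustPolicyJSON string, ctx AuthContext) (bool, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal([]byte(trustPolicyJSON), &p); err != nil {
		return false, fmt.Errorf("parse trust policy: %w", err)
	}
	keys, allowed := ctx.ConditionKeys(), false
	for _, st := range p.Statement {
		// IAM compares action names case-insensitively and accepts wildcards such as "sts:*".
		if !globMatch(strings.ToLower(st.Action), "sts:assumerolewithwebidentity") ||
			!conditionMatches(st.Condition, keys) {
			continue
		}
		if st.Effect == "Deny" {
			return false, nil
		}
		allowed = true
	}
	return allowed, nil
}

// Constructed sample data (not real account or cluster values): one role scoped to a single
// service account, and one whose StringLike wildcard admits every pod in the cluster.
const issuer = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLECLUSTERID"

var scopedPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRoleWithWebIdentity",
  "Principal":{"Federated":"arn:aws:iam::111122223333:oidc-provider/` + issuer + `"},
  "Condition":{"StringEquals":{"` + issuer + `:sub":"system:serviceaccount:default:my-sa","` + issuer + `:aud":"sts.amazonaws.com"}}}]}`

var wildcardPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRoleWithWebIdentity",
  "Principal":{"Federated":"arn:aws:iam::111122223333:oidc-provider/` + issuer + `"},
  "Condition":{"StringLike":{"` + issuer + `:sub":"system:serviceaccount:*:*"}}}]}`

func main() {
	// The loop from the PR: for every (namespace, service account, role), report Allow decisions.
	pods := []AuthContext{{issuer, "default", "my-sa"}, {issuer, "kube-system", "other-sa"}}
	roles := map[string]string{"scoped-role": scopedPolicy, "wildcard-role": wildcardPolicy}
	for _, pod := range pods {
		for name, pol := range roles {
			if ok, err := Evaluate(pol, pod); err != nil {
				panic(err)
			} else if ok {
				fmt.Printf("%s/%s can assume %s\n", pod.Namespace, pod.ServiceAccount, name)
			}
		}
	}
}
```

Running it shows the difference the evaluation engine is meant to surface: `scoped-role` is reachable only from `default/my-sa`, while `wildcard-role`, whose `StringLike` condition is `system:serviceaccount:*:*`, is reachable from every pod in the cluster, which plain string matching on the service-account name would miss. Unknown operators such as `StringNotEquals` fail closed in this simplified engine, so it can under-report but never invents an Allow.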