PaloAltoNetworks / rbac-police

Evaluate the RBAC permissions of Kubernetes identities through policies written in Rego
https://www.paloaltonetworks.com/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms
MIT License
339 stars 35 forks

Auto discover relevant admission controllers & feature gates #5

Closed yuvalavra closed 2 years ago

yuvalavra commented 2 years ago

As mentioned in #2 and #3, some security-related admission controllers and feature gates may prevent certain attacks. Because those are configured on the control plane, they cannot be retrieved via the k8s API.

Add an auto-discovery mode that relies on impersonation & dry-run write operations to figure out which relevant feature gates & admission controllers are enabled. Populate rbacDB.metadata with those for policies to consume.

The flag description should clearly document that in this mode rbac-police does some dry-run write operations.
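The probe mechanism this issue proposes, as an added example that is not rbac-police's own code: a server-side dry-run create (`?dryRun=All`) sent while impersonating an identity runs authorization and admission on the API server without persisting anything, so the response reveals whether a control would have blocked the object. `DryRunProbe` is a hypothetical helper and the hostPID pod is a constructed payload; a real run assumes an `http.Client` already carrying cluster credentials.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// Constructed hostPID pod used only as the dry-run probe payload; it is never persisted.
const probePod = `{"apiVersion":"v1","kind":"Pod",
 "metadata":{"name":"rbac-police-probe","namespace":"default"},
 "spec":{"hostPID":true,"containers":[{"name":"c","image":"pause"}]}}`

// DryRunProbe (hypothetical helper, not the project's code) POSTs the probe with
// ?dryRun=All while impersonating user, so RBAC and admission run but nothing is stored.
// admitted reports whether both let it through; otherwise reason is the server's Status message.
func DryRunProbe(client *http.Client, apiServer, user string) (admitted bool, reason string, err error) {
	url := fmt.Sprintf("%s/api/v1/namespaces/default/pods?dryRun=All", apiServer)
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(probePod))
	if err != nil {
		return false, "", err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Impersonate-User", user) // same header kubectl --as sets
	resp, err := client.Do(req)
	if err != nil {
		return false, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusCreated || resp.StatusCode == http.StatusOK {
		return true, "", nil
	}
	var status struct{ Message string `json:"message"` } // metav1.Status subset
	raw, _ := io.ReadAll(resp.Body)
	_ = json.Unmarshal(raw, &status)
	return false, status.Message, nil
}

// Stand-alone use; the default client is shown only for the call shape (no credentials).
func main() {
	if len(os.Args) != 3 {
		fmt.Println("usage: probe <api-server-url> <user-to-impersonate>")
		return
	}
	admitted, reason, err := DryRunProbe(http.DefaultClient, os.Args[1], os.Args[2])
	fmt.Println("admitted:", admitted, "reason:", reason, "err:", err)
}
```

The auto-discovery mode would issue one such probe per control of interest and record the outcome in rbacDB.metadata for the Rego policies.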

yuvalavra commented 2 years ago

Add docs when done

yuvalavra commented 2 years ago

Done in #7