3 min read | by Jordi Prats
To be able to audit the access permissions of users in a Kubernetes cluster we might be interested in searching for Roles or ClusterRoles that grant access to a certain object:
For example, we might want to identify which Roles in a certain namespace, or which ClusterRoles, allow creating ConfigMap objects.
To do so we'll need to list all the ClusterRoles and the Roles within that namespace, and then look at each of their rules for one that matches these criteria. We can install the golang version from the releases page on github.
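As an added example, not the rule-lookup script from this post, here is the matching step written in Go: it parses the JSON that kubectl prints for a list of Roles (or ClusterRoles, which share the same rules layout) and reports every role with a rule granting the requested verb on the resource in the given API group. The role list is constructed sample data; the check honours the RBAC wildcard "*" in apiGroups, resources and verbs, which a plain string comparison would miss.

```go
package main

import ("encoding/json"; "fmt")
type PolicyRule struct { // the rbac.authorization.k8s.io/v1 PolicyRule fields we match on
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
	Verbs     []string `json:"verbs"`
}
type Role struct { // subset of a Role or ClusterRole as printed by kubectl -o json
	Metadata struct{ Name string `json:"name"` } `json:"metadata"`
	Rules    []PolicyRule                          `json:"rules"`
}
// contains reports whether want is in list, honouring the RBAC wildcard "*".
func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want { return true }
	}
	return false
}
// RuleGrants reports whether one rule grants verb on resource in apiGroup ("" is the core group).
func RuleGrants(r PolicyRule, apiGroup, resource, verb string) bool {
	return contains(r.APIGroups, apiGroup) && contains(r.Resources, resource) && contains(r.Verbs, verb)
}
// MatchingRoles parses the "kind: List" JSON kubectl emits and returns the roles with a matching rule.
func MatchingRoles(raw []byte, apiGroup, resource, verb string) ([]string, error) {
	var list struct{ Items []Role `json:"items"` }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var names []string
	for _, role := range list.Items {
		for _, rule := range role.Rules {
			if RuleGrants(rule, apiGroup, resource, verb) {
				names = append(names, role.Metadata.Name)
				break // report each role once even if several of its rules match
			}
		}
	}
	return names, nil
}
// sampleRoles is constructed data shaped like `kubectl get roles -n demo-ns -o json`.
const sampleRoles = `{"items":[
{"metadata":{"name":"cm-editor"},"rules":[{"apiGroups":[""],"resources":["configmaps"],"verbs":["get","create"]}]},
{"metadata":{"name":"cm-reader"},"rules":[{"apiGroups":[""],"resources":["configmaps"],"verbs":["get","list"]}]},
{"metadata":{"name":"ns-admin"},"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},
{"metadata":{"name":"deploy-creator"},"rules":[{"apiGroups":["apps"],"resources":["deployments"],"verbs":["create"]}]}]}`
func main() {
	names, _ := MatchingRoles([]byte(sampleRoles), "", "configmaps", "create")
	fmt.Println(names) // [cm-editor ns-admin]
}
```

Note that ns-admin is reported even though it never names configmaps explicitly; an audit that only greps for the resource name would overlook such wildcard roles.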
Below you'll find how much of a difference it makes to implement this functionality as a bash script, in python and in golang.
The bash version uses kubectl to list all the Roles that we need to check, and then lets a python script check for rules that match the criteria.
This script takes around 8 minutes to list all the matching roles:
$ time bash bash rule-lookup.sh demo-ns create configmaps ""
(...)
real 8m20.793s
user 2m13.657s
sys 2m50.060s
We can rewrite the bash script in python to improve the execution time: a pure python script takes around 2 seconds:
$ time python3 rule-lookup.py --namespace demo-ns --verb create --resource configmaps --api-group ""
(...)
real 0m2.575s
user 0m0.612s
sys 0m0.117s
$ time python3 rule-lookup.py --namespace demo-ns --verb create --resource configmaps --api-group ""
(...)
real 0m2.310s
user 0m0.737s
sys 0m0.215s
$ time python3 rule-lookup.py --namespace demo-ns --verb create --resource configmaps --api-group ""
(...)
real 0m2.053s
user 0m0.662s
sys 0m0.163s
If we use go run to execute the golang version, it takes about the same time as the python script:
$ time go run rule-lookup.go --namespace demo-ns --verb create --resource configmaps --api-group ""
(...)
real 0m2.809s
user 0m1.135s
sys 0m0.562s
$ time go run rule-lookup.go --namespace demo-ns --verb create --resource configmaps --api-group ""
(...)
real 0m1.835s
user 0m1.123s
sys 0m0.501s
$ time go run rule-lookup.go --namespace demo-ns --verb create --resource configmaps --api-group ""
(...)
real 0m1.849s
user 0m1.124s
sys 0m0.492s
If we compile the golang version with go build rule-lookup.go we get better results, taking between half a second and one second:
$ time ./rule-lookup --namespace demo-ns --verb create --resource configmaps --api-group ""
(...)
real 0m1.034s
user 0m0.115s
sys 0m0.049s
$ time ./rule-lookup --namespace demo-ns --verb create --resource configmaps --api-group ""
(...)
real 0m0.478s
user 0m0.105s
sys 0m0.028s
$ time ./rule-lookup --namespace demo-ns --verb create --resource configmaps --api-group ""
(...)
real 0m0.449s
user 0m0.100s
sys 0m0.024s
Posted on 27/02/2023