-
Kubernetes: Search for rule granting certain action
3 min read
To be able to audit access permissions of users un a Kubernetes cluster we might be interested in searching for Roles or ClusterRoles that grants access to a certain object:
27/02/2023
Read more... -
Synthetic ClusterRole or Role using an aggregationRule
2 min read
Having a Role or ClusterRole giving permissions to different apiGroups for different reasons makes it difficult to track and, later on, to maintain. By splitting the permissions on logical groups allows us to give predefined groups of permissions to the actual Role.
13/12/2022
Read more... -
Kubernetes - Check with RBAC: Can I...?
2 min read
When configuring RBAC permissions we might want to make sure we are configuring them correctly by checking what an user (or ServiceAccount) can do. We can use kubectl auth can-i for this.
29/11/2022
Read more... -
Run commands impersonating another user or ServiceAccount
2 min read
To be able to test permissions it can be convenient to have our own user being able to impersonate other users (and ServiceAccounts as well). To do we we'll have to use the impersonate verb as follows:
- apiGroups: [""] resources: ["users", "groups", "serviceaccounts"] verbs: ["impersonate"]22/11/2022
Read more... -
Kubernetes: Configure privilege escalation using the escalate and bind verbs
2 min read
The RBAC API prevents privilege escalation at the API level when creating or updating ClusterRole, ClusterRoleBinding, Role and RoleBinding. However, we can configure it to allow privilege escalation using the escalate and bind verbs.
15/11/2022
Read more...