Auditing Kubernetes RBAC Permissions
Overview
Kubernetes Role-Based Access Control (RBAC) auditing systematically reviews roles, cluster roles, bindings, and service account permissions to identify overly permissive access, privilege escalation paths, and violations of least-privilege principles. Tools like rbac-tool, KubiScan, and rakkess automate discovery of dangerous permission combinations.
Prerequisites
- Kubernetes cluster with RBAC enabled (the default since 1.6; confirm with kubectl api-versions | grep rbac.authorization.k8s.io)
- kubectl with read access to every RBAC object plus the impersonate verb, which the kubectl auth can-i --as checks below depend on; cluster-admin covers both
- rbac-tool, rakkess, or KubiScan installed
Core Concepts
RBAC Components
| Resource | Scope | Purpose |
|---|---|---|
| Role | Namespace | Grants permissions within a namespace |
| ClusterRole | Cluster | Grants permissions cluster-wide |
| RoleBinding | Namespace | Binds Role/ClusterRole to subjects in namespace |
| ClusterRoleBinding | Cluster | Binds ClusterRole to subjects cluster-wide |
Dangerous Permission Combinations
| Permission | Risk | Impact |
|---|---|---|
| * verbs on * resources in * API groups | Critical | Equivalent to cluster-admin |
| create pods | High | Can run privileged or hostPath pods and mount any service account token in the namespace |
| create pods/exec | High | Can exec into any pod in scope (every pod, if granted by a ClusterRole) |
| get/list secrets | High | Can read secrets in scope; list returns contents without knowing names |
| create clusterrolebindings | Critical | Can bind cluster-admin to any subject when combined with bind (or with permissions already held) |
| impersonate users/groups | Critical | Can act as any user or group, including system:masters |
| escalate on roles/clusterroles | Critical | Can create or update roles with permissions beyond its own |
| bind on roles/clusterroles | High | Can create bindings to roles whose permissions it does not itself hold |
Implementation Steps
Step 1: Enumerate All RBAC Resources
# List all ClusterRoles
kubectl get clusterroles -o name | wc -l
kubectl get clusterroles --no-headers | grep -v "system:"
# List all ClusterRoleBindings
kubectl get clusterrolebindings -o wide
# List all Roles per namespace
kubectl get roles -A
# List all RoleBindings per namespace
kubectl get rolebindings -A -o wide
# Export all RBAC for offline analysis
kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o yaml > rbac-export.yaml
Step 2: Identify Wildcard Permissions
# Find ClusterRoles with wildcard verbs on wildcard resources
# any() prints each role once even when several rules match; "// []" guards rules
# that only carry nonResourceURLs. Wildcards scoped to one API group are included,
# so check the apiGroups of each hit before rating it cluster-admin equivalent.
kubectl get clusterroles -o json | jq -r '
  .items[] |
  select(any(.rules[]?;
    ((.verbs // []) | index("*")) and
    ((.resources // []) | index("*")))) |
  .metadata.name'
# Repeat each query for namespaced Roles: replace "clusterroles" with "roles -A"
# Find roles that can create pods
kubectl get clusterroles -o json | jq -r '
  .items[] |
  select(any(.rules[]?;
    ((.verbs // []) | index("create") or index("*")) and
    ((.resources // []) | index("pods") or index("*")))) |
  .metadata.name'
# Find roles that can read secrets (watch returns contents as well)
kubectl get clusterroles -o json | jq -r '
  .items[] |
  select(any(.rules[]?;
    ((.verbs // []) | index("get") or index("list") or index("watch") or index("*")) and
    ((.resources // []) | index("secrets") or index("*")))) |
  .metadata.name'
Step 3: Check Service Account Permissions
# List all service accounts
kubectl get serviceaccounts -A
# Check permissions for each namespace's default service account
# -n matters: can-i --list is evaluated in the current namespace, not the account's.
# --as requires the impersonate verb, which cluster-admin has.
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do
  echo "=== $ns/default ==="
  kubectl auth can-i --list -n "$ns" --as="system:serviceaccount:$ns:default"
done
# Check for service accounts with cluster-admin
kubectl get clusterrolebindings -o json | jq -r '
.items[] |
select(.roleRef.name == "cluster-admin") |
{binding: .metadata.name, subjects: [.subjects[]? | {kind, name, namespace}]}'
Step 4: Use rbac-tool for Automated Analysis
# Install rbac-tool
kubectl krew install rbac-tool
# Visualize RBAC (write Graphviz output to a file, then render it)
kubectl rbac-tool viz --outformat dot --outfile rbac-graph.dot
dot -Tpng rbac-graph.dot -o rbac-graph.png
# Find who can perform specific actions
kubectl rbac-tool who-can get secrets -A
kubectl rbac-tool who-can create pods -A
kubectl rbac-tool who-can '*' '*'
# Analyze all permissions
kubectl rbac-tool analysis
# Generate a least-privilege RBAC policy from API server audit log events
kubectl rbac-tool auditgen -f audit.log > rbac-from-audit.yaml
Step 5: Check for Privilege Escalation Paths
# Find ClusterRoles with escalate or bind on roles/clusterroles, i.e. the right to
# grant permissions the subject does not itself hold (wildcard verbs count too)
kubectl get clusterroles -o json | jq -r '
  .items[] |
  select(any(.rules[]?;
    ((.verbs // []) | index("escalate") or index("bind") or index("*")) and
    ((.resources // []) | index("clusterroles") or index("roles") or index("*")))) |
  .metadata.name'
# Find ClusterRoles that can impersonate users, groups or service accounts,
# printing only the rules that grant it
kubectl get clusterroles -o json | jq -r '
  .items[] |
  {name: .metadata.name,
   rules: [.rules[]? | select((.verbs // []) | index("impersonate") or index("*"))]} |
  select(.rules | length > 0)'
Step 6: Audit with KubiScan
# Install KubiScan from source (it reads the current kubeconfig; run as cluster-admin)
git clone https://github.com/cyberark/KubiScan.git
cd KubiScan && pip3 install -r requirements.txt
alias kubiscan='python3 KubiScan.py'
# Find risky roles
kubiscan --risky-roles
# Find risky ClusterRoles
kubiscan --risky-clusterroles
# Find risky subjects
kubiscan --risky-subjects
# Find pods with risky service accounts
kubiscan --risky-pods
# Full report
kubiscan --all
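The jq queries in Steps 2 and 5 work on roles in isolation: they ignore apiGroups, so a wildcard limited to the apps group looks the same as cluster-admin, and they never say which subjects end up with the permission. The script below is an added example for this page (it is not code from rbac-tool, KubiScan or Claw GRC) that applies the dangerous-combination table from Core Concepts to the export produced in Step 1. It reads the items of kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json, implements RBAC's own matching rules (apiGroups, the * wildcard, pods/* subresource wildcards, RoleBindings that reference ClusterRoles), resolves every binding to its subjects and scope, and reports one finding per dangerous permission. Everything in SAMPLE_ITEMS (role, binding and subject names) is constructed for illustration; the table is extended with list secrets, which carries the same risk as get secrets.

```python
"""Offline audit of a kubectl RBAC export: resolve bindings to subjects and flag
dangerous permissions. Added example; not rbac-tool, KubiScan or Claw GRC code."""
import json
from collections import defaultdict

RBAC = "rbac.authorization.k8s.io"
# (verb, resource) pairs to flag, from the page's table plus list secrets.
DANGEROUS = {
    ("*", "*"): ("Critical", "wildcard verbs/resources in every API group (cluster-admin equivalent)"),
    ("create", "pods"): ("High", "can create pods (privileged, hostPath, any SA token in namespace)"),
    ("create", "pods/exec"): ("High", "can exec into pods"),
    ("get", "secrets"): ("High", "can read secrets by name"),
    ("list", "secrets"): ("High", "can list secrets (list returns contents)"),
    ("impersonate", "users"): ("Critical", "can act as any user"),
    ("impersonate", "groups"): ("Critical", "can act as any group, e.g. system:masters"),
    ("escalate", "roles"): ("Critical", "can write roles with permissions it does not hold"),
    ("escalate", "clusterroles"): ("Critical", "can write clusterroles with permissions it does not hold"),
    ("bind", "roles"): ("High", "can bind roles whose permissions it does not hold"),
    ("bind", "clusterroles"): ("High", "can bind clusterroles whose permissions it does not hold"),
    ("create", "clusterrolebindings"): ("Critical", "can create clusterrolebindings (escalation with bind)"),
}
# API group of each resource (core group is ""); a rule only matches resources inside its apiGroups.
GROUP_OF = {"*": "*", "roles": RBAC, "clusterroles": RBAC, "rolebindings": RBAC, "clusterrolebindings": RBAC}


def resource_matches(rule_resource, resource):
    """RBAC resource matching: '*' matches everything; 'pods/*' matches pods subresources, not pods itself."""
    if rule_resource in ("*", resource):
        return True
    return rule_resource.endswith("/*") and resource.startswith(rule_resource[:-1])


def rule_grants(rule, verb, resource):
    """True if one PolicyRule grants verb on resource (nonResourceURLs rules have no resources and never match)."""
    groups, verbs = rule.get("apiGroups", []), rule.get("verbs", [])
    if GROUP_OF.get(resource, "") not in groups and "*" not in groups:
        return False
    if verb not in verbs and "*" not in verbs:
        return False
    return any(resource_matches(r, resource) for r in rule.get("resources", []))


def subject_id(subject, binding_namespace):
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', binding_namespace)}:{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def audit_rbac(items):
    """items: the `items` list of the Step 1 JSON export.
    Returns {(subject, scope): [(severity, description, role, binding), ...]}; scope is "cluster" for a
    ClusterRoleBinding or the namespace of a RoleBinding (also when it references a ClusterRole)."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("ClusterRole", "Role"):
            ns = obj["metadata"].get("namespace", "") if obj["kind"] == "Role" else ""
            roles[(obj["kind"], ns, obj["metadata"]["name"])] = obj.get("rules") or []
    findings = defaultdict(list)
    for obj in items:
        if obj["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ns = obj["metadata"].get("namespace", "")
        scope = "cluster" if obj["kind"] == "ClusterRoleBinding" else ns
        ref = obj["roleRef"]
        rules = roles.get((ref["kind"], "" if ref["kind"] == "ClusterRole" else ns, ref["name"]))
        if rules is None:  # dangling roleRef: grants nothing now, becomes live if the role is created
            continue
        hits = [(sev, desc, ref["name"], obj["metadata"]["name"])
                for (verb, res), (sev, desc) in DANGEROUS.items()
                if any(rule_grants(rule, verb, res) for rule in rules)]
        if hits:
            for subj in obj.get("subjects") or []:
                findings[(subject_id(subj, ns), scope)].extend(hits)
    return dict(findings)


SAMPLE_ITEMS = [  # constructed sample export, not taken from a real cluster
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}, {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    # wildcards limited to the apps group: a grep for "*" flags it, but it cannot reach pods or secrets
    {"kind": "ClusterRole", "metadata": {"name": "apps-deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-debug", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/*"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"name": "role-binder", "namespace": "dev"},
     "rules": [{"apiGroups": [RBAC], "resources": ["roles"], "verbs": ["bind"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-apps"}, "roleRef": {"kind": "ClusterRole", "name": "apps-deployer"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-secrets", "namespace": "dev"}, "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "dev@example.com"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-debug", "namespace": "dev"}, "roleRef": {"kind": "Role", "name": "pod-debug"},
     "subjects": [{"kind": "ServiceAccount", "name": "debug", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-binder", "namespace": "dev"}, "roleRef": {"kind": "Role", "name": "role-binder"},
     "subjects": [{"kind": "User", "name": "lead@example.com"}]},
]

if __name__ == "__main__":
    import sys
    # Pipe a real export in (kubectl get ... -A -o json | python3 rbac_audit.py) or run on the sample.
    items = SAMPLE_ITEMS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for (subject, scope), hits in sorted(audit_rbac(items).items()):
        for sev, desc, role, binding in hits:
            print(f"{sev:8} {subject:32} scope={scope:8} {desc} [{role} via {binding}]")
```

On the sample the CI runner is reported for every row of the table, the developer only for get/list secrets inside dev, the debug account only for pods/exec (pods/* does not grant create on pods itself), and the ops group not at all, because its wildcard is confined to the apps group. Bindings whose roleRef does not resolve are skipped; they still deserve a look, since creating the missing role makes them live.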
Validation Commands
# Verify specific permission
kubectl auth can-i create pods --as=system:serviceaccount:default:myapp
# Check all permissions for a user
kubectl auth can-i --list --as=developer@example.com
# Validate RBAC with kubescape
kubescape scan framework nsa --controls-config rbac-controls.json
# Test least privilege
kubectl auth can-i delete nodes --as=system:serviceaccount:app:web-server
# Expected: no
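The one-off kubectl auth can-i checks above are most useful when they are kept as a table of expectations and re-run after every RBAC change, which is what the following added example does (it is not Claw GRC or kubectl code). It drives kubectl auth can-i --as for each row and returns the mismatches; the subjects, resources and expected answers in EXPECTATIONS are constructed for illustration. The can_i parameter exists so the checker can be exercised with a fake answer source where no cluster is available.

```python
"""RBAC least-privilege regression check: run a table of expectations through
`kubectl auth can-i` and report the rows that disagree. Added example for this page."""
import subprocess

# (subject for --as, verb, resource, namespace or None, expected answer): constructed expectations
EXPECTATIONS = [
    ("system:serviceaccount:app:web-server", "delete", "nodes", None, "no"),
    ("system:serviceaccount:app:web-server", "get", "secrets", "app", "no"),
    ("system:serviceaccount:app:web-server", "get", "configmaps", "app", "yes"),
    ("developer@example.com", "create", "clusterrolebindings", None, "no"),
]


def kubectl_can_i(subject, verb, resource, namespace):
    """Ask the API server through kubectl. Returns 'yes' or 'no'.
    kubectl exits 1 and prints 'no' (optionally 'no - <reason>') when denied, so the exit
    status is not treated as an error; anything else (bad kubeconfig, missing impersonate
    permission on the caller) is raised instead of being silently counted as a denial."""
    cmd = ["kubectl", "auth", "can-i", verb, resource, "--as", subject]
    if namespace:
        cmd += ["-n", namespace]
    out = subprocess.run(cmd, capture_output=True, text=True)
    answer = out.stdout.strip().lower()
    if answer.startswith("yes"):
        return "yes"
    if answer.startswith("no"):
        return "no"
    raise RuntimeError(f"unexpected kubectl output: stdout={out.stdout!r} stderr={out.stderr!r}")


def check(expectations, can_i=kubectl_can_i):
    """Return [(subject, verb, resource, namespace, expected, actual)] for every row that disagrees."""
    failures = []
    for subject, verb, resource, namespace, expected in expectations:
        actual = can_i(subject, verb, resource, namespace)
        if actual != expected:
            failures.append((subject, verb, resource, namespace, expected, actual))
    return failures


if __name__ == "__main__":
    import sys
    bad = check(EXPECTATIONS)
    for row in bad:
        print("MISMATCH subject=%s verb=%s resource=%s ns=%s expected=%s actual=%s" % row)
    sys.exit(1 if bad else 0)
```

Run it from CI with a kubeconfig that has the impersonate verb; a non-zero exit means a subject gained or lost a permission the table does not expect, in either direction, since an unexpected "no" breaks a workload just as an unexpected "yes" breaks least privilege.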
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC6.1 (Logical Access), CC7.1 (Monitoring), CC8.1 (Change Management)
- ISO 27001: A.14.2 (Secure Development), A.12.6 (Technical Vulnerability Mgmt)
- NIST 800-53: CM-7 (Least Functionality), SI-2 (Flaw Remediation), SC-28 (Protection at Rest)
- NIST CSF: PR.IP (Information Protection), PR.DS (Data Security)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add auditing-kubernetes-rbac-permissions
# Or load dynamically via MCP
grc.load_skill("auditing-kubernetes-rbac-permissions")
Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.