Role-based access control (RBAC) in general is an approach to restricting system access to authorized users. Kubernetes role-based access control system is considered to be complex and hard to digest by many technology professionals. In the following article, we are going to explore Kubernetes ecosystem tools like Kubiscan and Kubescape that helps  Cybersecurity professional and Kubernetes administrators to scan and evaluate RBAC. In the following scenarios, we will deploy the Google Kubernetes Engine GKE cluster and analyze its role-based access control by KubiScan and Kubescape. Prerequisites In the following scenario we will use Google Cloud and its managed Kubernetes cluster. However, you can scan RBAC model of any Kubernetes cluster using Linux machine with kubectl access to the cluster. GCP account Enable API for Google Kubernetes Engine APIs Create a GKE cluster For deployment of the cluster, we will use cloud shell and gcloud cli. Set up project ID for gcloud cli: gcloud config set project PROJECT_ID Following command will create cluster in the us-west1 region: gcloud container clusters create-auto my-test-cluster \
    --region=us-west1 It should take a few minutes to spin up the cluster Configure kubectl access with the following command: gcloud container clusters get-credentials my-test-cluster  \
    --region us-west1 KubiScan is the open-source tool for scanning Kubernetes clusters for risky permissions in K8s RBAC (role-based access control) authorization model. KubiScan was created and maintained by CyberArk. KubiScan Installation It can be run using a docker container or as a python script. For this tutorial, we will use Python3. On your Linux machine, run the following commands to install KubiScan prerequisites: apt-get update  
apt-get install -y python3 python3-pip 
pip3 install -r requirements.txt For convenience, you can set up an alias to run the kubiscan python script: alias kubiscan='python3 /<KubiScan_folder>/KubiScan.py' If you want the alias to persist, add it to the .bashrc or .profile file in your user's home directory. Scan With KubiScan we can search for pods with privileged accounts: kubiscan -rp In the output we can see pod in the namespace is marked with CRITICAL priority. gmp-operator gke-gmp-system The following command will list risky subjects in your cluster: kubiscan -rs To get information about all privileged Pods\Containers running in your Kubernetes cluster, run the following command: kubiscan --privleged-pods To get as much information as possible, you can run the command. It will output “Risky Containers”, “Risky Users”, “Risky Roles and ClusterRoles”, “Risky RoleBindings and ClusterRoleBindings” tables. kubiscan --all kubiscan --all KubiScan also allows you to list all pods with access to secret data through a Volume or environment variables: kubiscan --pods-secrets-env
kubiscan -psv You can find many more useful KubiScan commands in the “help” menu: kubiscan -h How KubiScan works In the KubiScan repository, you can find the file that contains opinionated templates for risky roles with priorities. KubiScan checks if the cluster roles match the rules from the risky role and mark it accordingly in the output spreadsheet. risky_roles.yaml You can modify the file to add\remove role templates that would be more appropriate in your environment. Kubescape Kubescape is an open-source swiss tool that provides RBAC visualizer, image vulnerability scanning risk analysis, and security compliance.
Kubescape can detect RBAC violations, software vulnerabilities, and misconfigurations at the early stages of the CI/CD pipeline calculates risk score instantly and shows risk trends over time.
It has native integrations with DevOps tools like CircleCi, Jenkins, GitLab CI\CD, GitHub Actions, etc. Kubescape was built and maintained by ARMO. Kubescape has comprehensive docs available here Installation There are a few ways you can install Kubescape on Linux: install script binary from GitHub release page as a cluster component using helm It is also available on Mac and Windows. To quickly setup KubeScape on Linux with the install script, run the following command: curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash Scan With the Kubescape ready, we can go ahead and scan the cluster: kubescape scan Kubescape assess your cluster by different parameters, not only role based access control. You can see which control passed and failed. It will also demonstrate which resource failed in each test In terms of RBAC, Kubescape helps simplifying Kubernetes role base access control complexity by providing a visual graph that shows the RBAC configuration in your K8s cluster. There are lots of built-in queries of useful things you need to be aware of in your RBAC configuration available out of the box. To use the Kubescape RBAC visualizer, you need to set up a free account. All scan results can be submitted to the platform. Kubescape Cloud Platform Once you create the account, you can navigate to the “RBAC visualizer” in the left menu and copy the account ID.
By running a scan with the account ID parameter, it will send all scan results to the Cloud Platform. kubescape scan --submit --account=[account-id] If you want to use just RBAC visualizer capabilities, and send only RBAC-related data, you can use the command below: kubescape submit rbac --account [account-id] In the Kubescape Cloud, navigate to the “RBAC Visualizer“ on the left menu. In the pop-up menu select your k8s cluster. After that, you should be able to see your cluster RBAC visualized. You can change the view using built-in queries and select “layout by type”: Group by verbs: The following built-in query can show “who-can exec into pods”: If you don’t want your scan results to be submitted to ARMO, you should add --keep-local flag if you used the command before. This way you can get output printed in the console. Scan results can also be outputted in JSON, PDF, HTML, and many other formats, which is really convenient for CI\CD pipelines and automation. --submit Kubescape custom framework Kubescape allows you to scan your cluster against popular frameworks like NSA, MITRE, CIS, and others. It also allows you to create your custom framework. There are tens of controls available to be used in any framework. Each control tests a certain aspect of the cluster. We can set up a custom framework that will check only RBAC-related things. To do that, navigate to the Configuration scanning in the left menu, select “Frameworks”, and click on “Customize your own Framework”. Specify “Framework Name”.  Then, search and select RBAC-related controls using the “Search” section. Once ready, click “Apply”. Once the custom RBAC framework is set up in the cloud platform, we can run a scan using kubescape cli: kubescape scan framework rbac Each line in the spreadsheet represents control. In the “Failed resources” column, you can see the amount of failed resources. Remediation and link to the documentation could be found in the console output if you add the flag. --verbose kubescape scan framework rbac -v In the output, you can see the URL which will redirect you to the scan result in the Kubescape Cloud. You can see the suggested remediation action in the “Remediation” column. In the “Resources” section, you will see a list of all your cluster resources. If you click on the small “tool” icon at the right of the “EndpointSlice” line, it will redirect to the YAML definition of the resource with highlighted lines that failed the control. In this example, CIS-5.7.4 control complaining about the default namespace. As you can see, Kubescape provides really detailed suggested remediation action along with additional documentation to make a weighted decision about the risk it found. Summary We explored 2 instruments that could be used by Kubernetes Administrators or Cyber security professionals to analyze and assess the role-based access control (RBAC) of the Kubernetes cluster. KubiScan is a dedicated tool for RBAC analysis that could be easily customizable using file. On the other hand, we have Kubescape which provides a much more comprehensive analysis of the K8s cluster beside RBAC with a fancy Kubescape cloud platform and RBAC visualizer. Kubescape got a bigger community and  is better maintained, it has integration with different platforms and popular DevOps tools. risky_roles.yaml From my perspective, Kubescape is the go-to tool for assessing the Kubernetes cluster and understanding its role-based access control. However, if you only need to scan the K8s RBAC model against a particular template or rule without anything else, you should try KubiScan.

Google

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Scan Kubernetes RBAC with Kubescape and Kubiscan

Too Long; Didn't Read

Company Mentioned

Viachaslau Matsukevich

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Scan Kubernetes RBAC with Kubescape and Kubiscan

Too Long; Didn't Read

Company Mentioned

Viachaslau Matsukevich

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES