

misterli's Blog.

misterli's Blog.

利用k8s审计日志生成RBAC规则



利用k8s审计日志生成RBAC规则

rbac k8s

字数统计: 1.1k阅读时长: 6 min

 2021/01/06   Share

• 
• 
• 
• 
• 

简介

很多时候我们在k8s上安装服务会遇到各种各样的权限问题，有时候为某个用户或者serviceaccount对象生成一个合适的role会比较头疼，这里推荐一个工具audit2rbac，它可以根据k8s的审计日志，为指定用户或者serviceaccount对象生成它们所需要的role.

audit2rbac下载地址： https://github.com/liggitt/audit2rbac/releases

前提要求

1、集群已经开启审计日志，且日志格式为json格式，开启审计日志可以参考https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#advanced-audit

2、建议日志级别设置为Metadata，还可以减少日志大小

使用

我们这里已经开启了审计日志，这里截取一小段日志内容如下：

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"571b8d06-aa30-4aec-87cb-7bef2ef88d18","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/longhorn-system/leases/external-resizer-driver-longhorn-io","verb":"update","user":{"username":"system:serviceaccount:longhorn-system:longhorn-service-account","uid":"cdb0a05f-170d-4f02-aeec-88af904e68f7","groups":["system:serviceaccounts","system:serviceaccounts:longhorn-system","system:authenticated"]},"sourceIPs":["172.20.166.16"],"userAgent":"csi-resizer/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"leases","namespace":"longhorn-system","name":"external-resizer-driver-longhorn-io","uid":"81766194-e2e3-4edd-83d7-788a07562b91","apiGroup":"coordination.k8s.io","apiVersion":"v1","resourceVersion":"18772044"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-01-06T03:02:52.709670Z","stageTimestamp":"2021-01-06T03:02:52.710917Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"longhorn-bind\" of ClusterRole \"longhorn-role\" to ServiceAccount \"longhorn-service-account/longhorn-system\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"0795fecc-38ea-46d7-a27d-6e73e6a27cd8","stage":"ResponseComplete","requestURI":"/apis/coordination.k8s.io/v1/namespaces/longhorn-system/leases/driver-longhorn-io","verb":"get","user":{"username":"system:serviceaccount:longhorn-system:longhorn-service-account","uid":"cdb0a05f-170d-4f02-aeec-88af904e68f7","groups":["system:serviceaccounts","system:serviceaccounts:longhorn-system","system:authenticated"]},"sourceIPs":["172.20.166.16"],"userAgent":"csi-provisioner/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"leases","namespace":"longhorn-system","name":"driver-longhorn-io","apiGroup":"coordination.k8s.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2021-01-06T03:02:52.713255Z","stageTimestamp":"2021-01-06T03:02:52.713894Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"longhorn-bind\" of ClusterRole \"longhorn-role\" to ServiceAccount \"longhorn-service-account/longhorn-system\""}}

接下来我们使用audit2rbac为serviceaccount:longhorn-system:longhorn-service-account生成rbac role

[root@master-01 audit2rbac]# ./audit2rbac -f /var/log/kube-audit/audit-log.json --serviceaccount longhorn-system:longhorn-service-account > longhorn-service-account-role.yaml
Opening audit source...
Loading events......................................
Evaluating API calls...
Generating roles...
Complete!

查看一下生成的role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    audit2rbac.liggitt.net/version: v0.8.0
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: system-serviceaccount-longhorn-system-longhorn-service-account
  name: audit2rbac:system:serviceaccount:longhorn-system:longhorn-service-account
  namespace: longhorn-system
rules:
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - longhorn.io
  resourceNames:
  - pvc-50b55b24-fdd4-4714-be16-49c84fea4e1c-e-4020fcd8
  resources:
  - engines/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - longhorn.io
  resourceNames:
  - node-01
  resources:
  - nodes/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - longhorn.io
  resourceNames:
  - pvc-50b55b24-fdd4-4714-be16-49c84fea4e1c
  resources:
  - volumes/status
  verbs:
  - get
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    audit2rbac.liggitt.net/version: v0.8.0
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: system-serviceaccount-longhorn-system-longhorn-service-account
  name: audit2rbac:system:serviceaccount:longhorn-system:longhorn-service-account
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - persistentvolumeclaims
  - persistentvolumes
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - longhorn.io
  resources:
  - engineimages
  - engines
  - instancemanagers
  - nodes
  - replicas
  - settings
  - volumes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - scheduling.k8s.io
  resources:
  - priorityclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  - storageclasses
  - volumeattachments
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    audit2rbac.liggitt.net/version: v0.8.0
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: system-serviceaccount-longhorn-system-longhorn-service-account
  name: audit2rbac:system:serviceaccount:longhorn-system:longhorn-service-account
  namespace: longhorn-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: audit2rbac:system:serviceaccount:longhorn-system:longhorn-service-account
subjects:
- kind: ServiceAccount
  name: longhorn-service-account
  namespace: longhorn-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    audit2rbac.liggitt.net/version: v0.8.0
  labels:
    audit2rbac.liggitt.net/generated: "true"
    audit2rbac.liggitt.net/user: system-serviceaccount-longhorn-system-longhorn-service-account
  name: audit2rbac:system:serviceaccount:longhorn-system:longhorn-service-account
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: audit2rbac:system:serviceaccount:longhorn-system:longhorn-service-account
subjects:
- kind: ServiceAccount
  name: longhorn-service-account
  namespace: longhorn-system

原文作者：Mister Li

原文链接：https://www.lishuai.fun/2021/01/06/auto-create-rbac-role/

发表日期：January 6th 2021, 11:23:24 am

更新日期：May 3rd 2022, 11:25:55 pm

版权声明：本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

• Next Post
  扫描k8s集群中漏洞
• Previous Post
  同步secret和config到指定namespace

Powered by Hexotheme Archer

©豫ICP备19035521号

PV: :)

CATALOG

1. 1. 简介
2. 2. 前提要求
3. 3. 使用

• Archive
• Tag
• Cate

Total : 46



2023

• 05/05 记一次kuboard故障—Etcd空间爆满
• 05/05 K8s环境清理节点上旧的镜像
• 05/05 docker/buildkit 构建问题
• 05/05 分析redis 大key
• 05/05 Umami 安装并升级到v2.x

2022

• 06/15 SSO之使用Pomerium保护您的网站
• 05/09 使用sloop 监控kubernetes event
• 05/02 阿里云ACK集群 Ingress-nginx配置日志输出request body和request headers信息
• 04/06 K8s RBAC工具之akcess

2021

• 12/31 使用s3(minio)为kubernetes提供pv存储
• 09/28 Kubernetes 的 API 流量查看器---mizu
• 09/22 记一次longhorn 组件重启导致pv无法正常挂载
• 09/09 在Gitlab中规范提交的commit message的格式
• 09/06 监控minio的多种姿势
• 09/01 在k8s上部署支持多租户的minio
• 08/25 k8s 开启临时容器进行debug
• 08/12 史上最全之K8s使用nfs作为存储卷的五种方式
• 08/10 三个小工具带你进一步了解K8S集群内RBAC
• 08/09 使用Permission manager动态为k8s集群创建用户及kubeconfig
• 08/05 使用RBAC Manager 简化Kubernetes 中的授权
• 08/02 使用gitlab账号登陆Kubesphere
• 08/01 k8s安装cert-manager及签发泛域名证书
• 07/16 kubesphere 3.1.1 接入自定义 Prometheus
• 07/13 阿里云slb https代理harbor 总结
• 07/06 prometheus使用missing-container-metrics监控pod oomkill
• 04/01 使用ssl-exporter监控ssl证书过期时间
• 01/27 prometheus使用PrometheusAlert进行聚合报警
• 01/22 chaos-mesh 混沌工程（下）
• 01/21 Chaos-mesh 混沌工程(上）
• 01/06 扫描k8s集群中漏洞
• 01/06 利用k8s审计日志生成RBAC规则
• 01/05 同步secret和config到指定namespace

2020

• 12/08 kubevela之appfile详解（下）
• 12/08 kubevela之appfile详解（上）
• 12/03 kubevela小试牛刀（1）
• 12/02 使用Rancher的rke安装k8s
• 11/27 Prometheus监控redis及redis-cluster
• 11/18 Argo CD使用ding talk通知同步状态
• 11/17 k8s集群中pod镜像版本检查
• 11/16 阿里云rds 备份恢复到本地
• 11/06 记录一次kyverno重启解决过程
• 11/05 使用harbor代理缓存docker hub
• 09/23 一次cert-manager无法续签
• 09/07 使用traefik为服务配置sso
• 09/02 k8s之纵向扩缩容vpa
• 09/01 使用hugo搭建博客

 kubernetes  rbac  k8s  vulnerability  ingress-nginx  RBAC  argocd  devops  gitlab  harbor  slb  hugo  pv  csi  s3  kubesphere  prometheus  sso  kubevela  k8s准入控制  kyverno  longhorn  oomkill  event  configmap  secret  sync  ingress  cert-manager  chaos-mesh  minio  vpa  动态扩缩容  k8s kubevela  oamm  报警  ssl-exporter  traefik  混沌工程  rke k8s  pvc  nfs  prometheus redis  umami  etcd  kuboard  docker  ci  buildkit  redis



缺失模块，请参考主题文档进行安装配置：https://github.com/fi3ework/hexo-theme-archer#%E5%AE%89%E8%A3%85%E4%B8%BB%E9%A2%98



