Auditing Kubernetes Cluster RBAC

Auditing Kubernetes cluster RBAC configurations to identify overly permissive roles, wildcard permissions, dangerous

Category: development Source: mukul975/Anthropic-Cybersecurity-Skills

What Is Auditing Kubernetes Cluster RBAC?

Kubernetes uses Role-Based Access Control (RBAC) to manage and restrict access to cluster resources. Auditing Kubernetes Cluster RBAC involves systematically reviewing and analyzing these RBAC configurations to identify security risks such as overly permissive roles, wildcard permissions, dangerous ClusterRoleBindings, potential privilege escalation paths, and service account abuse. This is achieved using a combination of command-line tools and specialized auditing utilities. Regular RBAC audits are essential for maintaining strong security postures in Kubernetes environments, whether the cluster is hosted on EKS, GKE, AKS, or self-managed infrastructure.

Why Use Auditing Kubernetes Cluster RBAC?

Misconfigured RBAC policies are a leading cause of privilege escalations and lateral movement in Kubernetes clusters. Overly broad or misapplied permissions can allow attackers or unauthorized users to gain control over sensitive resources, compromise containers, or disrupt critical workloads. Auditing RBAC helps identify:

  • Overly permissive roles: Roles and ClusterRoles granting more access than necessary
  • Wildcard permissions: Use of * in resource or verb fields, which can be dangerous
  • Dangerous ClusterRoleBindings: Cluster-wide bindings to broad or sensitive roles
  • Service account abuse: Service accounts with unnecessary privileges
  • Privilege escalation paths: Chains of permissions that allow users to gain additional, unintended access

Proactively auditing RBAC ensures adherence to the principle of least privilege, aids compliance with security frameworks (such as NIST CSF), and reduces attack surface within your Kubernetes environments.

How to Use Auditing Kubernetes Cluster RBAC

To effectively audit Kubernetes RBAC, you should use a combination of native Kubernetes tools and specialized auditing utilities. The following workflow outlines the recommended approach:

Prerequisites

  • kubectl with sufficient read permissions (preferably cluster-admin)
  • rbac-tool (install with kubectl krew install rbac-tool or from GitHub)
  • kubiscan (pip install kubiscan)
  • kubeaudit (download from https://github.com/Shopify/kubeaudit)

1. Enumerate All Roles and RoleBindings

Start by listing all Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings.

kubectl get roles --all-namespaces
kubectl get clusterroles
kubectl get rolebindings --all-namespaces
kubectl get clusterrolebindings

Export these objects for detailed offline review:

kubectl get clusterroles -o yaml > clusterroles.yaml
kubectl get clusterrolebindings -o yaml > clusterrolebindings.yaml

2. Identify Overly Permissive and Wildcard Permissions

rbac-tool can help analyze permissions and spot risky configurations:

kubectl rbac-tool who-can get pods
kubectl rbac-tool who-can create clusterrolebindings
kubectl rbac-tool find-over-permissive

Look for roles or bindings that include wildcards (e.g., apiGroups: ["*"], resources: ["*"], verbs: ["*"]). These indicate broad permissions that should be minimized.

3. Scan for Privilege Escalation and Service Account Abuse

Use kubiscan to automate the discovery of common RBAC misconfigurations.

kubiscan scan -c <cluster-context>

Kubiscan reports:

  • Service accounts with cluster-admin or wildcard privileges
  • Privilege escalation risks (e.g., users who can modify RBAC)
  • Insecure role bindings

Review the output and investigate any flagged accounts or roles.

4. Audit with kubeaudit

kubeaudit provides additional checks, including RBAC audits:

kubeaudit rbac --kubeconfig ~/.kube/config

Kubeaudit highlights:

  • Roles with broad access
  • Bindings to sensitive system roles
  • Service accounts with unnecessary privileges

5. Manual Review

After automated scans, manually review high-privilege roles and their bindings. Pay special attention to:

  • ClusterRoleBindings referencing system:masters, cluster-admin, or custom admin roles
  • Bindings to system:anonymous or broad user groups
  • Roles with * verbs or resources

Evaluate whether each binding is strictly necessary for its intended workload or user.
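As an added worked example (not part of the original skill and not code from rbac-tool, kubiscan or kubeaudit), the following Python script applies the step 2 wildcard check, the step 3 "who can modify RBAC" escalation check and the step 5 manual-review criteria to an export produced as in step 1, assuming the export was taken with -o json rather than -o yaml; the embedded SAMPLE is constructed, not real cluster output.

```python
import json
# Constructed sample (not real cluster output) shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE = json.loads("""{"items": [
 {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "rbac-editor"}, "rules": [{"apiGroups":
  ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"], "verbs": ["create", "patch"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "open-read"},
  "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
  "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]}]}""")

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings", "*"}
RBAC_WRITE_VERBS = {"create", "update", "patch", "delete", "bind", "escalate", "*"}
ADMIN_ROLES = {"cluster-admin"}
RISKY_SUBJECTS = {"system:masters", "system:anonymous", "system:unauthenticated"}

def audit_role(role):
    """Flag wildcard rules and rules that let the holder rewrite RBAC itself (escalation path)."""
    name, findings = role["metadata"]["name"], []
    for rule in role.get("rules", []):
        groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
        if "*" in resources or "*" in verbs:
            findings.append((name, "wildcard", f"resources={sorted(resources)} verbs={sorted(verbs)}"))
        if (groups & {"rbac.authorization.k8s.io", "*"} and resources & RBAC_RESOURCES
                and verbs & RBAC_WRITE_VERBS):
            findings.append((name, "rbac-write", f"verbs={sorted(verbs & RBAC_WRITE_VERBS)}"))
    return findings

def audit_binding(binding):
    """Flag bindings to admin roles and bindings granted to anonymous or catch-all groups."""
    name, findings = binding["metadata"]["name"], []
    if binding["roleRef"]["name"] in ADMIN_ROLES:
        findings.append((name, "admin-binding", f"roleRef={binding['roleRef']['name']}"))
    for subj in binding.get("subjects", []):
        if subj["name"] in RISKY_SUBJECTS:
            findings.append((name, "risky-subject", f"{subj['kind']}/{subj['name']}"))
    return findings

def audit(export):
    """Walk an exported item list and return (object, finding, detail) triples for manual review."""
    findings = []
    for item in export["items"]:
        if item["kind"] in ("Role", "ClusterRole"):
            findings.extend(audit_role(item))
        elif item["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings.extend(audit_binding(item))
    return findings
```

Each finding is a starting point for the step 5 judgement call, not a verdict: a wildcard rule on a tightly scoped controller may be acceptable, while a cluster-admin binding to a CI service account usually is not.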

When to Use Auditing Kubernetes Cluster RBAC

  • Security assessments: During periodic or ad-hoc security reviews of Kubernetes clusters
  • Least privilege validation: Ensuring that users and service accounts have only the permissions required for their functions
  • Incident response: Investigating suspected lateral movement or privilege escalation
  • Compliance audits: Documenting and justifying access controls for regulatory requirements
  • Onboarding new teams: Defining and verifying appropriate RBAC for new cluster users

This skill is not intended for network policy analysis, container image vulnerability scanning, or runtime threat detection. Use dedicated tools such as Cilium, Trivy, or Falco for those purposes.

Important Notes

  • Always use a read-only or cluster-admin Kubernetes context when running RBAC audits to ensure full visibility of all resources.
  • Automated tools can miss context-specific risks; supplement automation with manual review.
  • Regularly revisit RBAC audits, especially after changes to cluster membership, workload deployments, or compliance requirements.
  • Be cautious when modifying RBAC policies. Remove unneeded permissions in a controlled, tested manner to avoid service disruptions.
  • Document your audit process and findings to aid in future reviews and compliance reporting.

Adopting a disciplined approach to auditing Kubernetes RBAC significantly reduces the risk of privilege escalation and improves the overall security posture of your cluster.