audit2rbac
Autogenerate RBAC policies based on Kubernetes audit logs
Google's managed Kubernetes service redirects the Kubernetes Audit Log to their [Cloud Audit Logging/Stackdriver Logging services](https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging). These logs can be queried using the `gcloud` command line tools, e.g.: ```sh gcloud...
Rather than writing output to stdout, allow specifying an output file. This is a prereq for generating intermediate results when processing a large or continuous audit stream. Could either generate...
only generate roles for permissions missing from existing roles
"If the user does something against extensions/deployments, also allow it against apps/deployments"
"if the user does an update, also allow patch", etc. Currently hardcoded: https://github.com/liggitt/audit2rbac/blob/78308e521a2907d100f54f829914662837e55428/pkg/process.go#L35-L40
Needed to include synthetic resource permissions checked for by various admission plugins or kubelets. Requires audit log to capture content for SAR. Might need to special case PSP checks (or...
requires https://github.com/liggitt/audit2rbac/issues/3
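The three items above (generate only what existing roles lack, replace the hardcoded verb/API-group expansion with a table, and recover the synthetic permissions that arrive as SubjectAccessReview bodies) are all decisions made per audit event. The following Go program sketches one way to handle them together. It is an added example written for this page, not audit2rbac's own code: `missingRules`, `expand`, `observedRule`, the `impliedVerbs` and `mirroredGroups` tables and the `sampleAuditLog` lines are all hypothetical and constructed here; the JSON field names are taken from the audit.k8s.io Event and authorization.k8s.io SubjectAccessReview types, but only the fields used are modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// auditEvent is the subset of an audit.k8s.io Event used below; other fields are ignored.
type auditEvent struct {
	Verb string `json:"verb"`
	User struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef *struct {
		Resource string `json:"resource"`
		APIGroup string `json:"apiGroup"`
	} `json:"objectRef"`
	// Only present when the audit policy records request bodies (level Request or RequestResponse).
	RequestObject json.RawMessage `json:"requestObject"`
}

// subjectAccessReview is the subset of a SubjectAccessReview needed to recover the
// permission an admission plugin or kubelet asked the apiserver to check.
type subjectAccessReview struct {
	Spec struct {
		User               string `json:"user"`
		ResourceAttributes *struct {
			Verb     string `json:"verb"`
			Group    string `json:"group"`
			Resource string `json:"resource"`
		} `json:"resourceAttributes"`
	} `json:"spec"`
}

// rule is one (apiGroup, resource, verb) triple, the granularity at which PolicyRules are compared.
type rule struct{ Group, Resource, Verb string }

func (r rule) String() string { return r.Group + "/" + r.Resource + ":" + r.Verb }

// Hypothetical expansion tables standing in for the hardcoded cases: verbs that imply
// other verbs, and (group, resource) pairs mirrored into other API groups.
var impliedVerbs = map[string][]string{"update": {"patch"}, "patch": {"update"}}
var mirroredGroups = map[rule][]string{
	{Group: "extensions", Resource: "deployments"}: {"apps"},
	{Group: "apps", Resource: "deployments"}:       {"extensions"},
}

// expand returns r plus every rule the tables say it implies.
func expand(r rule) []rule {
	groups := append([]string{r.Group}, mirroredGroups[rule{Group: r.Group, Resource: r.Resource}]...)
	verbs := append([]string{r.Verb}, impliedVerbs[r.Verb]...)
	var out []rule
	for _, g := range groups {
		for _, v := range verbs {
			out = append(out, rule{Group: g, Resource: r.Resource, Verb: v})
		}
	}
	return out
}

// observedRule extracts the permission an event demonstrates for user. A create of a
// SubjectAccessReview naming user yields the reviewed permission (a check made on the
// user's behalf by some other component), not the create itself; any other event
// yields its own objectRef. SARs whose body was not captured cannot be used.
func observedRule(ev auditEvent, user string) (rule, bool) {
	if ev.ObjectRef == nil {
		return rule{}, false
	}
	if ev.ObjectRef.Resource == "subjectaccessreviews" && ev.Verb == "create" {
		var sar subjectAccessReview
		if err := json.Unmarshal(ev.RequestObject, &sar); err != nil || sar.Spec.ResourceAttributes == nil {
			return rule{}, false // body missing from the audit log, or a non-resource check
		}
		if sar.Spec.User != user {
			return rule{}, false
		}
		ra := sar.Spec.ResourceAttributes
		return rule{Group: ra.Group, Resource: ra.Resource, Verb: ra.Verb}, true
	}
	if ev.User.Username != user {
		return rule{}, false
	}
	return rule{Group: ev.ObjectRef.APIGroup, Resource: ev.ObjectRef.Resource, Verb: ev.Verb}, true
}

// missingRules parses newline-delimited JSON audit events and returns, sorted, the
// expanded rules user exercised that existing roles do not already grant.
func missingRules(auditLog, user string, existing []rule) ([]rule, error) {
	have, seen := map[rule]bool{}, map[rule]bool{}
	for _, r := range existing {
		have[r] = true
	}
	for n, line := range strings.Split(strings.TrimSpace(auditLog), "\n") {
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if r, ok := observedRule(ev, user); ok {
			for _, x := range expand(r) {
				if !have[x] {
					seen[x] = true
				}
			}
		}
	}
	out := make([]rule, 0, len(seen))
	for r := range seen {
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].String() < out[j].String() })
	return out, nil
}

// sampleAuditLog is constructed for this example (not a real cluster's log). The last
// SAR has no requestObject, as with a Metadata-level audit policy, and so contributes nothing.
const sampleAuditLog = `{"verb":"update","user":{"username":"alice"},"objectRef":{"resource":"deployments","apiGroup":"extensions"}}
{"verb":"get","user":{"username":"bob"},"objectRef":{"resource":"secrets","apiGroup":""}}
{"verb":"create","user":{"username":"system:serviceaccount:kube-system:psp-webhook"},"objectRef":{"resource":"subjectaccessreviews","apiGroup":"authorization.k8s.io"},"requestObject":{"spec":{"user":"alice","resourceAttributes":{"verb":"use","group":"policy","resource":"podsecuritypolicies"}}}}
{"verb":"create","user":{"username":"system:serviceaccount:kube-system:psp-webhook"},"objectRef":{"resource":"subjectaccessreviews","apiGroup":"authorization.k8s.io"}}
`

func main() {
	// Hypothetical rule alice's existing Role already grants; it is subtracted from the output.
	existing := []rule{{Group: "apps", Resource: "deployments", Verb: "update"}}
	rules, err := missingRules(sampleAuditLog, "alice", existing)
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Println(r)
	}
}
```

For alice this prints the patch/update pair on deployments in both `extensions` and `apps` minus the one rule she already has, plus `policy/podsecuritypolicies:use` taken from the captured SAR body. The point of the `observedRule` split is that the SAR line is attributed to the user being reviewed, not to the component that created the review, and is silently dropped when the audit policy did not record the request body.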