Automated detection of Risky Permissions in AWS EKS Clusters

AWS EKS uses an authorization module called Role-Based Access Control (RBAC) to set the utilization permissions for the different components of the K8 Cluster. Ideally the principle of least privilege should be followed while assigning any roles as the principle of least privilege is the idea that any subject, user, program, process, and so on should only have the minimum required privileges to perform its function. In RBAC the authorization decision is based on subject’s roles, which contain a group of permissions and privileges.

Now while assessing the security of a K8 Cluster we should be looking to find the Risky Permissions. Like for example giving someone permission to list all the secrets in the cluster presents a huge security risk. Similarly, the “create pods” privilege seems like an entirely secure privilege at first look, however an attacker who gains control of a service account with the privilege to create pods in the “kube-system” namespace can potentially escalate privileges by reading tokens from other privilege service accounts.

Hence, finding the risky roles in the RBAC configuration of an EKS cluster is an important step to secure the cluster. The following python script searches for risky roles in the RBAC configuration and flags them. Figure 1 is an example of the script’s result output.

Figure 1

The script for the same can be found at :-

avikc47/kubernetes-rbac-riskyrole-detection

The Script ExtensiveRoleCheck.py requires python3. ExtensiveRoleCheck.py works in offline mode. This means that you should first export the following JSON from your Kubernetes cluster configuration:

• Roles
• ClusterRoles
• RoleBindings
• ClusterRoleBindings

To export those files you will need access permissions in the Kubernetes cluster. To export them, you might use the following commands:-

Export RBAC Roles:

kubectl get roles — all-namespaces -o json > Roles.json

Export RBAC ClusterRoles:

kubectl get clusterroles -o json > clusterroles.json

Export RBAC RolesBindings:

kubectl get rolebindings — all-namespaces -o json > rolebindings.json

Export RBAC Cluster RolesBindings:

kubectl get clusterrolebindings -o json > clusterrolebindings.json

Script Usage:-

python ExtensiveRoleCheck.py — clusterRole clusterroles.json — role Roles.json — rolebindings rolebindings.json — cluseterolebindings clusterrolebindings.json

References:-

https://www.cyberark.com/resources/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions

Kubernetes Security by Kaizhe Hung and Pranjal Jumde