Implementing RBAC Security Scanning

Implementing RBAC Security Scanning

Scan RBAC configurations for excessive permissions:

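# Scanner built from kubectl + jq. (The "rbac-police" mentioned in the original
# comment is a dedicated RBAC scanner; this script does not call it and needs
# only kubectl and jq on PATH.)
# The heredoc delimiter is quoted so nothing inside is expanded by the outer shell.
cat << 'EOF' > rbac-scanner.sh
#!/usr/bin/env bash
# Report RBAC configurations that deserve review:
#   - ClusterRoles granting a wildcard ("*") in verbs, resources or apiGroups
#   - ServiceAccounts bound to cluster-admin through a ClusterRoleBinding
#   - Pods running under their namespace's "default" ServiceAccount
# Findings go to stdout; a failing kubectl/jq stage aborts the scan (pipefail)
# instead of silently producing an empty, "clean-looking" report.
set -euo pipefail

# Fail early with a clear message rather than mid-scan.
for tool in kubectl jq; do
  command -v "$tool" >/dev/null 2>&1 \
    || { printf 'error: %s not found in PATH\n' "$tool" >&2; exit 1; }
done

printf '%s\n' "Scanning RBAC permissions..."

# Find overly permissive roles.
# any() reduces the per-rule / per-entry checks to a single boolean per role,
# so a role with several wildcard rules is reported once (a select() over a
# generator, as in the original, emits the role once per matching entry).
# Built-in roles such as cluster-admin match too; the useful question is who is
# bound to them, which the next section covers.
kubectl get clusterroles -o json | jq -r '
  .items[]
  | select(any(.rules[]?;
      any(.verbs[]?; . == "*")
      or any(.resources[]?; . == "*")
      or any(.apiGroups[]?; . == "*")))
  | .metadata.name
' | while IFS= read -r role; do
  printf "Warning: ClusterRole '%s' has wildcard permissions\n" "$role"
  # </dev/null keeps the describe call from consuming the loop's stdin.
  kubectl describe clusterrole "$role" </dev/null
done

# Find service accounts bound to cluster-admin.
# Only ClusterRoleBindings are inspected here: a namespaced RoleBinding can also
# reference the cluster-admin ClusterRole (granting it within one namespace) and
# is not covered by this check.
kubectl get clusterrolebindings -o json | jq -r '
  .items[]
  | select(.roleRef.kind == "ClusterRole" and .roleRef.name == "cluster-admin")
  | .subjects[]?
  | select(.kind == "ServiceAccount")
  | "\(.namespace)/\(.name)"
' | while IFS= read -r sa; do
  printf "Warning: ServiceAccount '%s' has cluster-admin privileges\n" "$sa"
done

# Check for default service account usage.
# serviceAccountName is normally populated by the API server, but null is kept
# as a match so a pod spec read from a manifest rather than the cluster is
# still flagged.
kubectl get pods -A -o json | jq -r '
  .items[]
  | select(.spec.serviceAccountName == "default" or .spec.serviceAccountName == null)
  | "\(.metadata.namespace)/\(.metadata.name)"
' | while IFS= read -r pod; do
  printf "Info: Pod '%s' uses default service account\n" "$pod"
done
EOF

chmod +x rbac-scanner.sh
./rbac-scanner.sh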