Skip to content
/ sa-hunter Public

Correlates serviceaccounts and pods to the permissions granted to them via rolebindings and clusterrolesbindings.

unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/

License

MIT license
35 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

twistlock/sa-hunter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
minimized_objs.py
minimized_objs.py
 
 
requirements.txt
requirements.txt
 
 
sa_hunter.py
sa_hunter.py
 
 

Repository files navigation

🔔 Deprecated in favour of rbac-police

sa-hunter

Correlates serviceaccounts and pods to the permissions granted to them via rolebindings and clusterrolesbindings.

For clusters hosted on managed Kubernetes services, sa-hunter identifies serviceaccount annotations that assign cloud provider IAM entities to Kubernetes serviceaccounts. Currently sa-hunter supports serviceaccount annotations on EKS and GKE.

Quick Start

python3 and pip3 are required, can be installed here.

  1. Clone this repository.
git clone https://github.com/twistlock/sa-hunter
  1. Install the required python packages.
pip3 install -r sa-hunter/requirements.txt
  1. Connect kubectl to your cluster.
  2. Run sa-hunter.
cd sa-hunter
./sa_hunter.py

Help

usage: sa_hunter.py [-h] [-a] [-o OUT_FILE] [-l]

Correlates serviceaccounts and pods to the permissions granted to them via rolebindings and clusterrolesbindings.

optional arguments:
  -h, --help   show this help message and exit
  -a           show all service accounts, not only those assigned to a pod
  -o OUT_FILE  save results to output file
  -l           loud mode, print results regardless of -o

Schema

{
    "metadata": {
        "cluster": "cluster name from the current kubectl context",
        "platform": "eks, gke or empty",
        "version": "cluster Kubernetes version"
    },
    "serviceaccounts": [
        {
            "name": "serviceaccount name",
            "namespace": "serviceaccount namespace",
            "nodes": [
                {
                    "name": "the node hosting the following pods",
                    "pods": [
                        "a pod assigned the service account"
                        "a pod assigned the service account"
                    ]
                },
                {
                    "name": "the node hosting the following pods",
                    "pods": [
                        "a pod assigned the service account"
                    ]
                }
            ],
            "providerIAM": { // omitempty
                "aws": "AWS role granted to this serviceaccount via the 'eks.amazonaws.com/role-arn' annotation, if exists",
                "gcp": "GCP service account binded to this serviceaccount via the 'iam.gke.io/gcp-service-account' annotation, if exists"
            },    
            "roles": [
                {
                    "name": "role or clusterrole binded to the serviceaccount",
                    "namespace": "namespace where permissions are in effect, excluded for clusterroles granted via clusterrolebindings", // omitempty
                    "rules": [] // k8s rule format
                }
            ]
        },
    ],
    "nodes": [
        {
            "name": "node name",
            "serviceaccounts": [
                "list of SAs hosted on this node",
                "format is namespace:name",
            ]
        },
        {
            "name": "node name",
            "serviceaccounts": [
                "namespace:name"
            ]
        },
    ]
}

About

Correlates serviceaccounts and pods to the permissions granted to them via rolebindings and clusterrolesbindings.

unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

35 stars

Watchers

7 watching

Forks

2 forks
Report repository

Languages