Hardens Kubernetes RBAC by auditing cluster-admin bindings, enforcing least privilege with namespace Roles, dedicating service accounts, restricting dangerous permissions, and integrating OIDC.
npx claudepluginhub killvxk/cybersecurity-skills-zh
Kubernetes Role-Based Access Control (RBAC) governs access to cluster resources according to the roles assigned to users, groups and service accounts. Default configurations typically grant far more than is needed; without deliberate hardening, RBAC becomes a primary entry point for privilege escalation, lateral movement and data exfiltration. Hardening means applying the principle of least privilege, eliminating unnecessary ClusterRole bindings, isolating service accounts, integrating an external identity provider, and auditing continuously.
Audit and remove unnecessary cluster-admin bindings:
# List every cluster-admin binding with its subjects
kubectl get clusterrolebindings -o json | jq -r '
  .items[] |
  select(.roleRef.name == "cluster-admin") |
  "\(.metadata.name) -> \(.subjects[]? | "\(.kind)/\(.name) (\(.namespace // "cluster"))")"
'
Prefer Role and RoleBinding over ClusterRole and ClusterRoleBinding:
# Recommended: namespace-scoped role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: application
  name: app-developer
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: application
  name: app-developer-binding
subjects:
  - kind: Group
    name: dev-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: app-developer
  apiGroup: rbac.authorization.k8s.io
Give each workload a dedicated service account and disable token automounting by default:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payment-processor
  namespace: payments
automountServiceAccountToken: false   # disable automatic token mounting
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payment-processor
  namespace: payments
spec:
  selector:                           # selector and labels are required for a valid Deployment
    matchLabels:
      app: payment-processor
  template:
    metadata:
      labels:
        app: payment-processor
    spec:
      serviceAccountName: payment-processor
      automountServiceAccountToken: true   # mount only when the workload explicitly needs the API
      containers:
        - name: processor
          image: payments/processor:v2.1@sha256:abc...
Block permissions that enable privilege escalation:
# Dangerous verbs/resources to restrict:
# - secrets: get, list, watch (exposes every secret in the namespace)
# - pods/exec: create (allows running commands inside Pods)
# - pods: create (with a privileged securityContext)
# - serviceaccounts/token: create (mints new tokens)
# - clusterroles/clusterrolebindings: create, update (self-escalation)
# - nodes/proxy: create (bypasses API server authorization)
# Example of a safe read-only role
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: security-viewer
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "namespaces", "nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list", "watch"]
Integrate an external identity provider through OIDC:
# kube-apiserver flags for OIDC integration
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
spec:
  containers:
    - name: kube-apiserver
      command:
        - kube-apiserver
        - --oidc-issuer-url=https://idp.company.com
        - --oidc-client-id=kubernetes
        - --oidc-username-claim=email
        - --oidc-groups-claim=groups
        - --oidc-ca-file=/etc/kubernetes/pki/oidc-ca.crt
Enumerate bindings and service-account exposure:
# List every ClusterRoleBinding together with its subjects
kubectl get clusterrolebindings -o json | jq -r '
  .items[] | select(.subjects != null) |
  .subjects[] as $s |
  "\(.metadata.name) | \(.roleRef.name) | \($s.kind)/\($s.name)"
' | sort | column -t -s '|'
# List RoleBindings across all namespaces
kubectl get rolebindings --all-namespaces -o json | jq -r '
  .items[] | select(.subjects != null) |
  .subjects[] as $s |
  "\(.metadata.namespace) | \(.metadata.name) | \(.roleRef.name) | \($s.kind)/\($s.name)"
' | sort | column -t -s '|'
# Find service accounts bound to the cluster-admin or admin role
# (iterating subjects directly avoids the duplicate rows a nested select() would emit)
kubectl get clusterrolebindings -o json | jq -r '
  .items[] |
  select(.roleRef.name == "cluster-admin" or .roleRef.name == "admin") |
  .subjects[]? | select(.kind == "ServiceAccount") |
  "\(.namespace)/\(.name)"
'
# Find Pods running under the default service account
kubectl get pods --all-namespaces -o json | jq -r '
  .items[] |
  select(.spec.serviceAccountName == "default" or .spec.serviceAccountName == null) |
  "\(.metadata.namespace)/\(.metadata.name)"
'
# Find Pods that automount a service account token
# Note: a missing (null) value inherits the ServiceAccount's own setting, so cross-check
# the SA's automountServiceAccountToken before treating these Pods as findings
kubectl get pods --all-namespaces -o json | jq -r '
  .items[] |
  select(.spec.automountServiceAccountToken != false) |
  "\(.metadata.namespace)/\(.metadata.name) sa=\(.spec.serviceAccountName // "default")"
'
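As an added example that is not part of the original skill, the following Python script combines the dangerous-permission list and the binding audits above: it scans the merged JSON of Roles, ClusterRoles, RoleBindings and ClusterRoleBindings for the listed escalation primitives and maps each hit back to the bound subjects, treating "*" wildcards as matching everything. SAMPLE is a constructed input standing in for the .items of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`; the object names in it are assumptions.

```python
# Escalation primitives from the list above, keyed by (apiGroup, resource).
DANGEROUS = {
    ("", "secrets"): {"get", "list", "watch"},
    ("", "pods/exec"): {"create"},
    ("", "pods"): {"create"},
    ("", "serviceaccounts/token"): {"create"},
    ("", "nodes/proxy"): {"create"},
    ("rbac.authorization.k8s.io", "clusterroles"): {"create", "update"},
    ("rbac.authorization.k8s.io", "clusterrolebindings"): {"create", "update"},
}

def dangerous_verbs(rule):
    """(group, resource, verb) triples from DANGEROUS that a single RBAC rule grants."""
    has = lambda key, want: "*" in rule.get(key, []) or want in rule.get(key, [])  # "*" matches all
    return {(g, r, v) for (g, r), verbs in DANGEROUS.items() for v in verbs
            if has("apiGroups", g) and has("resources", r) and has("verbs", v)}

def audit(items):
    """Map each binding's subjects to the dangerous triples its role grants. `items` mixes Roles,
    ClusterRoles and both binding kinds; the API server already flattens aggregated ClusterRoles."""
    roles = {(o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"]): o.get("rules") or []
             for o in items if o["kind"] in ("Role", "ClusterRole")}
    findings = {}
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"): continue
        ref = b["roleRef"]
        # A RoleBinding may reference a ClusterRole; that grant is then scoped to the binding's namespace.
        ns = b["metadata"].get("namespace", "") if ref["kind"] == "Role" else ""
        hits = sorted(set().union(*(dangerous_verbs(r) for r in roles.get((ref["kind"], ns, ref["name"]), []))))
        for s in b.get("subjects") or []:
            if hits:
                subject = "/".join(filter(None, (s["kind"], s.get("namespace"), s["name"])))
                findings.setdefault(b["metadata"]["name"], {})[subject] = hits
    return findings

def _obj(kind, name, ns=None, **body):  # builder for the constructed sample below
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})}, **body}

SAMPLE = [  # constructed objects, not taken from a real cluster
    _obj("ClusterRole", "secret-reader", rules=[{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]),
    _obj("ClusterRole", "legacy-wildcard", rules=[{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _obj("Role", "app-developer", "application",
         rules=[{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "create"]}]),
    _obj("ClusterRoleBinding", "ci-secrets", roleRef={"kind": "ClusterRole", "name": "secret-reader"},
         subjects=[{"kind": "ServiceAccount", "namespace": "ci", "name": "runner"}]),
    _obj("ClusterRoleBinding", "legacy-ops", roleRef={"kind": "ClusterRole", "name": "legacy-wildcard"},
         subjects=[{"kind": "User", "name": "alice"}]),
    _obj("RoleBinding", "app-developer-binding", "application", roleRef={"kind": "Role", "name": "app-developer"},
         subjects=[{"kind": "Group", "name": "dev-team"}]),
]
```

Running `audit(SAMPLE)` reports the CI service account's secrets access and the wildcard binding, while the namespace-scoped dev-team binding produces no finding.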
Review effective permissions with krew plugins:
# Install rbac-lookup
kubectl krew install rbac-lookup
# Show the RBAC configuration for a specific user
kubectl rbac-lookup developer@company.com
# Show all user bindings in wide format
kubectl rbac-lookup --kind user -o wide
# Install rakkess (access-matrix)
kubectl krew install access-matrix
# Show the access matrix for the current user
kubectl access-matrix
# Show the access matrix for a specific service account
kubectl access-matrix --sa payments:payment-processor