anonymous permissions #70

Open
krol3 opened this issue Jun 22, 2023 · 5 comments

Comments

@krol3

krol3 commented Jun 22, 2023

anonymous

After creating a ClusterRoleBinding for the user system:anonymous, I didn't see it in the list of the Risky report.

@g3rzi (Contributor)

g3rzi commented Jun 22, 2023

Hi @krol3 :)
We will check it.
Can you please provide me with the command that you ran so I can try to reproduce it as you did?
If you can provide the ClusterRoleBinding, that would be great too, but if not I will create my own.

@krol3 (Author)

krol3 commented Jun 26, 2023

Hi @g3rzi, here is the ClusterRoleBinding: `kubectl create clusterrolebinding anonymous-xdemo --clusterrole=view --user=system:anonymous`.

After adding this permission, I would like to see the risk; could you help me? Thanks

@g3rzi (Contributor)

g3rzi commented Jun 27, 2023

I created the ClusterRoleBinding with:

```shell
kubectl create clusterrolebinding anonymous-xdemo --clusterrole=view --user=system:anonymous
```

Then, I checked all the risky ClusterRoleBindings:

```shell
python3 KubiScan.py -rcb
```

And I saw that it appears:
(screenshot of the KubiScan output attached in the original comment)

What command did you use with KubiScan?

@krol3 (Author)

krol3 commented Jun 27, 2023

Thank you so much for your help @g3rzi, what version are you using? I still can't see this xdemo ClusterRoleBinding.
I'm using KubiScan version 1.6

@g3rzi (Contributor)

g3rzi commented Jul 6, 2023

I am using KubiScan version 1.6 and Kubernetes 1.25.

Can you provide me with the data of the view ClusterRole and the anonymous-xdemo ClusterRoleBinding?

```shell
kubectl get clusterrolebindings anonymous-xdemo -o yaml
kubectl get clusterrole view -o yaml
```

These are my results; I want to compare them to yours:

```console
root@myhome:/home/cyber# kubectl get clusterrolebindings anonymous-xdemo -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2023-06-27T06:35:56Z"
  name: anonymous-xdemo
  resourceVersion: "37867564"
  uid: 19111a5f-e6e5-4616-aab6-3dd4312ad92e
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:anonymous
```

```console
root@myhome:/home/cyber# kubectl get clusterrole view -o yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-view: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2022-10-27T12:25:38Z"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: view
  resourceVersion: "26758581"
  uid: 7f11eca5-44d9-480c-9ddb-c15b32961f2d
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
```
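The check this thread is asking KubiScan to report, written out as an added example that is not KubiScan's own code: it walks ClusterRoleBinding objects, flags any whose subjects give access to unauthenticated callers (the `system:anonymous` user from the issue, and the built-in `system:unauthenticated` group that Kubernetes assigns to anonymous requests), and expands the referenced ClusterRole into the concrete verb/resource grants so the finding is actionable. The `anonymous-xdemo` binding is taken from the YAML posted above; the `alice-view` binding and the trimmed `view` role (first two rules only) are constructed sample data for this example, and the objects are plain dicts so no YAML library is needed.

```python
"""Flag RBAC bindings that hand permissions to anonymous callers.

Added illustration, not KubiScan code. Sample objects are built from the
YAML in the issue (the ClusterRole is trimmed) plus one constructed
negative case.
"""

ANONYMOUS_USER = "system:anonymous"               # identity of unauthenticated requests
UNAUTHENTICATED_GROUP = "system:unauthenticated"  # built-in group those requests belong to

# ClusterRoleBinding from the issue (metadata trimmed to the name).
ANONYMOUS_XDEMO = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "anonymous-xdemo"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "system:anonymous"}],
}

# Constructed binding for a regular user; should not be flagged.
ALICE_VIEW = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "alice-view"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "view"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "alice"}],
}

# Subset of the built-in `view` ClusterRole from the issue (remaining rules omitted).
VIEW_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "view"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "pods", "services", "serviceaccounts"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list", "watch"]},
    ],
}


def anonymous_subjects(binding):
    """Return the subjects of a binding that represent unauthenticated access."""
    hits = []
    for subject in binding.get("subjects") or []:
        kind, name = subject.get("kind"), subject.get("name")
        if kind == "User" and name == ANONYMOUS_USER:
            hits.append(f"User/{name}")
        elif kind == "Group" and name == UNAUTHENTICATED_GROUP:
            hits.append(f"Group/{name}")
    return hits


def granted_resources(binding, roles):
    """Flatten the referenced role's rules into sorted 'verb group/resource' strings."""
    ref = binding["roleRef"]
    role = roles.get((ref["kind"], ref["name"]))
    if role is None:  # dangling roleRef: binding grants nothing
        return []
    grants = []
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    grants.append(f"{verb} {group or 'core'}/{resource}")
    return sorted(grants)


def risky_anonymous_bindings(bindings, roles):
    """Report every binding whose subjects include an anonymous identity."""
    findings = []
    for binding in bindings:
        hits = anonymous_subjects(binding)
        if hits:
            findings.append({
                "binding": binding["metadata"]["name"],
                "subjects": hits,
                "grants": granted_resources(binding, roles),
            })
    return findings


if __name__ == "__main__":
    roles = {("ClusterRole", "view"): VIEW_ROLE}
    for finding in risky_anonymous_bindings([ANONYMOUS_XDEMO, ALICE_VIEW], roles):
        print(f"{finding['binding']}: {', '.join(finding['subjects'])} -> "
              f"{len(finding['grants'])} grants, e.g. {finding['grants'][0]}")
```

Against real cluster data the two dicts would be the parsed output of the `kubectl get ... -o yaml` commands quoted above; the `roles` lookup is keyed on (kind, name) so RoleBindings that reference a namespaced Role can be fed through the same function.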
