Hey there fellow Kubernetes user!
So you've jumped on the K8s bandwagon and built yourself a nice cluster. Maybe you've got a few microservices running on it already. But as your cluster grows, are you keeping up with securing the RBAC permissions?
If not, it's time to start auditing! Based on my experience helping enterprises secure their Kubernetes rollouts, RBAC misconfigurations can quickly spiral out of control. In this post, let me explain what RBAC is, why it needs auditing, and five tools I recommend for the job (four of them open source, plus one commercial platform built on open-source scanners).
Kubernetes RBAC 101
For a quick refresher, RBAC or Role-Based Access Control is the standard authorization mode in Kubernetes. It decides which subjects may perform which verbs (get, list, watch, create, update, patch, delete) on which API resources, after the API server has already authenticated the caller.
The key components of RBAC are:
Roles and ClusterRoles – These are lists of rules, each granting a set of verbs on a set of resources in a set of API groups. A Role is namespaced; a ClusterRole is cluster-wide and can also cover cluster-scoped resources like nodes. Think of them as permission templates that grant nothing on their own until they are bound.
RoleBindings and ClusterRoleBindings – These bind a Role or ClusterRole to subjects. A RoleBinding grants the permissions only inside its own namespace, even when it references a ClusterRole; a ClusterRoleBinding grants a ClusterRole across the whole cluster.
Subjects – Users, groups and service accounts. Users and groups are not objects in the API; they come from whatever authenticates the request (client certificates, OIDC tokens, and so on), whereas service accounts are namespaced API objects with tokens that pods can mount.
For example, you can define a Role called pod-reader that allows get, list and watch on pods in the dev namespace. Then create a RoleBinding in dev that binds this role to the dev-user subject. Now dev-user will be able to view pods in dev but not modify them, and will have no access to pods in any other namespace.
The advantage of RBAC is that it allows very granular access control to Kubernetes resources. But the flip side is complexity. RBAC is purely additive: there is no deny rule, so every binding can only widen what a subject may do, and a subject's effective access is the union of everything bound to its user, its groups and its service account. Working that out by hand is tricky when you have hundreds of roles and bindings.
Why Continuous RBAC Auditing is Crucial
Here are some common issues I've seen with RBAC gone wild:
Role sprawl – Literally hundreds of roles created over time, many unused or redundant. Tough to decipher the mess.
Overprovisioning – Developers assign overly permissive roles like cluster-admin to their service accounts for convenience, and wildcard rules (verbs: ["*"], resources: ["*"]) creep into custom roles.
Role binding creep – Old stale role bindings linger around, allowing unwanted access long after a person or workload is gone.
Wrong configurations – Complex policies lead to basic errors like typos in role or subject names. Kubernetes does not validate that a roleRef or subject exists, so a mistyped roleRef silently grants nothing and a mistyped subject grants the access to nobody, or to the wrong principal.
Gartner has long predicted that the overwhelming majority of cloud security failures will be the customer's own misconfigurations rather than vulnerabilities in the platform, and in my experience Kubernetes RBAC is a prime example.
Without continuous auditing, RBAC can become a ticking time bomb. The risks include data loss, compliance failures and even cryptocurrency mining abuse after a single over-privileged service account token leaks.
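To make the mechanics above concrete, here is an added example of my own (it is not code from this post or from any of the tools below). It takes a dump of RBAC objects, answers "can this subject perform this verb on this resource in this namespace" the way the API server does (allow-only; a RoleBinding stays namespace-scoped even when it references a ClusterRole; a dangling roleRef grants nothing), and then flags the four issues just listed on that same dump: roles nobody binds, bindings whose roleRef points at nothing (the typo case), wildcard rules, and service accounts bound to cluster-admin. The RBAC objects are constructed for the example and the function names (`can`, `audit`) are mine.

```python
"""Resolve effective RBAC permissions and flag sprawl in a dump of RBAC objects (added example)."""
import json

# Constructed sample, not from any real cluster. The dicts mirror the "items" of
# `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
RBAC_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "orphaned-role", "namespace": "dev"},   # bound to nobody
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "dev-superuser", "namespace": "dev"},   # wildcard rule
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin",                 # built-in role
                                         "labels": {"kubernetes.io/bootstrapping": "rbac-defaults"}},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "read-pods", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "dev-user"}]},
    # A ClusterRole granted through a namespaced RoleBinding applies only in "dev".
    {"kind": "RoleBinding", "metadata": {"name": "read-secrets", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "dev-user"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-team-admin", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "dev-superuser"},
     "subjects": [{"kind": "Group", "name": "dev-team"}]},
    # Typo in roleRef ("pod-raeder"): the binding dangles and silently grants nothing.
    {"kind": "RoleBinding", "metadata": {"name": "stale-binding", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-raeder"},
     "subjects": [{"kind": "User", "name": "former-contractor"}]},
    # Convenience cluster-admin for a CI service account: classic overprovisioning.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "default"}]},
]

def _key(obj):
    return (obj["kind"], obj["metadata"]["name"], obj["metadata"].get("namespace"))

def _bound_role(objs, binding):
    """Resolve a binding's roleRef; None if it points at nothing (typo, deleted role)."""
    ref = binding["roleRef"]
    ns = binding["metadata"].get("namespace") if ref["kind"] == "Role" else None
    return next((o for o in objs if _key(o) == (ref["kind"], ref["name"], ns)), None)

def _grants(role, verb, resource, api_group):
    """A rule matches when each of its lists contains the value or a '*'."""
    return any(all(v in rule.get(k, []) or "*" in rule.get(k, [])
                   for k, v in (("apiGroups", api_group), ("resources", resource), ("verbs", verb)))
               for rule in role.get("rules", []))

def can(objs, subjects, verb, resource, namespace, api_group=""):
    """True if any of `subjects` (a user plus its groups, or a service account) may act."""
    keys = {(s["kind"], s["name"], s.get("namespace")) for s in subjects}
    for b in objs:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any((s["kind"], s["name"], s.get("namespace")) in keys for s in b.get("subjects", [])):
            continue
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue  # a namespaced grant never reaches other namespaces
        role = _bound_role(objs, b)
        if role is not None and _grants(role, verb, resource, api_group):
            return True  # RBAC is allow-only: one matching binding is enough
    return False

def audit(objs):
    """Structural findings that need no live cluster: sprawl, typos, overprovisioning."""
    findings = {"unbound_roles": [], "dangling_bindings": [],
                "wildcard_roles": [], "cluster_admin_service_accounts": []}
    bound = set()
    for b in objs:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        role = _bound_role(objs, b)
        if role is None:
            findings["dangling_bindings"].append(b["metadata"]["name"])
            continue
        bound.add(_key(role))
        if role["metadata"]["name"] == "cluster-admin":
            findings["cluster_admin_service_accounts"] += [f"{s['namespace']}/{s['name']}"
                for s in b.get("subjects", []) if s["kind"] == "ServiceAccount"]
    for r in objs:
        if r["kind"] not in ("Role", "ClusterRole") or \
                r["metadata"].get("labels", {}).get("kubernetes.io/bootstrapping") == "rbac-defaults":
            continue  # skip the built-in roles the API server reconciles on every start
        if _key(r) not in bound:
            findings["unbound_roles"].append(r["metadata"]["name"])
        if any("*" in rule.get("verbs", []) or "*" in rule.get("resources", [])
               for rule in r.get("rules", [])):
            findings["wildcard_roles"].append(r["metadata"]["name"])
    return findings

if __name__ == "__main__":
    dev_user = [{"kind": "User", "name": "dev-user"}]
    print("dev-user get pods in dev:", can(RBAC_OBJECTS, dev_user, "get", "pods", "dev"))
    print(json.dumps(audit(RBAC_OBJECTS), indent=2))
```

Against a real cluster you would feed it the JSON from `kubectl get` instead of the constructed list, and cross-check individual answers with `kubectl auth can-i get pods --as dev-user -n dev`, which asks the API server the same question. The group handling matters in practice: a user that looks harmless on its own may inherit a wildcard role through a group claim in its OIDC token, which is exactly what the dev-team binding in the sample shows.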
That's why regularly scanning your RBAC policies using specialized tools is a must. Let's look at five really useful options, four of them open source.
1. KubiScan – Simple and Safe Auditing
KubiScan is my go-to choice for basic RBAC permission scanning. Developed by CyberArk, it's easy to set up and provides clear reporting.
Some standout features:
- Scans for risky roles, bindings, subjects and pod access
- Flexible filtering and risk scoring
- Interactive CLI and JSON report generation
- Read-only, non-disruptive scanning
KubiScan is written in Python and can run directly inside your cluster as a pod. The scans don't modify anything, just read RBAC policies. One caveat that follows from that: to see every role, binding, pod and service account, the scanner's own service account needs cluster-wide read access, so treat its credentials and its JSON reports (which are effectively a map of your privilege structure) as sensitive. The simplicity and non-disruptive nature otherwise really appealed to me.
The tool lets you apply filters like excluding specific namespaces or subjects from scanning. The risk scoring also helps quickly prioritize the most severe findings for remediation.
In my testing, KubiScan performed well for baseline RBAC auditing, providing a clear breakdown of risky permissions at the role and binding level. The JSON output integrates smoothly with CI/CD pipelines. Overall, a solid foundational tool for RBAC analysis.
2. Krane – Beautiful Visualizations for RBAC
Krane is an interesting open source tool from Appvia that focuses on visualizing RBAC relationships.
Instead of just generating a raw JSON report, Krane creates interactive graph models of your RBAC configuration. You get a bird's eye view of how roles, bindings and subjects intersect.
This allows quickly visually identifying anomalies, like roles that are never bound to any subject for instance. The graphical network also makes it very easy to trace relationships across namespaces.
Krane has handy features like Slack notifications for risky permissions. It can run standalone inside Kubernetes but also has a local CLI and CI/CD integration.
Now I'll be honest, at large scale the diagrams can get a bit messy. But in my experience, the novel visualization approach of Krane really helps provide new insights into the sprawl and intersections of complex RBAC setups. The interactivity allows drilling down into specific risky bindings easily.
Overall, a refreshing approach to RBAC analysis for those that appreciate visual aids.
3. RBAC Tool – Comprehensive Analysis and Queries
RBAC Tool developed by Alcide offers some powerful analysis capabilities going beyond basic permission scanning.
- Detects risky roles and unused bindings
- Permission queries: who can perform a given verb on a resource, and what a given subject ends up with
- Interactive filters for investigation
- Configuration file generation
- Visualization of access topology
It thoroughly scans RBAC objects like roles, role bindings and cluster roles for misconfigurations. But what I really liked are the specialized queries. They let you deeply analyze how permissions translate into effective access, rather than eyeballing individual bindings.
For example, you can ask which subjects are able to read secrets, or list every rule a particular service account ends up with across all namespaces once all of its role bindings are resolved. This helps reveal privileges that are unsafe.
The tool can also generate Role and ClusterRole manifests, for example a role restricted to a chosen set of verbs and API groups. This makes it easy to remediate issues by replacing an over-broad role with a tightened YAML definition.
The customizable filters and visualizations are great for investigation workflows when dealing with hundreds of roles and bindings.
Overall, RBAC Tool provides very comprehensive analysis and queries to dig deeper into permission risks. The developer Alcide (since acquired by Rapid7) has really put together a full-featured toolkit purpose-built for Kubernetes RBAC.
4. Fairwinds Insights – Stay Compliant with Guardrails
Fairwinds Insights offers a different approach to RBAC management compared to the other tools we've seen, and it is also the odd one out on licensing: Insights itself is Fairwinds' commercial platform (with a free tier), built on top of their open-source scanners such as Polaris and rbac-lookup. It focuses on ensuring your permissions stay within compliance guidelines.
The key capabilities:
- Audit RBAC policies against predefined controls
- Flexible policy templates
- Risk-based findings and fix advice
- Integration with Kubernetes admission control
- Custom queries for analysis
Fairwinds comes loaded with curated best-practice policies covering areas like PCI-DSS, CIS Benchmarks and NIST. Your RBAC configuration is automatically scanned and checked against these standards.
This prevents "RBAC drift" away from compliance baselines as your cluster evolves. Any dangerous changes or deployments can also be blocked automatically via the admission controller integration.
For our clients with strict regulatory requirements, Fairwinds has been a lifesaver. The automated guardrails have significantly reduced effort and stress around compliance audits. The custom query capability also enables debugging specific permission issues.
Overall, I highly recommend Fairwinds Insights if staying compliant with industry and organizational standards is a priority.
5. Permission Manager – Simplifying RBAC for Humans
So far we've mostly seen developer-focused tools that operate through CLI and JSON outputs. But what if you need a more user-friendly way to visualize and manage RBAC?
This is where Permission Manager comes in. It provides an intuitive web UI and control panel purpose-built for Kubernetes RBAC.
With Permission Manager, you can easily:
- Visualize role relationships and permissions
- Analyze usage and consistency of roles
- Manage users and access controls
- Audit changes
Instead of reviewing raw JSON, you can visually explore and edit roles and bindings through the graphical interface. It really helps simplify RBAC management for admins and developers.
The main downside is that Permission Manager is a web application deployed into your cluster, and because it creates roles and bindings on your behalf it needs broad RBAC write permissions itself. That makes it a high-value target: put it behind proper authentication, keep it off the public network, and think twice before running it in highly secure environments. But for teams new to RBAC looking for an intuitive solution, it's a great starting point.
Making the Most of RBAC Auditing Tools
Based on my experience, here are some tips to maximize your RBAC auditing:
- Schedule regular scans – Monthly or weekly depending on change rates, plus a scan after any bulk change
- Prioritize risks – Focus on high-impact findings (cluster-admin bindings, wildcard rules, secrets access) and quick wins first
- Include CI/CD checks – Scan RBAC manifests on PRs and fail the build before dangerous grants are merged
- Combine tools – Leverage multiple tools for different views
- Verify fixes – Re-scan after remediation so issues stay resolved
- Grant minimum access – Stick to the least privilege principle; prefer namespaced Roles over ClusterRoles and RoleBindings over ClusterRoleBindings
- Formalize reviews – Conduct periodic formal RBAC reviews, including of the bindings that reference groups
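As an added example of the CI/CD check (my code, not from this post or from any of the tools above), here is a lint a pipeline can run over the RBAC objects a pull request introduces, failing the build if any grant is dangerous: wildcard rules, the escalation verbs (bind, escalate, impersonate), read or exec access to credential-bearing resources, bindings to cluster-admin, and bindings to the catch-all groups every principal belongs to. It assumes the manifests have already been converted to JSON (the Python standard library has no YAML parser; `yq -o=json`, or pulling the objects back out of an ephemeral test cluster with `kubectl get ... -o json`, both work) and are piped to it on stdin as a kubectl-style List or a bare array. The sample objects, the deny-lists and the function names are mine.

```python
"""Fail a pull request that introduces dangerous RBAC grants (added example)."""
import json
import sys

ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Resources where read/exec access is effectively credential or code-execution access.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "pods/attach", "serviceaccounts/token", "nodes/proxy"}
# Groups that every authenticated principal (or every service account) is a member of.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
PRIVILEGED_ROLES = {"cluster-admin"}

# Constructed manifests standing in for the RBAC objects a pull request adds.
PR_OBJECTS = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "debug-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-peeker"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "role-granter"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["bind", "escalate"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

def check_role(role):
    """Findings for a Role/ClusterRole, each as (object, message)."""
    name = f'{role["kind"]}/{role["metadata"]["name"]}'
    out = []
    for rule in role.get("rules", []):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        if "*" in verbs or "*" in resources or "*" in rule.get("apiGroups", []):
            out.append((name, "wildcard rule: " + json.dumps(rule, sort_keys=True)))
        if verbs & ESCALATION_VERBS:
            out.append((name, "escalation verbs " + ", ".join(sorted(verbs & ESCALATION_VERBS))))
        hit = resources & SENSITIVE_RESOURCES
        if hit and verbs & {"get", "list", "watch", "create", "*"}:
            out.append((name, "access to sensitive resources " + ", ".join(sorted(hit))))
    return out

def check_binding(binding):
    """Findings for a RoleBinding/ClusterRoleBinding."""
    name = f'{binding["kind"]}/{binding["metadata"]["name"]}'
    out = []
    ref = binding["roleRef"]["name"]
    if ref in PRIVILEGED_ROLES:
        out.append((name, f"binds privileged role {ref}"))
    for s in binding.get("subjects", []):
        if s["kind"] == "Group" and s["name"] in BROAD_GROUPS:
            out.append((name, f"granted to broad group {s['name']}"))
    return out

def lint(objects):
    """Run every object through the matching check; an empty list means the PR passes."""
    findings = []
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            findings += check_role(o)
        elif o["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings += check_binding(o)
    return findings

def main():
    # stdin: a kubectl-style List ({"items": [...]}) or a bare JSON array of objects.
    data = json.load(sys.stdin)
    findings = lint(data["items"] if isinstance(data, dict) else data)
    for obj, msg in findings:
        print(f"DENY {obj}: {msg}")
    sys.exit(1 if findings else 0)

if __name__ == "__main__":
    main()
```

The deny-lists are deliberately opinionated; a finding is a signal for the reviewer, not proof of a bug, so pair the gate with an allow-list of known exceptions (a controller that legitimately needs secrets access) rather than loosening the rules for everyone. Run the same lint on the pre-existing objects once, triage the backlog, and from then on only new findings can block a merge.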
It takes continuous scanning to stay on top of RBAC as your clusters scale and policies get updated frequently. The specialized tools we've covered all bring unique capabilities to the table. Use them proactively to avoid dangerous RBAC mishaps down the road!
Hope this guide has been useful for you. Let me know if you have any other questions!