KAL can be used to list every permission of a Kubernetes user, service account token, kubeconfig authentication, or a JWT token.
This CLI connects to the provided Kubernetes Cluster, list all resources, and for each resource tests if the provided authentication has access in the resource. The test is performed using the SelfSubjectAccessReview request.
go install -v github.com/ing-bank/kal@latestgit clone https://github.com/ing-bank/kal.git
cd kal; go installKAL searches for authentication credentials in the following order:
- Provided in
-tokenargument - Search for a kubeconfig file (default location
~/.kube/config) - Assume it is running inside a POD and using the credentials in the
/var/run/secrets/kubernetes.io/serviceaccount/folder
Provide the authentication token as a CLI argument.
kal -token '<your_jwt_token>'Provide the custom kubeconfig file location.
kal -c /path/to/kubeconfig.yamlCommand:
kalExpected output:
############################
# #
# ██╗ ██╗ █████╗ ██╗ #
# ██║ ██╔╝██╔══██╗██║ #
# █████╔╝ ███████║██║ #
# ██╔═██╗ ██╔══██║██║ #
# ██║ ██╗██║ ██║███████╗ #
# ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ #
# Kubernetes Authz Listing #
############################
[!] legal disclaimer: Usage of kal for attacking targets without prior mutual consent is illegal. It is the end user\'s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[INF] running from namespace = default
[INF] found 105 resources and sub-resources
bindings/v1 [create,get,bind,patch,escalate,deletecollection,list,impersonate,watch,update,delete,approve] [default]
componentstatuses/v1 [create,get,delete,deletecollection,escalate,impersonate,update,patch,approve,watch,bind,list] [CLUSTER_WIDE]
...[snip]...
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1 [escalate,impersonate,list,approve,watch,deletecollection,get,patch,update,delete,bind,create] [CLUSTER_WIDE]
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1/status [escalate,impersonate,patch,watch,list,create,get,delete,update,approve,deletecollection,bind] [CLUSTER_WIDE]
flowschemas.flowcontrol.apiserver.k8s.io/v1beta3 [patch,approve,create,escalate,list,deletecollection,impersonate,delete,watch,update,bind,get] [CLUSTER_WIDE]
flowschemas.flowcontrol.apiserver.k8s.io/v1beta3/status [escalate,patch,deletecollection,update,get,bind,impersonate,delete,approve,watch,list,create] [CLUSTER_WIDE]
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1beta3 [escalate,impersonate,approve,update,get,create,list,deletecollection,patch,watch,delete,bind] [CLUSTER_WIDE]
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1beta3/status [get,create,list,escalate,impersonate,patch,bind,update,delete,approve,watch,deletecollection] [CLUSTER_WIDE]kal -namespace <namespace>Removes the rate limit restraints enforced by k8s.io/client-go/kubernetes package.
kal -no-rate-limitImpersonate a user and list its permissions.
kal -as '<user>'Select the verbosity of the output.
kal -verbose/-silentThis option show all results, even not allowed commands.
kal -allkal -jsonCommand:
kal -show-reasonExpected output:
[ERR] could not create a kubernetes custom client error=invalid configuration for kubernetes custom client
[INF] running from namespace = default
[INF] found 105 resources and sub-resources
bindings/v1 [delete,patch,bind,create,update,watch,get,list,deletecollection,impersonate,approve,escalate] [default] [RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins"]
componentstatuses/v1 [get,escalate,list,delete,approve,patch,update,bind,watch,impersonate,deletecollection,create] [CLUSTER_WIDE] [RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins"]
...[snip]...
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1beta3 [create,patch,update,deletecollection,escalate,get,delete,bind,watch,impersonate,list,approve] [CLUSTER_WIDE] [RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins"]
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1beta3/status [create,escalate,list,update,delete,deletecollection,bind,patch,get,approve,watch,impersonate] [CLUSTER_WIDE] [RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins"]This section explains how KAL works under the hood.
Based on the article of Raesene - Fun with Kubernetes Authorization Auditing, sometimes the command kubectl auth can-i --list can omit some permissions specially if they are from a custom resource. In this case, KAL overcomes this "issue" by listing all available resources and testing if the current authorization has permission to execute certain API verb in the resource.
Kuberntes Authorization Request Verbs
- create
- get
- list
- watch
- update
- patch
- delete
- deletecollection
- impersonate
- bind
- approve
- escalate
Listing all API resources.
kubectl auth can-i --list -o wideContributions are more than welcome! Please see our contribution guidelines first.
KAL can be used a a library by instantiating the pkg/runner package, it contains the required setup.
import "github.com/ing-bank/kal/pkg/runner"
func main() {
kalRunner := runner.FromOptions()
}You can check our licensing scheme here.