KAL can be used to list every permission of a Kubernetes user, service account token, kubeconfig authentication, or a JWT token.
This CLI connects to the provided Kubernetes Cluster, list all resources, and for each resource tests if the provided authentication has access in the resource. The test is performed using the SelfSubjectAccessReview request.
go install -v github.com/ing-bank/kal@latest
git clone https://github.com/ing-bank/kal.git
cd kal; go install
KAL searches for authentication credentials in the following order:
- Provided in
-token
argument - Search for a kubeconfig file (default location
~/.kube/config
) - Assume it is running inside a POD and using the credentials in the
/var/run/secrets/kubernetes.io/serviceaccount/
folder
Provide the authentication token as a CLI argument.
kal -token '<your_jwt_token>'
Provide the custom kubeconfig file location.
kal -c /path/to/kubeconfig.yaml
Command:
kal
Expected output:
############################
# #
# ██╗ ██╗ █████╗ ██╗ #
# ██║ ██╔╝██╔══██╗██║ #
# █████╔╝ ███████║██║ #
# ██╔═██╗ ██╔══██║██║ #
# ██║ ██╗██║ ██║███████╗ #
# ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ #
# Kubernetes Authz Listing #
############################
[!] legal disclaimer: Usage of kal for attacking targets without prior mutual consent is illegal. It is the end user\'s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[INF] running from namespace = default
[INF] found 105 resources and sub-resources
bindings/v1 [create,get,bind,patch,escalate,deletecollection,list,impersonate,watch,update,delete,approve] [default]
componentstatuses/v1 [create,get,delete,deletecollection,escalate,impersonate,update,patch,approve,watch,bind,list] [CLUSTER_WIDE]
...[snip]...
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1 [escalate,impersonate,list,approve,watch,deletecollection,get,patch,update,delete,bind,create] [CLUSTER_WIDE]
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1/status [escalate,impersonate,patch,watch,list,create,get,delete,update,approve,deletecollection,bind] [CLUSTER_WIDE]
flowschemas.flowcontrol.apiserver.k8s.io/v1beta3 [patch,approve,create,escalate,list,deletecollection,impersonate,delete,watch,update,bind,get] [CLUSTER_WIDE]
flowschemas.flowcontrol.apiserver.k8s.io/v1beta3/status [escalate,patch,deletecollection,update,get,bind,impersonate,delete,approve,watch,list,create] [CLUSTER_WIDE]
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1beta3 [escalate,impersonate,approve,update,get,create,list,deletecollection,patch,watch,delete,bind] [CLUSTER_WIDE]
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1beta3/status [get,create,list,escalate,impersonate,patch,bind,update,delete,approve,watch,deletecollection] [CLUSTER_WIDE]
kal -namespace <namespace>
Removes the rate limit restraints enforced by k8s.io/client-go/kubernetes
package.
kal -no-rate-limit
Impersonate a user and list its permissions.
kal -as '<user>'
Select the verbosity of the output.
kal -verbose/-silent
This option show all results, even not allowed commands.
kal -all
kal -json
Command:
kal -show-reason
Expected output:
[ERR] could not create a kubernetes custom client error=invalid configuration for kubernetes custom client
[INF] running from namespace = default
[INF] found 105 resources and sub-resources
bindings/v1 [delete,patch,bind,create,update,watch,get,list,deletecollection,impersonate,approve,escalate] [default] [RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins"]
componentstatuses/v1 [get,escalate,list,delete,approve,patch,update,bind,watch,impersonate,deletecollection,create] [CLUSTER_WIDE] [RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins"]
...[snip]...
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1beta3 [create,patch,update,deletecollection,escalate,get,delete,bind,watch,impersonate,list,approve] [CLUSTER_WIDE] [RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins"]
prioritylevelconfigurations.flowcontrol.apiserver.k8s.io/v1beta3/status [create,escalate,list,update,delete,deletecollection,bind,patch,get,approve,watch,impersonate] [CLUSTER_WIDE] [RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins";RBAC: allowed by ClusterRoleBinding "kubeadm:cluster-admins" of ClusterRole "cluster-admin" to Group "kubeadm:cluster-admins"]
This section explains how KAL works under the hood.
Based on the article of Raesene - Fun with Kubernetes Authorization Auditing, sometimes the command kubectl auth can-i --list
can omit some permissions specially if they are from a custom resource. In this case, KAL overcomes this "issue" by listing all available resources and testing if the current authorization has permission to execute certain API verb in the resource.
Kuberntes Authorization Request Verbs
- create
- get
- list
- watch
- update
- patch
- delete
- deletecollection
- impersonate
- bind
- approve
- escalate
Listing all API resources.
kubectl auth can-i --list -o wide
Contributions are more than welcome! Please see our contribution guidelines first.
KAL can be used a a library by instantiating the pkg/runner package, it contains the required setup.
import "github.com/ing-bank/kal/pkg/runner"
func main() {
kalRunner := runner.FromOptions()
}
You can check our licensing scheme here.