Files
Anthropic-Cybersecurity-Skills/skills/auditing-kubernetes-rbac-permissions.bak/references/api-reference.md
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

1.6 KiB

API Reference: Kubernetes RBAC Audit

Python Kubernetes Client

from kubernetes import client, config
config.load_kube_config()
rbac = client.RbacAuthorizationV1Api()
core = client.CoreV1Api()

RBAC API Calls

Method Description
rbac.list_cluster_role() List all ClusterRoles
rbac.list_cluster_role_binding() List all ClusterRoleBindings
rbac.list_namespaced_role(ns) List Roles in namespace
rbac.list_namespaced_role_binding(ns) List RoleBindings in namespace

ClusterRole Rule Structure

role.rules[0].verbs       # ["get", "list", "watch"]
role.rules[0].resources   # ["pods", "secrets"]
role.rules[0].api_groups  # ["", "apps"]

Dangerous RBAC Permissions

Permission Risk
* / * (all verbs, resources) Full cluster admin
create on pods/exec Remote code execution
get on secrets Credential theft
bind on clusterroles Privilege escalation
impersonate on users Identity spoofing
escalate on roles Self-privilege escalation

Subject Types

Kind Description
User Human user identity
Group User group (e.g., system:authenticated)
ServiceAccount Pod identity

Risky Groups

Group Risk
system:unauthenticated Anonymous access
system:authenticated Any authenticated user
system:masters Full cluster admin

kubectl RBAC Commands

kubectl auth can-i --list
kubectl get clusterrolebindings -o json
kubectl auth can-i create pods --as=system:serviceaccount:default:default