Files
Anthropic-Cybersecurity-Skills/skills/auditing-kubernetes-rbac-permissions.bak/references/api-reference.md
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

56 lines
1.6 KiB
Markdown

# API Reference: Kubernetes RBAC Audit
## Python Kubernetes Client
```python
from kubernetes import client, config
config.load_kube_config()
rbac = client.RbacAuthorizationV1Api()
core = client.CoreV1Api()
```
## RBAC API Calls
| Method | Description |
|--------|-------------|
| `rbac.list_cluster_role()` | List all ClusterRoles |
| `rbac.list_cluster_role_binding()` | List all ClusterRoleBindings |
| `rbac.list_namespaced_role(ns)` | List Roles in namespace |
| `rbac.list_namespaced_role_binding(ns)` | List RoleBindings in namespace |
## ClusterRole Rule Structure
```python
role.rules[0].verbs # ["get", "list", "watch"]
role.rules[0].resources # ["pods", "secrets"]
role.rules[0].api_groups # ["", "apps"]
```
## Dangerous RBAC Permissions
| Permission | Risk |
|------------|------|
| `* / *` (all verbs, resources) | Full cluster admin |
| `create` on `pods/exec` | Remote code execution |
| `get` on `secrets` | Credential theft |
| `bind` on `clusterroles` | Privilege escalation |
| `impersonate` on users | Identity spoofing |
| `escalate` on roles | Self-privilege escalation |
## Subject Types
| Kind | Description |
|------|-------------|
| User | Human user identity |
| Group | User group (e.g., system:authenticated) |
| ServiceAccount | Pod identity |
## Risky Groups
| Group | Risk |
|-------|------|
| `system:unauthenticated` | Anonymous access |
| `system:authenticated` | Any authenticated user |
| `system:masters` | Full cluster admin |
## kubectl RBAC Commands
```bash
kubectl auth can-i --list
kubectl get clusterrolebindings -o json
kubectl auth can-i create pods --as=system:serviceaccount:default:default
```