mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 22:19:39 +03:00
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
56 lines
1.6 KiB
Markdown
56 lines
1.6 KiB
Markdown
# API Reference: Kubernetes RBAC Audit
|
|
|
|
## Python Kubernetes Client
|
|
```python
|
|
from kubernetes import client, config
|
|
config.load_kube_config()
|
|
rbac = client.RbacAuthorizationV1Api()
|
|
core = client.CoreV1Api()
|
|
```
|
|
|
|
## RBAC API Calls
|
|
| Method | Description |
|
|
|--------|-------------|
|
|
| `rbac.list_cluster_role()` | List all ClusterRoles |
|
|
| `rbac.list_cluster_role_binding()` | List all ClusterRoleBindings |
|
|
| `rbac.list_namespaced_role(ns)` | List Roles in namespace |
|
|
| `rbac.list_namespaced_role_binding(ns)` | List RoleBindings in namespace |
|
|
|
|
## ClusterRole Rule Structure
|
|
```python
|
|
role.rules[0].verbs # ["get", "list", "watch"]
|
|
role.rules[0].resources # ["pods", "secrets"]
|
|
role.rules[0].api_groups # ["", "apps"]
|
|
```
|
|
|
|
## Dangerous RBAC Permissions
|
|
| Permission | Risk |
|
|
|------------|------|
|
|
| `* / *` (all verbs, resources) | Full cluster admin |
|
|
| `create` on `pods/exec` | Remote code execution |
|
|
| `get` on `secrets` | Credential theft |
|
|
| `bind` on `clusterroles` | Privilege escalation |
|
|
| `impersonate` on users | Identity spoofing |
|
|
| `escalate` on roles | Self-privilege escalation |
|
|
|
|
## Subject Types
|
|
| Kind | Description |
|
|
|------|-------------|
|
|
| User | Human user identity |
|
|
| Group | User group (e.g., system:authenticated) |
|
|
| ServiceAccount | Pod identity |
|
|
|
|
## Risky Groups
|
|
| Group | Risk |
|
|
|-------|------|
|
|
| `system:unauthenticated` | Anonymous access |
|
|
| `system:authenticated` | Any authenticated user |
|
|
| `system:masters` | Full cluster admin |
|
|
|
|
## kubectl RBAC Commands
|
|
```bash
|
|
kubectl auth can-i --list
|
|
kubectl get clusterrolebindings -o json
|
|
kubectl auth can-i create pods --as=system:serviceaccount:default:default
|
|
```
|