mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 05:29:40 +03:00
c47eed6a64
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
104 lines
2.7 KiB
Markdown
104 lines
2.7 KiB
Markdown
# API Reference: Kubernetes RBAC Configuration Audit
|
|
|
|
## Libraries Used
|
|
|
|
| Library | Purpose |
|
|
|---------|---------|
|
|
| `kubernetes` | Official Kubernetes Python client for RBAC API |
|
|
| `json` | Parse and format RBAC audit results |
|
|
|
|
## Installation
|
|
|
|
```bash
|
|
pip install kubernetes
|
|
```
|
|
|
|
## Authentication
|
|
|
|
```python
|
|
from kubernetes import client, config
|
|
|
|
config.load_kube_config()
|
|
rbac_api = client.RbacAuthorizationV1Api()
|
|
core_api = client.CoreV1Api()
|
|
```
|
|
|
|
## RBAC API Methods
|
|
|
|
| Method | Description |
|
|
|--------|-------------|
|
|
| `list_cluster_role()` | List all ClusterRoles |
|
|
| `list_cluster_role_binding()` | List all ClusterRoleBindings |
|
|
| `list_namespaced_role(namespace)` | List Roles in a namespace |
|
|
| `list_namespaced_role_binding(namespace)` | List RoleBindings in namespace |
|
|
|
|
## Core Operations
|
|
|
|
### List All ClusterRoleBindings
|
|
```python
|
|
def list_all_bindings():
|
|
bindings = rbac_api.list_cluster_role_binding()
|
|
for b in bindings.items:
|
|
subjects = [
|
|
f"{s.kind}/{s.name}" for s in (b.subjects or [])
|
|
]
|
|
print(f"{b.metadata.name} -> {b.role_ref.name}: {subjects}")
|
|
```
|
|
|
|
### Audit Overprivileged Roles
|
|
```python
|
|
def audit_overprivileged():
|
|
roles = rbac_api.list_cluster_role()
|
|
findings = []
|
|
for role in roles.items:
|
|
for rule in (role.rules or []):
|
|
if rule.verbs and "*" in rule.verbs:
|
|
findings.append({
|
|
"role": role.metadata.name,
|
|
"issue": "Wildcard verbs (*) — overly permissive",
|
|
"severity": "high",
|
|
})
|
|
if rule.resources and "*" in rule.resources:
|
|
findings.append({
|
|
"role": role.metadata.name,
|
|
"issue": "Wildcard resources (*)",
|
|
"severity": "high",
|
|
})
|
|
return findings
|
|
```
|
|
|
|
### Find Default Service Account Usage
|
|
```python
|
|
def find_default_sa_usage():
|
|
findings = []
|
|
namespaces = core_api.list_namespace()
|
|
for ns in namespaces.items:
|
|
pods = core_api.list_namespaced_pod(ns.metadata.name)
|
|
for pod in pods.items:
|
|
sa = pod.spec.service_account_name
|
|
if sa == "default":
|
|
findings.append({
|
|
"namespace": ns.metadata.name,
|
|
"pod": pod.metadata.name,
|
|
"issue": "Using default service account",
|
|
"severity": "medium",
|
|
})
|
|
return findings
|
|
```
|
|
|
|
## Output Format
|
|
|
|
```json
|
|
{
|
|
"cluster_roles": 45,
|
|
"cluster_role_bindings": 38,
|
|
"findings": [
|
|
{
|
|
"role": "custom-admin",
|
|
"issue": "Wildcard verbs (*) — overly permissive",
|
|
"severity": "high"
|
|
}
|
|
]
|
|
}
|
|
```
|