Files
Anthropic-Cybersecurity-Skills/skills/implementing-rbac-for-kubernetes-cluster.bak/references/api-reference.md
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

2.7 KiB

API Reference: Kubernetes RBAC Configuration Audit

Libraries Used

Library Purpose
kubernetes Official Kubernetes Python client for RBAC API
json Parse and format RBAC audit results

Installation

pip install kubernetes

Authentication

from kubernetes import client, config

config.load_kube_config()
rbac_api = client.RbacAuthorizationV1Api()
core_api = client.CoreV1Api()

RBAC API Methods

Method Description
list_cluster_role() List all ClusterRoles
list_cluster_role_binding() List all ClusterRoleBindings
list_namespaced_role(namespace) List Roles in a namespace
list_namespaced_role_binding(namespace) List RoleBindings in namespace

Core Operations

List All ClusterRoleBindings

def list_all_bindings():
    bindings = rbac_api.list_cluster_role_binding()
    for b in bindings.items:
        subjects = [
            f"{s.kind}/{s.name}" for s in (b.subjects or [])
        ]
        print(f"{b.metadata.name} -> {b.role_ref.name}: {subjects}")

Audit Overprivileged Roles

def audit_overprivileged():
    roles = rbac_api.list_cluster_role()
    findings = []
    for role in roles.items:
        for rule in (role.rules or []):
            if rule.verbs and "*" in rule.verbs:
                findings.append({
                    "role": role.metadata.name,
                    "issue": "Wildcard verbs (*) — overly permissive",
                    "severity": "high",
                })
            if rule.resources and "*" in rule.resources:
                findings.append({
                    "role": role.metadata.name,
                    "issue": "Wildcard resources (*)",
                    "severity": "high",
                })
    return findings

Find Default Service Account Usage

def find_default_sa_usage():
    findings = []
    namespaces = core_api.list_namespace()
    for ns in namespaces.items:
        pods = core_api.list_namespaced_pod(ns.metadata.name)
        for pod in pods.items:
            sa = pod.spec.service_account_name
            if sa == "default":
                findings.append({
                    "namespace": ns.metadata.name,
                    "pod": pod.metadata.name,
                    "issue": "Using default service account",
                    "severity": "medium",
                })
    return findings

Output Format

{
  "cluster_roles": 45,
  "cluster_role_bindings": 38,
  "findings": [
    {
      "role": "custom-admin",
      "issue": "Wildcard verbs (*) — overly permissive",
      "severity": "high"
    }
  ]
}