creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 06:34:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/auditing-kubernetes-cluster-rbac/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

73 lines
2.1 KiB
Markdown
Raw Blame History

# API Reference: Auditing Kubernetes Cluster RBAC
## kubernetes (Python Client)
### Configuration
```python
from kubernetes import client, config
config.load_kube_config() # From ~/.kube/config
# or
config.load_incluster_config() # Inside a pod
```
### List ClusterRoles
```python
rbac = client.RbacAuthorizationV1Api()
roles = rbac.list_cluster_role()
for role in roles.items:
print(role.metadata.name)
for rule in role.rules or []:
print(f" verbs={rule.verbs} resources={rule.resources}")
```
### List ClusterRoleBindings
```python
bindings = rbac.list_cluster_role_binding()
for b in bindings.items:
print(b.metadata.name, "->", b.role_ref.name)
for s in b.subjects or []:
print(f" {s.kind}: {s.name}")
```
### List Pods (Security Context)
```python
v1 = client.CoreV1Api()
pods = v1.list_pod_for_all_namespaces()
for pod in pods.items:
for c in pod.spec.containers:
sc = c.security_context
if sc and sc.privileged:
print(f"PRIVILEGED: {pod.metadata.namespace}/{pod.metadata.name}")
```
## Key RBAC Resources
| Resource | API | Description |
|----------|-----|-------------|
| ClusterRole | `rbac.list_cluster_role()` | Cluster-wide permission definitions |
| ClusterRoleBinding | `rbac.list_cluster_role_binding()` | Binds roles to subjects cluster-wide |
| Role | `rbac.list_namespaced_role(ns)` | Namespace-scoped permissions |
| RoleBinding | `rbac.list_namespaced_role_binding(ns)` | Namespace-scoped binding |
| ServiceAccount | `v1.list_service_account_for_all_namespaces()` | Pod identities |
## Dangerous RBAC Patterns to Detect
| Pattern | Risk |
|---------|------|
| `verbs: ["*"], resources: ["*"]` | Equivalent to cluster-admin |
| `resources: ["secrets"], verbs: ["get"]` | Can read all secrets |
| `resources: ["pods/exec"]` | Can exec into containers |
| `subjects: system:authenticated` | All users get this role |
| `automountServiceAccountToken: true` | Token available in pod |
### References
- kubernetes Python client: https://pypi.org/project/kubernetes/
- K8s RBAC docs: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- KubiScan: https://github.com/cyberark/KubiScan
Reference in New Issue View Git Blame Copy Permalink