Skip to content

Instantly share code, notes, and snippets.

@misberner misberner/anonymous-bindings.sh Secret
Last active Oct 23, 2019

Embed
What would you like to do?
#!/usr/bin/env bash
set -e
#########
# Usage #
#########
if [ "$1" = "-h" ]; then
cat <<EOF
$0 [CONTEXT] -- Find all (Cluster)RoleBindings applying to unauthenticated users in a Kubernetes cluster
CONTEXT: context to use for kubectl
EOF
exit 1
fi
kubectl_cmd=(kubectl)
function _kubectl() {
"${kubectl_cmd[@]}" "$@"
}
if [ ! -z "$1" ]; then
context="$1"
# Tests if the context exists. If it does, all output is suppressed, otherwise we print the error
# from kubectl and exit with an error code.
kubectl config get-contexts --no-headers "$context" >/dev/null || exit 1
kubectl_cmd+=("--context=$context")
fi
set -u
################
# Check for jq #
################
if ! command -v jq > /dev/null; then
echo "Please install the jq JSON parser (https://stedolan.github.io/jq/)"
exit 1
fi
# When k8s apiserver is run with the flag "--anonymous-auth=true" (still the
# default as of Kubernetes 1.16), unauthenticated connections are allowed to
# k8s API endpoint, corresponding to the user "system:anonymous" and the
# group "system:unauthenticated" in Kubernetes RBAC.
# See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
# When k8s kubelet is run with the flag "--anonymous-auth=true" (still the
# default as of Kubernetes 1.16), unauthenticated connections are allowed to
# kubelet HTTP endpoints. corresponding to the user "system:anonymous" and the
# group "system:unauthenticated" in Kubernetes RBAC.
# See https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/
echo "Checking ClusterRoleBindings"
_kubectl get clusterrolebindings -o json | jq -r '
.items[] | (
(select((.subjects // [])[] | select(.kind == "User" and .name == "system:anonymous") | length > 0) | "ClusterRoleBinding " + .metadata.name + " binds the system:anonymous user"),
(select((.subjects // [])[] | select((.kind == "Group" or .kind == "SystemGroup") and .name == "system:unauthenticated") | length > 0) | "ClusterRoleBinding " + .metadata.name + " binds the system:unauthenticated group")
)'
echo "Checking RoleBindings"
_kubectl get rolebindings --all-namespaces -o json | jq -r '
.items[] | (
(select((.subjects // [])[] | select(.kind == "User" and .name == "system:anonymous") | length > 0) | "RoleBinding " + .metadata.name + " in namespace " + .metadata.namespace + " binds the system:anonymous user"),
(select((.subjects // [])[] | select((.kind == "Group" or .kind == "SystemGroup") and .name == "system:unauthenticated") | length > 0) | "RoleBinding " + .metadata.name + " in namespace " + .metadata.namespace + " binds the system:unauthenticated group")
)'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.