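#!/usr/bin/env bash
# Audit helper: list every ClusterRoleBinding / RoleBinding that grants
# permissions to unauthenticated callers (User system:anonymous or Group
# system:unauthenticated). Requires kubectl and jq on PATH.
set -e

#########
# Usage #
#########
# -h / --help print the usage text; any other first argument is treated as the
# kubectl context name further below.
if [[ "$1" == "-h" || "$1" == "--help" ]]; then
  cat <<EOF
$0 [CONTEXT] -- Find all (Cluster)RoleBindings applying to unauthenticated users in a Kubernetes cluster
CONTEXT: context to use for kubectl
EOF
  exit 1
fi

# Base kubectl invocation as an array so that extra flags (--context=...) can be
# appended later without word-splitting surprises; every call goes through _kubectl.
kubectl_cmd=(kubectl)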
#######################################
# Run kubectl with the shared base command.
# Globals:   kubectl_cmd (read) - array holding the kubectl binary plus any
#            flags added at startup, e.g. --context=NAME
# Arguments: forwarded verbatim to kubectl
# Outputs:   whatever kubectl prints
# Returns:   kubectl's exit status
#######################################
_kubectl() {
  local -a full_cmd=("${kubectl_cmd[@]}" "$@")
  "${full_cmd[@]}"
}
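#########################
# Check required tools  #
#########################
# Checked before the context probe below, which already needs kubectl.
if ! command -v kubectl > /dev/null; then
  echo "Please install kubectl (https://kubernetes.io/docs/tasks/tools/)" >&2
  exit 1
fi
if ! command -v jq > /dev/null; then
  echo "Please install the jq JSON parser (https://stedolan.github.io/jq/)" >&2
  exit 1
fi

if [[ -n "$1" ]]; then
  context="$1"
  # Tests if the context exists. If it does, all output is suppressed, otherwise we print the error
  # from kubectl and exit with an error code. Plain kubectl is used here because
  # the context is not yet part of kubectl_cmd.
  kubectl config get-contexts --no-headers "$context" >/dev/null || exit 1
  kubectl_cmd+=("--context=$context")
fi

# -u only from here on: "$1" above is legitimately unset when no context is given.
# pipefail is essential for an audit script: the checks below are
# `kubectl ... | jq ...` pipelines, and without it a failing kubectl (bad
# credentials, RBAC denial, unreachable cluster) feeds jq an empty document,
# jq exits 0, and the script reports "nothing found" with status 0 -- a silent
# false negative. With pipefail the pipeline status is non-zero and set -e aborts.
set -u -o pipefail

# When k8s apiserver is run with the flag "--anonymous-auth=true" (still the
# default as of Kubernetes 1.16), unauthenticated connections are allowed to
# k8s API endpoint, corresponding to the user "system:anonymous" and the
# group "system:unauthenticated" in Kubernetes RBAC.
# See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
# When k8s kubelet is run with the flag "--anonymous-auth=true" (still the
# default as of Kubernetes 1.16), unauthenticated connections are allowed to
# kubelet HTTP endpoints. corresponding to the user "system:anonymous" and the
# group "system:unauthenticated" in Kubernetes RBAC.
# See https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/
#
# jq logic: for each binding, the inner select() yields one value per subject
# that matches, so the outer select() emits the binding (once per match) when at
# least one subject is the anonymous user / unauthenticated group. Missing
# .subjects is treated as an empty list.
# NOTE(review): recent clusters typically ship a default ClusterRoleBinding
# (system:public-info-viewer) that binds system:unauthenticated; seeing it in
# the output is expected baseline -- anything beyond that deserves a closer look.
echo "Checking ClusterRoleBindings"
_kubectl get clusterrolebindings -o json | jq -r '
  .items[] | (
    (select((.subjects // [])[] | select(.kind == "User" and .name == "system:anonymous") | length > 0) | "ClusterRoleBinding " + .metadata.name + " binds the system:anonymous user"),
    (select((.subjects // [])[] | select((.kind == "Group" or .kind == "SystemGroup") and .name == "system:unauthenticated") | length > 0) | "ClusterRoleBinding " + .metadata.name + " binds the system:unauthenticated group")
  )'

echo "Checking RoleBindings"
_kubectl get rolebindings --all-namespaces -o json | jq -r '
  .items[] | (
    (select((.subjects // [])[] | select(.kind == "User" and .name == "system:anonymous") | length > 0) | "RoleBinding " + .metadata.name + " in namespace " + .metadata.namespace + " binds the system:anonymous user"),
    (select((.subjects // [])[] | select((.kind == "Group" or .kind == "SystemGroup") and .name == "system:unauthenticated") | length > 0) | "RoleBinding " + .metadata.name + " in namespace " + .metadata.namespace + " binds the system:unauthenticated group")
  )'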