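#!/usr/bin/env bash
# Find every (Cluster)RoleBinding that grants a role to unauthenticated callers
# (the "system:anonymous" user or the "system:unauthenticated" group).
#
# Usage:    $0 [CONTEXT]   CONTEXT is an optional kubectl context name.
# Requires: kubectl, jq.
#
# -e          abort on the first failing command.
# -o pipefail without it a `kubectl ... | jq ...` pipeline reports jq's status,
#             so a failing kubectl (RBAC denied, bad kubeconfig, ...) would
#             print nothing and exit 0 -- indistinguishable from "no findings",
#             which is the worst possible failure mode for a security check.
set -eo pipefail

#########
# Usage #
#########
# "${1-}" rather than "$1" so the test is safe even under `bash -u`.
if [[ "${1-}" == "-h" || "${1-}" == "--help" ]]; then
  cat <<EOF
$0 [CONTEXT] -- Find all (Cluster)RoleBindings applying to unauthenticated users in a Kubernetes cluster
CONTEXT: context to use for kubectl
EOF
  exit 1
fi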
# Base kubectl argv. Global flags (e.g. --context=...) are appended to this
# array once validated, so every API call goes through one well-defined
# command line instead of a string that is re-split on each use.
kubectl_cmd=(kubectl)

#######################################
# Run kubectl with the accumulated global flags.
# Globals:   kubectl_cmd (read)
# Arguments: passed through verbatim, after the global flags
# Outputs:   whatever kubectl prints; exit status is kubectl's
#######################################
_kubectl() {
  local -a argv=("${kubectl_cmd[@]}" "$@")
  "${argv[@]}"
}
# Optional first argument: a kubectl context. It is validated up front so a
# typo fails loudly here, before any cluster query is attempted.
if [[ -n "${1-}" ]]; then
  context=$1
  # `get-contexts NAME` succeeds only if NAME exists. Its table output is
  # discarded; kubectl's own error message (stderr) and non-zero status are
  # kept, and the latter terminates the script.
  if ! kubectl config get-contexts --no-headers "$context" >/dev/null; then
    exit 1
  fi
  kubectl_cmd+=("--context=$context")
fi

# Every variable must be set from here on. Deliberately enabled only after the
# "$1" checks above, since an absent positional parameter would trip -u.
set -u
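################
# Check for jq #
################
# All JSON handling below is done with jq; fail early with an actionable hint.
# The hint goes to stderr so it is never mistaken for (or mixed into) the
# findings when stdout is captured or piped into another tool.
if ! command -v jq >/dev/null 2>&1; then
  printf '%s\n' "Please install the jq JSON parser (https://stedolan.github.io/jq/)" >&2
  exit 1
fi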
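# Background
# ----------
# When the apiserver runs with --anonymous-auth=true (still the default as of
# Kubernetes 1.16), unauthenticated requests are accepted and authorized as the
# user "system:anonymous" in the group "system:unauthenticated". Any RBAC
# binding whose subjects include either identity therefore hands its role to
# anyone who can reach the API endpoint.
# See https://kubernetes.io/docs/reference/access-authn-authz/authentication/#anonymous-requests
#
# The kubelet has the same --anonymous-auth=true default for its HTTP
# endpoints; when it uses webhook authorization it asks the apiserver
# (SubjectAccessReview), so the same identities and bindings matter there too.
# See https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/
#
# Scope: this script only inspects RBAC objects. It cannot tell whether
# anonymous auth is actually enabled on the apiserver or kubelets, and it does
# not evaluate non-RBAC authorizers (ABAC, webhook, Node). Treat every hit as
# reachable by an unauthenticated caller unless you have verified otherwise.
# NOTE(review): recent releases ship a default ClusterRoleBinding for the
# unauthenticated group (system:public-info-viewer, health/version endpoints
# only) -- confirm it is expected before reporting it as a finding.

#######################################
# Print one line per subject that resolves to an unauthenticated caller.
# The bound role (roleRef) is included because it, not the binding name, is
# what determines the blast radius of the finding.
# Arguments: $1 - label for the binding kind ("ClusterRoleBinding"/"RoleBinding")
# Inputs:    a `kubectl get ... -o json` list on stdin
# Outputs:   one report line per matching subject on stdout; nothing if none
# Returns:   jq's exit status
#######################################
report_anonymous_bindings() {
  local kind_label=$1
  # "SystemGroup" is not an RBAC subject kind, but it is kept from the original
  # filter so nothing that used to be reported is dropped.
  # A missing namespace (ClusterRoleBinding) is null, so the " in namespace"
  # fragment is only emitted for RoleBindings.
  jq -r --arg kind "$kind_label" '
    (.items // [])[]
    | . as $binding
    | (.subjects // [])[]
    | select(
        (.kind == "User" and .name == "system:anonymous")
        or ((.kind == "Group" or .kind == "SystemGroup") and .name == "system:unauthenticated")
      )
    | $kind + " " + $binding.metadata.name
      + (if $binding.metadata.namespace then " in namespace " + $binding.metadata.namespace else "" end)
      + " binds the " + .name + " " + (if .kind == "User" then "user" else "group" end)
      + " to " + ($binding.roleRef.kind // "?") + "/" + ($binding.roleRef.name // "?")
  '
}

#######################################
# List one binding kind from the cluster and report its anonymous subjects.
# Arguments: $1   - label for the binding kind
#            $2.. - resource name and extra kubectl flags (e.g. --all-namespaces)
# Outputs:   report lines on stdout; an error on stderr if listing fails
# Returns:   0 on success, 1 if kubectl could not list the resource
#######################################
check_bindings() {
  local kind_label=$1
  shift
  local json
  # Capture first instead of piping straight into jq: with plain `set -e` a
  # failing kubectl inside a pipeline is masked by jq exiting 0 on empty
  # input, and an "access denied" run would look exactly like "no findings".
  if ! json=$(_kubectl get "$@" -o json); then
    printf 'error: could not list %ss; check kubeconfig/permissions\n' "$kind_label" >&2
    return 1
  fi
  report_anonymous_bindings "$kind_label" <<<"$json"
}

echo "Checking ClusterRoleBindings"
check_bindings ClusterRoleBinding clusterrolebindings
echo "Checking RoleBindings"
check_bindings RoleBinding rolebindings --all-namespaces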