
On-Demand Webinar 

Kubernetes RBAC: Audit Your Cluster’s RBAC Configuration for Vulnerabilities

Learn how Aqua's open source tool, a `kubectl` plugin called `who-can`, finds vulnerabilities in your cluster's RBAC configuration.

Providing the right access to administer your Kubernetes cluster is crucial. It reduces exposure and vulnerability but is hard to manage and visualize with `kubectl` and the Kubernetes API directly. There are certain best practices to be applied, but those are typically not imposed by the default Kubernetes cluster deployments.

In this webinar we're going to show you an open source tool developed at Aqua, a `kubectl` plugin called `who-can`, for auditing your cluster's RBAC configuration to find some of the vulnerabilities. We’ll explain how to:

  • Apply the principle of least privilege to Kubernetes RBAC policies
  • Be specific when granting access to Kubernetes resources and verbs, and avoid the wildcard `*`
  • Use Roles instead of ClusterRoles when possible
  • Use ClusterRoles and ClusterRoleBindings appropriately
  • Use the `kubectl who-can` plugin to test whether your cluster complies with the above best practices
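
The practices listed above can also be checked statically against exported RBAC objects. The following is an added example, not code from the webinar or from `who-can`: it flags wildcard rules and cluster-wide bindings in a constructed sample, and the object names and the single-namespace heuristic are assumptions made for illustration.

```python
import json

# Constructed sample, shaped like the "items" of
# `kubectl get roles,clusterroles,clusterrolebindings -A -o json`.
SAMPLE = json.loads("""[
 {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "shop"},
  "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deployer-all"},
  "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "shop-secrets"},
  "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "shop"}]}
]""")

def audit(items):
    """Return sorted (kind, name, finding) tuples for risky RBAC objects."""
    findings, wildcard_roles = [], set()
    for obj in items:
        kind, name = obj["kind"], obj["metadata"]["name"]
        if kind in ("Role", "ClusterRole"):
            for rule in obj.get("rules") or []:  # aggregated roles may have null rules
                fields = [f for f in ("apiGroups", "resources", "verbs")
                          if "*" in (rule.get(f) or [])]
                if fields:
                    wildcard_roles.add((kind, name))
                    findings.append((kind, name, "wildcard in " + ",".join(fields)))
    for obj in items:
        if obj["kind"] != "ClusterRoleBinding":
            continue
        name, ref = obj["metadata"]["name"], obj["roleRef"]
        if (ref["kind"], ref["name"]) in wildcard_roles:
            findings.append(("ClusterRoleBinding", name, "grants wildcard role cluster-wide"))
        # Heuristic (assumption): subjects that all live in one namespace
        # rarely need cluster-wide scope; a Role + RoleBinding may suffice.
        namespaces = {s.get("namespace") for s in obj.get("subjects") or []}
        if len(namespaces) == 1 and None not in namespaces:
            findings.append(("ClusterRoleBinding", name,
                             "single-namespace subjects; consider RoleBinding"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

A static pass like this only reads the manifests; it does not resolve which subjects can actually perform a verb on a resource in a live cluster.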

Presented by:

Daniel Pacak
Open Source Engineer with Aqua Security
