Commit 2de1d94

Align docs with output
1 parent 58b25d5 commit 2de1d94

2 files changed

+33
-25
lines changed

README.md

Lines changed: 32 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -7,12 +7,10 @@ analysis](https://github.com/DataDog/managed-kubernetes-auditing-toolkit/actions
77
MKAT is an all-in-one auditing toolkit for identifying common security issues within managed Kubernetes environments. It is focused on Amazon EKS at the moment, and will be extended to other managed Kubernetes environments in the future.
88

99
Features:
10-
- 🔎 [Identify trust relationships between K8s service accounts and AWS IAM roles](#identify-trust-relationships-between-k8s-service-accounts-and-aws-iam-roles)
10+
- 🔎 [Identify trust relationships between K8s service accounts and AWS IAM roles](#identify-trust-relationships-between-k8s-service-accounts-and-aws-iam-roles) - supports both IAM Roles for Service Accounts (IRSA), and [Pod Identity]((https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/) ([released] on November 26th 2023)
1111
- 🔑 [Find hardcoded AWS credentials in K8s resources](#find-hardcoded-aws-credentials-in-k8s-resources)
1212
- 💀 [Test if pods can access the AWS Instance Metadata Service (IMDS)](#test-if-pods-can-access-the-aws-instance-metadata-service-imds)
1313

14-
_Note: At the time, MKAT doesn't support EKS Pod Identity, [released](https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/) on November 26th 2023. Watch [#13] for updates._
15-
1614
## Installation
1715

1816
```bash
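Review bot: the new feature line 10 ships two broken links. `[Pod Identity]((https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/)` has a doubled opening parenthesis, and `([released] on November 26th 2023)` is a bare `[released]` reference with no link definition, because the URL stayed on the removed note line. Suggest `- supports both IAM Roles for Service Accounts (IRSA) and [EKS Pod Identity](https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/) (released on November 26th 2023)`, or keep "released" as the link text as the old note did, but not both forms at once.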
@@ -33,35 +31,45 @@ aws eks update-kubeconfig --name <cluster-name>
3331

3432
### Identify trust relationships between K8s service accounts and AWS IAM roles
3533

36-
[IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) is
37-
a popular mechanism to allow pods to assume AWS IAM roles, by exchanging a Kubernetes service account token for AWS credentials through the AWS STS API (`AssumeRoleWithWebIdentity`).
34+
MKAT can identify the trust relationships between K8s service accounts and AWS IAM roles, and display them in a table or as a graph. It currently supports:
35+
36+
- **[IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)**,
37+
a popular mechanism to allow pods to assume AWS IAM roles by exchanging a Kubernetes service account token for AWS credentials through the AWS STS API (`AssumeRoleWithWebIdentity`).
38+
- **[EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html)**, another newer mechanism that works in a similar way, but is easier to set up.
3839

39-
MKAT can identify the trust relationships between K8s service accounts and AWS IAM roles, and display them in a table or as a graph.
40-
It works by looking both at the trust policy of the IAM roles, and at the service accounts that are associated with the pods running in the cluster.
40+
MKAT works by analyzing both the IAM roles in the AWS account, and the K8s service accounts in the cluster, and then matching them together based on these two mechanisms.
4141

4242
```bash
4343
$ mkat eks find-role-relationships
44-
_ _
45-
_ __ ___ | | __ __ _ | |_
44+
_ __ ___ | | __ __ _ | |_
4645
| '_ ` _ \ | |/ / / _` | | __|
4746
| | | | | | | < | (_| | | |_
4847
|_| |_| |_| |_|\_\ \__,_| \__|
4948
50-
2023/04/12 00:25:15 Connected to EKS cluster mkat-cluster
51-
2023/04/12 00:25:15 Retrieving cluster OIDC issuer
52-
2023/04/12 00:25:16 Listing roles in the AWS account
53-
2023/04/12 00:25:18 Listing K8s service accounts in all namespaces
54-
2023/04/12 00:25:19 Analyzing the trust policy of 5 IAM roles that have the cluster's OIDC provider in their trust policy
55-
+-----------+----------------------+-------------------+-------------------------------------------------------+
56-
| NAMESPACE | SERVICE ACCOUNT | POD | ASSUMABLE ROLE ARN |
57-
+-----------+----------------------+-------------------+-------------------------------------------------------+
58-
| default | apigw-sa | apigw | arn:aws:iam::677301038893:role/apigw-role |
59-
| | | | arn:aws:iam::677301038893:role/s3-reader |
60-
| | inventory-service-sa | inventory-service | arn:aws:iam::677301038893:role/inventory-service-role |
61-
| | | | arn:aws:iam::677301038893:role/s3-reader |
62-
| | kafka-proxy-sa | kafka-proxy | arn:aws:iam::677301038893:role/kafka-proxy-role |
63-
| | rate-limiter-sa | rate-limiter | arn:aws:iam::677301038893:role/rate-limiter-role |
64-
+-----------+----------------------+-------------------+-------------------------------------------------------+
49+
2023/11/28 21:05:59 Connected to EKS cluster mkat-cluster
50+
2023/11/28 21:05:59 Retrieving cluster information
51+
2023/11/28 21:06:00 Listing K8s service accounts in all namespaces
52+
2023/11/28 21:06:02 Listing roles in the AWS account
53+
2023/11/28 21:06:03 Found 286 IAM roles in the AWS account
54+
2023/11/28 21:06:03 Analyzing IAM Roles For Service Accounts (IRSA) configuration
55+
2023/11/28 21:06:03 Analyzing Pod Identity configuration of your cluster
56+
2023/11/28 21:06:04 Analyzing namespace microservices which has 1 Pod Identity associations
57+
2023/11/28 21:06:04 Adding assumable role arn:aws:iam::677301038893:role/webserver-role to pod rate-limiter-1 in namespace microservices
58+
+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+
59+
| NAMESPACE | SERVICE ACCOUNT | POD | ASSUMABLE ROLE | MECHANISM |
60+
+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+
61+
| microservices | inventory-service-sa | inventory-service | inventory-service-role | IAM Roles for Service Accounts |
62+
| | | | s3-backup-role | IAM Roles for Service Accounts |
63+
| | rate-limiter-sa | rate-limiter-1 | rate-limiter-role | IAM Roles for Service Accounts |
64+
| | | | webserver-role | Pod Identity |
65+
| | | rate-limiter-2 | rate-limiter-role | IAM Roles for Service Accounts |
66+
| | | | webserver-role | Pod Identity |
67+
+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+
68+
| default | vulnerable-application-sa | vulnerable-application | vulnerable-application-role | IAM Roles for Service Accounts |
69+
| | webserver-sa | webserver | webserver-role | IAM Roles for Service Accounts |
70+
+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+
71+
| external-secrets | external-secrets-sa | external-secrets-66cfb84c9b-kldt9 | ExternalSecretsRole | IAM Roles for Service Accounts |
72+
+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+
6573
```
6674
6775
It can also generate a `dot` output for graphic visualization:
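Review bot: the rewritten explanation on new line 40 loses the one concrete detail a reader needs, namely that the IRSA match is made from the IAM roles' trust policies (the removed line 40 said so, and the removed log line "Analyzing the trust policy of 5 IAM roles that have the cluster's OIDC provider in their trust policy" showed it); "analyzing both the IAM roles in the AWS account" does not tell the reader what is actually compared. Suggest keeping the trust-policy wording for IRSA and stating that Pod Identity relationships come from the cluster's Pod Identity associations, which is what the new log line "Analyzing namespace microservices which has 1 Pod Identity associations" reports. Two consistency points in the sample output: the log shows a single "Adding assumable role ... to pod rate-limiter-1" line for one association, while the table lists `webserver-role` via Pod Identity for both `rate-limiter-1` and `rate-limiter-2`, so either a log line was trimmed or the sample should show both pods in the log; and the "Adding assumable role" line still embeds the full ARN with account ID 677301038893 even though the table now shows names only, so a documentation placeholder account ID would be preferable. Minor wording on new line 38: "another newer mechanism" reads better as "a newer mechanism".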

cmd/managed-kubernetes-auditing-toolkit/eks/role_relationships.go

Lines changed: 1 addition & 1 deletion
@@ -119,7 +119,7 @@ func getTextOutput(resolver *role_relationships.EKSCluster) (string, error) {
119119
{Number: 2, AutoMerge: true, VAlign: text.VAlignMiddle},
120120
{Number: 3, AutoMerge: true, VAlign: text.VAlignMiddle},
121121
})
122-
t.AppendHeader(table.Row{"Namespace", "Service Account", "Pod", "Assumable Role ARN", "Mechanism"})
122+
t.AppendHeader(table.Row{"Namespace", "Service Account", "Pod", "Assumable Role", "Mechanism"})
123123
var found = false
124124
for namespace, pods := range resolver.PodsByNamespace {
125125
for _, pod := range pods {
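Review bot: renaming the header to "Assumable Role" implies the column now carries a role name rather than an ARN (the README sample in this commit shows values such as `inventory-service-role`), but nothing in this hunk changes what is appended to the rows; confirm that the row-building loop below this hunk emits the role name, otherwise the header and the data disagree. Worth a sentence in the README as well: an ARN carries the account ID, so with names only, two roles of the same name in different AWS accounts are indistinguishable in the table, which matters when auditing which account a pod can reach.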
