finds.dev← search

// the find

liggitt/audit2rbac

★ 1,112 · Go · NOASSERTION · updated Feb 2023

Autogenerate RBAC policies based on Kubernetes audit logs

audit2rbac reads Kubernetes audit logs and generates the minimum RBAC Role and RoleBinding objects needed to cover what a given user actually did. It's a bootstrap tool for teams that granted a service account or developer broad access during development and now need to lock it down properly. Written by a Kubernetes maintainer (Jordan Liggitt), so the API machinery understanding is solid.

The core idea is sound: observing real behavior to derive least-privilege policy is more reliable than guessing. Supports all three audit API versions (v1, v1beta1, v1alpha1), so it works against old clusters. Output is ready-to-apply YAML with generated labels, not pseudocode you still have to translate. The author works directly on Kubernetes RBAC, so edge cases around impersonation, service accounts, and resource subresources are handled correctly.

Last commit was February 2023 — Kubernetes has moved fast since, and there's no signal this is being maintained. The workflow requires you to first grant broad access to capture all API calls, which is the exact blast radius you're trying to avoid; in prod that's often not acceptable. It only handles what a user *did*, not what they *should* do — any code path not exercised during audit collection produces a policy gap. No support for aggregated ClusterRoles or generating policies for groups, only individual users and service accounts.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →