audit2rbac
audit2rbac is an open-source tool that automatically generates Kubernetes RBAC policies based on actual API server audit logs. Instead of manually crafting Role and ClusterRole resources, audit2rbac analyzes recorded API requests to produce minimal, least-privilege RBAC configurations that match real-world usage patterns.
This approach eliminates guesswork when defining permissions and ensures that generated policies grant only the access that was actually needed during the observed period.
Use Cases
- Generate RBAC policies for service accounts based on their actual API usage.
- Migrate from overly permissive RBAC configurations to least-privilege policies.
- Audit existing workloads to understand their true permission requirements.
- Create baseline RBAC policies during development and testing phases.
- Validate that workloads are not requesting more permissions than they use.
Installation
Install audit2rbac from the official GitHub releases:
# Download the latest release (Linux/amd64)
curl -L https://github.com/liggitt/audit2rbac/releases/download/v0.9.0/audit2rbac-linux-amd64.tar.gz | tar xz
chmod +x audit2rbac
sudo mv audit2rbac /usr/local/bin/
For macOS:
curl -L https://github.com/liggitt/audit2rbac/releases/download/v0.9.0/audit2rbac-darwin-amd64.tar.gz | tar xz
chmod +x audit2rbac
sudo mv audit2rbac /usr/local/bin/
Prerequisites
audit2rbac requires Kubernetes API server audit logging to be enabled. Configure the API server with an audit policy:
Audit Policy Example
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: RequestResponse
users: ["system:serviceaccount:*:*"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
resources:
- group: ""
resources: ["*"]
- group: "apps"
resources: ["*"]
Enable audit logging on the API server:
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30
--audit-log-maxbackup=10
--audit-log-maxsize=100
Usage Examples
Generate RBAC for a Service Account
Analyze audit logs and generate RBAC for a specific service account:
audit2rbac --filename=/var/log/kubernetes/audit.log \
--serviceaccount=my-namespace:my-service-account
Generate ClusterRole for a User
audit2rbac --filename=/var/log/kubernetes/audit.log \
--user=jane@example.com
Output to File
audit2rbac --filename=/var/log/kubernetes/audit.log \
--serviceaccount=production:app-sa \
> generated-rbac.yaml
Generate Namespace-Scoped Role
By default, audit2rbac generates ClusterRoles. To generate namespace-scoped Roles:
audit2rbac --filename=/var/log/kubernetes/audit.log \
--serviceaccount=my-namespace:my-sa \
--generate-kind=Role \
--generate-name=my-sa-role
Example Output
Running audit2rbac produces RBAC manifests ready for deployment:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: my-sa-role
namespace: my-namespace
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["my-secret"]
verbs: ["get"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: my-sa-role-binding
namespace: my-namespace
subjects:
- kind: ServiceAccount
name: my-sa
namespace: my-namespace
roleRef:
kind: Role
name: my-sa-role
apiGroup: rbac.authorization.k8s.io
Best Practices
- Collect sufficient audit data: Run audit2rbac against logs that cover all expected workload operations, including startup, steady-state, and edge cases.
- Review generated policies: Always review generated RBAC before applying to production to ensure no unexpected permissions are included.
- Use resource names when possible: audit2rbac can generate rules with specific
resourceNamesfor finer-grained access control. - Iterate over time: Regenerate policies periodically as workload requirements evolve.
- Combine with policy enforcement: Use generated policies alongside tools like OPA Gatekeeper or Kyverno to enforce RBAC best practices.
Limitations
- Requires audit logging to be enabled on the Kubernetes API server.
- Only captures API requests that occurred during the audit period.
- Does not account for future permission requirements or code changes.
- Generated policies reflect observed behavior, which may include unnecessary access patterns.
References
This article is based on information from the following official sources:
- audit2rbac GitHub Repository - GitHub
- Auditing - Kubernetes Documentation
- Using RBAC Authorization - Kubernetes Documentation