

Fix role-bind attack (#299)
* fix role-bind attack

* Fixing the non-large-cluster traversal branch (limiting it to the current runID)
jt-dd authored Dec 3, 2024
1 parent 0d76841 commit 7dd7f32
Showing 7 changed files with 32 additions and 27 deletions.
3 changes: 2 additions & 1 deletion pkg/kubehound/graph/edge/pod_create.go
Expand Up @@ -86,7 +86,8 @@ func (e *PodCreate) Traversal() types.EdgeTraversal {
} else {
// In smaller clusters we can still show the (large set of) attack paths generated by this attack
g.V().
HasLabel("Node").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "Node").
As("n").
V(inserts...).
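Review bot: The new `Has("runID", …)` and `Has("cluster", …)` steps in the else branch carry no comment saying why they are needed, and that reason is presumably the fix itself: a graph that still holds vertices from an earlier run or another cluster would otherwise let an unscoped `Node` match attach the inserted vertices to foreign nodes and fabricate cross-cluster attack paths. A why-comment above `g.V().` would stop a later cleanup from dropping the scope, e.g. `// Scope to this run and cluster only: the backend may hold vertices from other ingests, and matching them would create cross-run attack edges.` Note that the traversal now keys on the `class` property instead of the vertex label, so every Node vertex must carry `runID`, `cluster` and `class`; if any is missing the traversal silently emits no edges instead of failing, which is worth a fixture test that asserts a non-zero edge count. The large-cluster branch and the remainder of Traversal() lie outside this hunk.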
3 changes: 2 additions & 1 deletion pkg/kubehound/graph/edge/pod_exec.go
Expand Up @@ -86,7 +86,8 @@ func (e *PodExec) Traversal() types.EdgeTraversal {
} else {
// In smaller clusters we can still show the (large set of) attack paths generated by this attack
g.V().
HasLabel("Pod").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "Pod").
As("p").
V(inserts...).
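Review bot: The three-step scope prefix `Has("runID", …).Has("cluster", …).Has("class", …)` is now hand-copied into this traversal and, per the diffstat, into six sibling edge files; a future edge that forgets one of the three steps reintroduces exactly the cross-run linkage this commit removes, and nothing in the code would catch it. A small shared helper would make the scoping a single point of truth that each edge calls instead of re-typing. The rest of Traversal() and the large-cluster branch are outside this hunk, so the helper's exact placement cannot be judged from here.
```go
// scoped narrows a vertex traversal to vertices of the given class that belong
// to the current run and cluster, so edges never cross into another ingest's data.
func scoped(t *gremlin.GraphTraversal, runID, cluster, class string) *gremlin.GraphTraversal {
	return t.Has("runID", runID).Has("cluster", cluster).Has("class", class)
}
// … call site in the else branch …
scoped(g.V(), e.runtime.RunID.String(), e.runtime.ClusterName, "Pod").
	As("p").
	V(inserts...).
```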
3 changes: 2 additions & 1 deletion pkg/kubehound/graph/edge/pod_patch.go
Expand Up @@ -86,7 +86,8 @@ func (e *PodPatch) Traversal() types.EdgeTraversal {
} else {
// In smaller clusters we can still show the (large set of) attack paths generated by this attack
g.V().
HasLabel("Pod").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "Pod").
As("p").
V(inserts...).
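Review bot: Replacing `HasLabel("Pod")` with `Has("class", "Pod")` changes how the backend finds the start set: a label lookup is served by the label index, whereas a property lookup needs a composite index covering `class`, `runID` and `cluster` or it degrades to a full vertex scan — the graph schema is not in this diff, so this needs confirming against the index definitions. If the class property is not indexed, keeping `HasLabel("Pod").` as the first step before `Has("runID", …)` is harmless (the two are presumably redundant) and keeps the label index in play. It would also preserve the old matched set should any Pod vertex ever carry a `class` value that diverges from its label. The enclosing Traversal() continues beyond this hunk.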
18 changes: 8 additions & 10 deletions pkg/kubehound/graph/edge/role_bind_crb_cr_cr.go
Expand Up @@ -7,7 +7,6 @@ import (
"github.com/DataDog/KubeHound/pkg/kubehound/graph/adapter"
"github.com/DataDog/KubeHound/pkg/kubehound/graph/types"
"github.com/DataDog/KubeHound/pkg/kubehound/models/converter"
"github.com/DataDog/KubeHound/pkg/kubehound/risk"
"github.com/DataDog/KubeHound/pkg/kubehound/storage/cache"
"github.com/DataDog/KubeHound/pkg/kubehound/storage/storedb"
"github.com/DataDog/KubeHound/pkg/kubehound/store/collections"
Expand Down Expand Up @@ -53,19 +52,16 @@ func (e *RoleBindCrbCrCr) Traversal() types.EdgeTraversal {
return func(source *gremlin.GraphTraversalSource, inserts []any) *gremlin.GraphTraversal {
g := source.GetGraphTraversal()

// Gathering all sensitives roles
sensitiveRoles := make([]string, 0, len(risk.CriticalRoleMap))
for k := range risk.CriticalRoleMap {
sensitiveRoles = append(sensitiveRoles, k)
}

if e.cfg.LargeClusterOptimizations {
// For larger clusters simply target specific roles to reduce number of attack paths
g.V().
HasLabel("PermissionSet").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "PermissionSet").
Has("isNamespaced", false).
// Temporary measure, until we scan and flag for sensitive roles
Has("role", P.Within(sensitiveRoles)).
Has("critical", true).
// Has("role", P.Within(sensitiveRoles)).
As("r").
V(inserts...).
Has("critical", false).
Expand All @@ -75,7 +71,9 @@ func (e *RoleBindCrbCrCr) Traversal() types.EdgeTraversal {
} else {
// In smaller clusters we can still show the (large set of) attack paths generated by this attack
g.V().
HasLabel("PermissionSet").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "PermissionSet").
Has("isNamespaced", false).
As("i").
V(inserts...).
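Review bot: The comment `// Temporary measure, until we scan and flag for sensitive roles` is now stale in the large-cluster branch: it sits directly above `Has("critical", true)`, which is the flag-based filter the comment was waiting for, and the commented-out `// Has("role", P.Within(sensitiveRoles))` refers to a variable this same commit deletes along with the `risk` import, so it can never be re-enabled by uncommenting. Both lines should go, replaced by one comment that states the new contract, e.g. `// Only target permission sets flagged critical at ingest time; the old name-based list has been retired.` Since the branch now depends entirely on that flag being populated, an ingest that never sets `critical` would make this traversal silently produce no ROLE_BIND edges in large-cluster mode, so a fixture test asserting edge count on a known critical ClusterRole is warranted. Traversal() starts before the first hunk and the large-cluster branch continues past it.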
18 changes: 8 additions & 10 deletions pkg/kubehound/graph/edge/role_bind_crb_cr_r.go
Expand Up @@ -7,7 +7,6 @@ import (
"github.com/DataDog/KubeHound/pkg/kubehound/graph/adapter"
"github.com/DataDog/KubeHound/pkg/kubehound/graph/types"
"github.com/DataDog/KubeHound/pkg/kubehound/models/converter"
"github.com/DataDog/KubeHound/pkg/kubehound/risk"
"github.com/DataDog/KubeHound/pkg/kubehound/storage/cache"
"github.com/DataDog/KubeHound/pkg/kubehound/storage/storedb"
"github.com/DataDog/KubeHound/pkg/kubehound/store/collections"
Expand Down Expand Up @@ -53,19 +52,16 @@ func (e *RoleBindCrbCrR) Traversal() types.EdgeTraversal {
return func(source *gremlin.GraphTraversalSource, inserts []any) *gremlin.GraphTraversal {
g := source.GetGraphTraversal()

// Gathering all sensitives roles
sensitiveRoles := make([]string, 0, len(risk.CriticalRoleMap))
for k := range risk.CriticalRoleMap {
sensitiveRoles = append(sensitiveRoles, k)
}

if e.cfg.LargeClusterOptimizations {
// For larger clusters simply target specific roles to reduce number of attack paths
g.V().
HasLabel("PermissionSet").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "PermissionSet").
Has("isNamespaced", true).
// Temporary measure, until we scan and flag for sensitive roles
Has("role", P.Within(sensitiveRoles)).
Has("critical", true).
// Has("role", P.Within(sensitiveRoles)).
As("r").
V(inserts...).
Has("critical", false).
Expand All @@ -75,7 +71,9 @@ func (e *RoleBindCrbCrR) Traversal() types.EdgeTraversal {
} else {
// In smaller clusters we can still show the (large set of) attack paths generated by this attack
g.V().
HasLabel("PermissionSet").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "PermissionSet").
Has("isNamespaced", true).
As("i").
V(inserts...).
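Review bot: The branch comment `// For larger clusters simply target specific roles to reduce number of attack paths` no longer describes the code beneath it: the role-name list is gone and the target set is now whichever namespaced PermissionSet vertices carry `critical == true`. Update it to match, e.g. `// For larger clusters only target permission sets flagged critical, to bound the number of attack paths.` The leftover `// Has("role", P.Within(sensitiveRoles))` line names a variable that is deleted in this commit and should be removed rather than kept as dead commentary; if `P` has no remaining use in the file after this, the import that provides it will need attention as well, which cannot be confirmed from the hunk. Traversal() begins before the first hunk and continues after the last.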
7 changes: 5 additions & 2 deletions pkg/kubehound/graph/edge/token_bruteforce.go
Expand Up @@ -64,7 +64,9 @@ func (e *TokenBruteforce) Traversal() types.EdgeTraversal {
if e.cfg.LargeClusterOptimizations {
// For larger clusters simply target the system:masters group to reduce redundant attack paths
g.V().
HasLabel("Identity").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "Identity").
Has("name", "system:masters").
As("i").
V(inserts...).
Expand All @@ -75,7 +77,8 @@ func (e *TokenBruteforce) Traversal() types.EdgeTraversal {
} else {
// In smaller clusters we can still show the (large set of) attack paths generated by this attack
g.V().
HasLabel("Identity").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "Identity").
As("i").
V(inserts...).
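Review bot: Both branches compare `runID` via `e.runtime.RunID.String()` while `cluster` is compared with `e.runtime.ClusterName` as-is, and neither side shows how the ingest writes those properties; on a typed graph schema a mismatch between the stored property type and the compared value does not error, it simply matches nothing, which would turn this edge off without any signal. A short comment stating the expected stored types, e.g. `// runID and cluster are stored as strings at ingest; both filters must use the same representation.`, plus a fixture test that asserts at least one TOKEN_BRUTEFORCE edge for a known identity would make that contract checkable. If the ingest side already guarantees string storage this is only a documentation gap. The remainder of Traversal() after `V(inserts...)` is outside the hunk.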
7 changes: 5 additions & 2 deletions pkg/kubehound/graph/edge/token_list.go
Expand Up @@ -64,7 +64,9 @@ func (e *TokenList) Traversal() types.EdgeTraversal {
if e.cfg.LargeClusterOptimizations {
// For larger clusters simply target the system:masters group to reduce redundant attack paths
g.V().
HasLabel("Identity").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "Identity").
Has("name", "system:masters").
As("i").
V(inserts...).
Expand All @@ -75,7 +77,8 @@ func (e *TokenList) Traversal() types.EdgeTraversal {
} else {
// In smaller clusters we can still show the (large set of) attack paths generated by this attack
g.V().
HasLabel("Identity").
Has("runID", e.runtime.RunID.String()).
Has("cluster", e.runtime.ClusterName).
Has("class", "Identity").
As("i").
V(inserts...).
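Review bot: The commit adds the run and cluster scope to every edge traversal but no test that would fail if the scope were dropped again, and the failure mode is silent: a seeded graph with two runIDs and an unscoped `Identity` match would quietly emit cross-run TOKEN_LIST edges. A regression test that ingests two runs into one backend and asserts that no edge in the second run reaches a vertex with the first run's `runID` would pin the fix; the edge test files are not part of this diff, so where such a test belongs cannot be seen from here. On the documentation side, the else-branch comment still describes only the path-count trade-off; appending `; scoped to this run and cluster so stale vertices are never matched` would record why the three filters exist. Traversal() continues past the end of this hunk.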

