kube-chainsaw¶
Graph-level RBAC analysis for Kubernetes manifests
Demo¶
How It Works¶
kube-chainsaw analyzes Kubernetes RBAC manifests by building a directed graph of permissions and traversing privilege escalation paths.
graph LR
subgraph Input
A[YAML Manifests]
end
subgraph "kube-chainsaw"
B[Loader] --> C[Graph Builder]
C --> D[15 Detection Rules]
D --> E[Severity Engine]
end
subgraph Output
F[Console]
G[JSON]
H[SARIF 2.1.0]
end
A --> B
E --> F
E --> G
E --> H
Pipeline:
- Loader parses YAML manifests (ClusterRoles, Roles, Bindings, ServiceAccounts, Pods, Deployments, Jobs)
- Graph Builder maps SA -> Binding -> Role -> verb/resource permission chains
- 15 Detection Rules (KC-001 through KC-015) identify dangerous patterns, wildcards, escalation paths
- Severity Engine adjusts severity based on binding scope (cluster-wide vs namespace-scoped vs unbound)
Quick Example¶
Given a Kubernetes operator with overly permissive RBAC:
# roles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: my-operator-role
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "update"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterrolebindings"]
verbs: ["create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: my-operator-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: my-operator-role
subjects:
- kind: ServiceAccount
name: my-operator-sa
namespace: default
Run kube-chainsaw:
=== HIGH ===
[KC-006] Secrets access
File: config/roles.yaml
Resource: ClusterRole/my-operator-role
Description: Role "my-operator-role" grants access to dangerous resource "secrets"
Remediation: Restrict secrets access to specific namespaces and only the verbs needed
[KC-010] RBAC modification capability
File: config/roles.yaml
Resource: ClusterRole/my-operator-role
Description: Role "my-operator-role" grants access to dangerous resource "clusterrolebindings"
Remediation: Limit RBAC modification to dedicated admin roles with proper audit
[KC-011] Privilege escalation via role/binding modification
File: config/roles.yaml
Resource: ClusterRole/my-operator-role
Description: Role "my-operator-role" can create/modify roles or bindings (privilege escalation risk)
Remediation: Restrict ability to create/modify roles and bindings to admin users only
Total: 3 findings [3 HIGH]
Generate SARIF for GitHub Code Scanning:
Comparison¶
| Tool | Static Analysis | Graph Traversal | Privilege Chains | Workload Analysis |
|---|---|---|---|---|
| kube-chainsaw | ||||
| kube-linter | ||||
| KubiScan | ||||
| rbac-tool | ||||
| kubectl-who-can |
kube-chainsaw is the only tool that performs static graph traversal on YAML manifests to detect privilege escalation chains before deployment. No live cluster required.
Features¶
-
Graph Traversal
Builds SA -> Binding -> Role -> verb/resource permission graphs. Detects multi-hop privilege escalation paths that flat rule-based linters miss.
-
Static Analysis
Analyzes manifests before deployment. No runtime access required. Works in CI pipelines and local development.
-
SARIF Output
Native SARIF 2.1.0 for GitHub Code Scanning, GitLab SAST, and other security platforms. Includes fingerprints for deduplication.
-
CI-First Design
Exit codes, machine-readable output, and suppression files designed for automated security gates in CI/CD pipelines.
What Gets Detected¶
15 detection rules covering:
| Category | Rules | Examples |
|---|---|---|
| Wildcard permissions | KC-001, KC-002 | resources: ["*"], verbs: ["*"] |
| Dangerous verbs | KC-003, KC-004, KC-005 | escalate, impersonate, bind |
| Sensitive resources | KC-006 to KC-010 | secrets, pods/exec, nodes, PVs, clusterrolebindings |
| Escalation combos | KC-011, KC-012 | create/patch on roles/bindings, workload creation |
| Privilege chains | KC-013, KC-014 | cluster-admin pods, RoleBinding->ClusterRole |
| Aggregation | KC-015 | aggregated ClusterRoles |
See Detection Rules for the full reference with YAML examples.
