kube_auto_analyzer 0.0.13 → 0.0.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 6942a3c49b753679c8a0e5f3822792ef6ff48eb9d4e053ef912f71e27a445fa2
|
|
4
|
+
data.tar.gz: 0a7721a4baf81d4655c76d264cc2a2a62358b9f4a1129441e8c9ae3bb6d1a42a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 304c20becfe0d4b891577ff79450b6160f66d9472b572ffc64c8ea9f60854cb687e4c447e9931936a53fbc54cc307256d3b73e656334f0a8a8e2c08f017def80
|
|
7
|
+
data.tar.gz: ec5669b731a1835a6dbde5a259b2f90a6ab418152dde5778a74d2c2024fa136f7249c52a1975629c6ca9047a300dee9759b6163759c2c9fd318fc37bde7f5531
|
data/bin/kubeautoanalyzer
CHANGED
|
@@ -17,6 +17,7 @@
|
|
|
17
17
|
options.insecure = false
|
|
18
18
|
options.context = false
|
|
19
19
|
options.nosslverify = false
|
|
20
|
+
options.dump_config = false
|
|
20
21
|
|
|
21
22
|
opts = OptionParser.new do |opts|
|
|
22
23
|
opts.banner = "Kubernetes Auto Analyzer #{KubeAutoAnalyzer::VERSION}"
|
|
@@ -28,6 +29,10 @@
|
|
|
28
29
|
options.config_file = file
|
|
29
30
|
end
|
|
30
31
|
|
|
32
|
+
opts.on("-d", "--dump [DUMP]", "Dump cluster config into report") do |dump|
|
|
33
|
+
options.dump_config = true
|
|
34
|
+
end
|
|
35
|
+
|
|
31
36
|
opts.on("--context [CONTEXT]", "context to use from kubeconfig") do |context|
|
|
32
37
|
options.context = context
|
|
33
38
|
end
|
data/lib/kube_auto_analyzer.rb
CHANGED
|
@@ -2,6 +2,7 @@ module KubeAutoAnalyzer
|
|
|
2
2
|
attr_accessor :execute
|
|
3
3
|
require "kube_auto_analyzer/version"
|
|
4
4
|
require "kube_auto_analyzer/api_checks/master_node"
|
|
5
|
+
require "kube_auto_analyzer/api_checks/config_dumper"
|
|
5
6
|
require "kube_auto_analyzer/reporting"
|
|
6
7
|
require "kube_auto_analyzer/agent_checks/file_checks"
|
|
7
8
|
require "kube_auto_analyzer/agent_checks/process_checks"
|
|
@@ -117,6 +118,9 @@ module KubeAutoAnalyzer
|
|
|
117
118
|
check_kubelet_process
|
|
118
119
|
check_amicontained
|
|
119
120
|
end
|
|
121
|
+
if @options.dump_config
|
|
122
|
+
dump_config
|
|
123
|
+
end
|
|
120
124
|
if @options.html_report
|
|
121
125
|
html_report
|
|
122
126
|
end
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module KubeAutoAnalyzer
|
|
2
|
+
def self.dump_config
|
|
3
|
+
@log.debug("Entering the config dumper module")
|
|
4
|
+
target = @options.target_server
|
|
5
|
+
@log.debug("dumping the config for #{target}")
|
|
6
|
+
@results[target][:config] = Hash.new
|
|
7
|
+
pods = @client.get_pods
|
|
8
|
+
docker_images = Array.new
|
|
9
|
+
#Specific requirement here in that it's useful to know what Docker images are in use on the cluster.
|
|
10
|
+
pods.each do |pod|
|
|
11
|
+
docker_images << pod.status[:containerStatuses][0][:image]
|
|
12
|
+
end
|
|
13
|
+
@log.debug("logged #{docker_images.length} docker images")
|
|
14
|
+
@results[target][:config][:docker_images] = docker_images.uniq
|
|
15
|
+
|
|
16
|
+
@results[target][:config][:pod_info] = Array.new
|
|
17
|
+
|
|
18
|
+
#Lets record some information about each pod
|
|
19
|
+
pods.each do |pod|
|
|
20
|
+
currpod = Hash.new
|
|
21
|
+
currpod[:name] = pod.metadata[:name]
|
|
22
|
+
currpod[:namespace] = pod.metadata[:namespace]
|
|
23
|
+
currpod[:service_account] = pod.spec[:serviceAccount]
|
|
24
|
+
currpod[:host_ip] = pod[:status][:hostIP]
|
|
25
|
+
currpod[:pod_ip] = pod[:status][:podIP]
|
|
26
|
+
@results[target][:config][:pod_info] << currpod
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -259,6 +259,27 @@ module KubeAutoAnalyzer
|
|
|
259
259
|
@results[@options.target_server]['evidence'].each do |area, output|
|
|
260
260
|
@html_report_file.puts "<tr><td>#{area}</td><td>#{output}</td></tr>"
|
|
261
261
|
end
|
|
262
|
+
@html_report_file.puts "</table>"
|
|
263
|
+
|
|
264
|
+
#Only show this section if we were asked to dump the config
|
|
265
|
+
if @options.dump_config
|
|
266
|
+
@html_report_file.puts "<br><br>"
|
|
267
|
+
@html_report_file.puts "<br><br><h2>Cluster Config Information</h2>"
|
|
268
|
+
@html_report_file.puts "<table><thead><tr><th>Docker Images In Use</th></tr></thead>"
|
|
269
|
+
@results[@options.target_server][:config][:docker_images].each do |image|
|
|
270
|
+
@html_report_file.puts "<tr><td>#{image}</td></tr>"
|
|
271
|
+
end
|
|
272
|
+
@html_report_file.puts "</table>"
|
|
273
|
+
@html_report_file.puts "<br><br>"
|
|
274
|
+
@html_report_file.puts "<table><thead><tr><th>Pod Name</th><th>Namespace</th><th>Service Account</th><th>Host IP</th><th>Pod IP</th></tr></thead>"
|
|
275
|
+
@results[@options.target_server][:config][:pod_info].each do |pod|
|
|
276
|
+
@html_report_file.puts "<tr><td>#{pod[:name]}</td><td>#{pod[:namespace]}</td><td>#{pod[:service_account]}</td><td>#{pod[:host_ip]}</td><td>#{pod[:pod_ip]}</td></tr>"
|
|
277
|
+
end
|
|
278
|
+
@html_report_file.puts "</table>"
|
|
279
|
+
@html_report_file.puts "<br><br>"
|
|
280
|
+
end
|
|
281
|
+
|
|
282
|
+
|
|
262
283
|
#Close the master Node Div
|
|
263
284
|
@html_report_file.puts "</table></div>"
|
|
264
285
|
if @options.agent_checks
|
|
@@ -331,7 +352,7 @@ module KubeAutoAnalyzer
|
|
|
331
352
|
@html_report_file.puts '<br><h3>External Unauthenticated Access to the Kubelet</h3>'
|
|
332
353
|
@html_report_file.puts "<table><thead><tr><th>Node IP Address</th><th>Result</th></thead>"
|
|
333
354
|
@results[@options.target_server]['vulns']['unauth_kubelet'].each do |node, result|
|
|
334
|
-
unless (result =~ /Forbidden/ || result =~ /Not Open/)
|
|
355
|
+
unless (result =~ /Forbidden/ || result =~ /Not Open/ || result =~ /Unauthorized/)
|
|
335
356
|
output = "Vulnerable"
|
|
336
357
|
else
|
|
337
358
|
output = result
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kube_auto_analyzer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.14
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rory McCune
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-06-
|
|
11
|
+
date: 2018-06-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -67,6 +67,7 @@ files:
|
|
|
67
67
|
- lib/kube_auto_analyzer.rb
|
|
68
68
|
- lib/kube_auto_analyzer/agent_checks/file_checks.rb
|
|
69
69
|
- lib/kube_auto_analyzer/agent_checks/process_checks.rb
|
|
70
|
+
- lib/kube_auto_analyzer/api_checks/config_dumper.rb
|
|
70
71
|
- lib/kube_auto_analyzer/api_checks/master_node.rb
|
|
71
72
|
- lib/kube_auto_analyzer/data-logo.b64
|
|
72
73
|
- lib/kube_auto_analyzer/js_files/chartkick.js
|
|
@@ -99,7 +100,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
99
100
|
version: '0'
|
|
100
101
|
requirements: []
|
|
101
102
|
rubyforge_project:
|
|
102
|
-
rubygems_version: 2.
|
|
103
|
+
rubygems_version: 2.7.7
|
|
103
104
|
signing_key:
|
|
104
105
|
specification_version: 4
|
|
105
106
|
summary: A Gem which provides a script and class analyze the security of a Kubernetes
|