kube_auto_analyzer 0.0.14 → 0.0.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3821dec919c2353aae2223cc7650ddbe2c433a600f4c985423a5e3b42290ce06
|
|
4
|
+
data.tar.gz: 6252e63c3a26e503a2074990c8ad0a791634b742d898fded95311714e23ebaf6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 60780447ef3aa3769590660344d0f64fe6b8459ba5790c3b302bd929a39b5b0477e50c491cf7a7f3af8eadc5a3812718e12b0b027d1ef19df1161ce977dc7df3
|
|
7
|
+
data.tar.gz: b525c4f4862b6cedae986dce2249f9cab86dd549383a565da548c6aada26ce9424e3e9b052b4ea6e0c1240aac176a5c4c7d3293254059cd4afd48149eb88379f
|
data/bin/kubeautoanalyzer
CHANGED
|
@@ -18,6 +18,7 @@
|
|
|
18
18
|
options.context = false
|
|
19
19
|
options.nosslverify = false
|
|
20
20
|
options.dump_config = false
|
|
21
|
+
options.audit_rbac = false
|
|
21
22
|
|
|
22
23
|
opts = OptionParser.new do |opts|
|
|
23
24
|
opts.banner = "Kubernetes Auto Analyzer #{KubeAutoAnalyzer::VERSION}"
|
|
@@ -37,6 +38,10 @@
|
|
|
37
38
|
options.context = context
|
|
38
39
|
end
|
|
39
40
|
|
|
41
|
+
opts.on("--rbac", "Audit RBAC") do |rbac|
|
|
42
|
+
options.audit_rbac = true
|
|
43
|
+
end
|
|
44
|
+
|
|
40
45
|
opts.on("--nosslverify [NOVERIFY]", "disable SSL verification") do |noverify|
|
|
41
46
|
options.nosslverify = true
|
|
42
47
|
end
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
module KubeAutoAnalyzer
|
|
2
|
+
def self.audit_rbac
|
|
3
|
+
@log.debug("Entering the RBAC Auditor")
|
|
4
|
+
target = @options.target_server
|
|
5
|
+
@log.debug("Auditing RBAC on #{target}")
|
|
6
|
+
@results[target][:rbac] = Hash.new
|
|
7
|
+
cluster_roles = @rbac_client.get_cluster_roles
|
|
8
|
+
@log.debug("got #{cluster_roles.length.to_s} cluster roles")
|
|
9
|
+
cluster_role_bindings = @rbac_client.get_cluster_role_bindings
|
|
10
|
+
@log.debug("got #{cluster_role_bindings.length.to_s} cluster role bindings")
|
|
11
|
+
@results[target][:rbac][:cluster_roles] = Hash.new
|
|
12
|
+
cluster_roles.each do |role|
|
|
13
|
+
role_output = Hash.new
|
|
14
|
+
role_output[:rules] = role.rules
|
|
15
|
+
|
|
16
|
+
@log.debug("metadata in #{role.metadata[:name]} , #{role.metadata}")
|
|
17
|
+
begin
|
|
18
|
+
if role.metadata[:labels]['kubernetes.io/bootstrapping'] == "rbac-defaults"
|
|
19
|
+
role_output[:default] = true
|
|
20
|
+
else
|
|
21
|
+
role_output[:default] = false
|
|
22
|
+
end
|
|
23
|
+
rescue NoMethodError
|
|
24
|
+
#If there's no method, it can't be a default...
|
|
25
|
+
role_output[:default] = false
|
|
26
|
+
end
|
|
27
|
+
role_output[:subjects] = Array.new
|
|
28
|
+
cluster_role_bindings.each do |binding|
|
|
29
|
+
#So we're testing if the binding has any subjects and if so whether they apply to this role or not
|
|
30
|
+
if binding.subjects
|
|
31
|
+
@log.debug("#{binding.roleRef[:name]} binding has #{binding.subjects.length.to_s} bindings")
|
|
32
|
+
else
|
|
33
|
+
@log.debug("#{binding.roleRef[:name]} has no subjects")
|
|
34
|
+
end
|
|
35
|
+
@log.debug(binding.roleRef[:kind] + ", " + role.metadata[:name] + ", " + binding.roleRef[:name] + ", " + (binding.subjects ? binding.subjects.length.to_s : "0") )
|
|
36
|
+
if binding.roleRef[:kind] == "ClusterRole"
|
|
37
|
+
@log.debug("Matched the cluster role")
|
|
38
|
+
if binding.roleRef[:name] == role.metadata[:name]
|
|
39
|
+
@log.debug("matched the role name")
|
|
40
|
+
if binding.subjects
|
|
41
|
+
binding.subjects.each do |subject|
|
|
42
|
+
@log.debug("added a subject to the list")
|
|
43
|
+
role_output[:subjects] << subject
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
@results[target][:rbac][:cluster_roles][role.metadata[:name]] = role_output
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
@@ -279,6 +279,35 @@ module KubeAutoAnalyzer
|
|
|
279
279
|
@html_report_file.puts "<br><br>"
|
|
280
280
|
end
|
|
281
281
|
|
|
282
|
+
#Only show this section if we were asked to dump RBAC
|
|
283
|
+
if @options.audit_rbac
|
|
284
|
+
@html_report_file.puts "<br><br>"
|
|
285
|
+
@html_report_file.puts "<br><br><h2>Cluster Role Information</h2>"
|
|
286
|
+
@html_report_file.puts "<table><thead><tr><th>Name</th><th>Default?</th><th>Subjects</th><th>Rules</th></tr></thead>"
|
|
287
|
+
@results[@options.target_server][:rbac][:cluster_roles].each do |name, info|
|
|
288
|
+
subjects = ''
|
|
289
|
+
info[:subjects].each do |subject|
|
|
290
|
+
subjects << "#{subject[:kind]}:#{subject[:namespace]}:#{subject[:name]}<br>"
|
|
291
|
+
end
|
|
292
|
+
rules = ''
|
|
293
|
+
info[:rules].each do |rule|
|
|
294
|
+
unless rule.verbs
|
|
295
|
+
rule.verbs = Array.new
|
|
296
|
+
end
|
|
297
|
+
unless rule.apiGroups
|
|
298
|
+
rule.apiGroups = Array.new
|
|
299
|
+
end
|
|
300
|
+
unless rule.resources
|
|
301
|
+
rule.resources = Array.new
|
|
302
|
+
end
|
|
303
|
+
rules << "Verbs : #{rule.verbs.join(', ')}<br>API Groups : #{rule.apiGroups.join(', ')}<br>Resources : #{rule.resources.join(', ')}<br><hr>"
|
|
304
|
+
end
|
|
305
|
+
@html_report_file.puts "<tr><td>#{name}</td><td>#{info[:default]}</td><td>#{subjects}</td><td>#{rules}</td></tr>"
|
|
306
|
+
end
|
|
307
|
+
@html_report_file.puts "</table>"
|
|
308
|
+
@html_report_file.puts "<br><br>"
|
|
309
|
+
end
|
|
310
|
+
|
|
282
311
|
|
|
283
312
|
#Close the master Node Div
|
|
284
313
|
@html_report_file.puts "</table></div>"
|
data/lib/kube_auto_analyzer.rb
CHANGED
|
@@ -3,6 +3,7 @@ module KubeAutoAnalyzer
|
|
|
3
3
|
require "kube_auto_analyzer/version"
|
|
4
4
|
require "kube_auto_analyzer/api_checks/master_node"
|
|
5
5
|
require "kube_auto_analyzer/api_checks/config_dumper"
|
|
6
|
+
require "kube_auto_analyzer/api_checks/rbac_auditor"
|
|
6
7
|
require "kube_auto_analyzer/reporting"
|
|
7
8
|
require "kube_auto_analyzer/agent_checks/file_checks"
|
|
8
9
|
require "kube_auto_analyzer/agent_checks/process_checks"
|
|
@@ -58,6 +59,7 @@ module KubeAutoAnalyzer
|
|
|
58
59
|
end
|
|
59
60
|
@results[@options.target_server] = Hash.new
|
|
60
61
|
@client = Kubeclient::Client.new @options.target_server, 'v1', auth_options: auth_options, ssl_options: ssl_options
|
|
62
|
+
@rbac_client = Kubeclient::Client.new @options.target_server + '/apis/rbac.authorization.k8s.io', 'v1', auth_options: auth_options, ssl_options: ssl_options
|
|
61
63
|
else
|
|
62
64
|
begin
|
|
63
65
|
config = Kubeclient::Config.read(@options.config_file)
|
|
@@ -79,6 +81,14 @@ module KubeAutoAnalyzer
|
|
|
79
81
|
auth_options: context.auth_options
|
|
80
82
|
}
|
|
81
83
|
)
|
|
84
|
+
@rbac_client = Kubeclient::Client.new(
|
|
85
|
+
context.api_endpoint + '/apis/rbac.authorization.k8s.io',
|
|
86
|
+
context.api_version,
|
|
87
|
+
{
|
|
88
|
+
ssl_options: {client_cert: context.ssl_options[:client_cert], client_key: context.ssl_options[:client_key],verify_ssl: OpenSSL::SSL::VERIFY_NONE},
|
|
89
|
+
auth_options: context.auth_options
|
|
90
|
+
}
|
|
91
|
+
)
|
|
82
92
|
else
|
|
83
93
|
@client = Kubeclient::Client.new(
|
|
84
94
|
context.api_endpoint,
|
|
@@ -88,6 +98,14 @@ module KubeAutoAnalyzer
|
|
|
88
98
|
auth_options: context.auth_options
|
|
89
99
|
}
|
|
90
100
|
)
|
|
101
|
+
@rbac_client = Kubeclient::Client.new(
|
|
102
|
+
context.api_endpoint + '/apis/rbac.authorization.k8s.io',
|
|
103
|
+
context.api_version,
|
|
104
|
+
{
|
|
105
|
+
ssl_options: context.ssl_options,
|
|
106
|
+
auth_options: context.auth_options
|
|
107
|
+
}
|
|
108
|
+
)
|
|
91
109
|
end
|
|
92
110
|
#We didn't specify the target on the command line so lets get it from the config file
|
|
93
111
|
@options.target_server = context.api_endpoint
|
|
@@ -121,6 +139,9 @@ module KubeAutoAnalyzer
|
|
|
121
139
|
if @options.dump_config
|
|
122
140
|
dump_config
|
|
123
141
|
end
|
|
142
|
+
if @options.audit_rbac
|
|
143
|
+
audit_rbac
|
|
144
|
+
end
|
|
124
145
|
if @options.html_report
|
|
125
146
|
html_report
|
|
126
147
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kube_auto_analyzer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.15
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rory McCune
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-06-
|
|
11
|
+
date: 2018-06-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -69,6 +69,7 @@ files:
|
|
|
69
69
|
- lib/kube_auto_analyzer/agent_checks/process_checks.rb
|
|
70
70
|
- lib/kube_auto_analyzer/api_checks/config_dumper.rb
|
|
71
71
|
- lib/kube_auto_analyzer/api_checks/master_node.rb
|
|
72
|
+
- lib/kube_auto_analyzer/api_checks/rbac_auditor.rb
|
|
72
73
|
- lib/kube_auto_analyzer/data-logo.b64
|
|
73
74
|
- lib/kube_auto_analyzer/js_files/chartkick.js
|
|
74
75
|
- lib/kube_auto_analyzer/js_files/highcharts.js
|