kube_auto_analyzer 0.0.14 → 0.0.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 6942a3c49b753679c8a0e5f3822792ef6ff48eb9d4e053ef912f71e27a445fa2
4
- data.tar.gz: 0a7721a4baf81d4655c76d264cc2a2a62358b9f4a1129441e8c9ae3bb6d1a42a
3
+ metadata.gz: 3821dec919c2353aae2223cc7650ddbe2c433a600f4c985423a5e3b42290ce06
4
+ data.tar.gz: 6252e63c3a26e503a2074990c8ad0a791634b742d898fded95311714e23ebaf6
5
5
  SHA512:
6
- metadata.gz: 304c20becfe0d4b891577ff79450b6160f66d9472b572ffc64c8ea9f60854cb687e4c447e9931936a53fbc54cc307256d3b73e656334f0a8a8e2c08f017def80
7
- data.tar.gz: ec5669b731a1835a6dbde5a259b2f90a6ab418152dde5778a74d2c2024fa136f7249c52a1975629c6ca9047a300dee9759b6163759c2c9fd318fc37bde7f5531
6
+ metadata.gz: 60780447ef3aa3769590660344d0f64fe6b8459ba5790c3b302bd929a39b5b0477e50c491cf7a7f3af8eadc5a3812718e12b0b027d1ef19df1161ce977dc7df3
7
+ data.tar.gz: b525c4f4862b6cedae986dce2249f9cab86dd549383a565da548c6aada26ce9424e3e9b052b4ea6e0c1240aac176a5c4c7d3293254059cd4afd48149eb88379f
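--- a/data/bin/kubeautoanalyzer
+++ b/data/bin/kubeautoanalyzer
@@ -18,6 +18,7 @@
 options.context = false
 options.nosslverify = false
 options.dump_config = false
+options.audit_rbac = false
 
 opts = OptionParser.new do |opts|
 opts.banner = "Kubernetes Auto Analyzer #{KubeAutoAnalyzer::VERSION}"
@@ -37,6 +38,10 @@
 options.context = context
 end
 
+opts.on("--rbac", "Audit RBAC") do |rbac|
+options.audit_rbac = true
+end
+
 opts.on("--nosslverify [NOVERIFY]", "disable SSL verification") do |noverify|
 options.nosslverify = true
 end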
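Review bot: The block parameter `rbac` on the new `opts.on("--rbac", "Audit RBAC")` is never used; the switch takes no argument, so OptionParser only ever passes `true`, and `opts.on("--rbac", "Audit RBAC") { options.audit_rbac = true }` says that plainly. The help text could also tell the user what the audit reads, e.g. `"Audit RBAC (lists cluster roles with their bindings and rules; needs list access to clusterroles and clusterrolebindings)"`, since a permission error on those list calls is the first thing someone running it under a restricted account will hit.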
@@ -0,0 +1,52 @@
1
+ module KubeAutoAnalyzer
2
+ def self.audit_rbac
3
+ @log.debug("Entering the RBAC Auditor")
4
+ target = @options.target_server
5
+ @log.debug("Auditing RBAC on #{target}")
6
+ @results[target][:rbac] = Hash.new
7
+ cluster_roles = @rbac_client.get_cluster_roles
8
+ @log.debug("got #{cluster_roles.length.to_s} cluster roles")
9
+ cluster_role_bindings = @rbac_client.get_cluster_role_bindings
10
+ @log.debug("got #{cluster_role_bindings.length.to_s} cluster role bindings")
11
+ @results[target][:rbac][:cluster_roles] = Hash.new
12
+ cluster_roles.each do |role|
13
+ role_output = Hash.new
14
+ role_output[:rules] = role.rules
15
+
16
+ @log.debug("metadata in #{role.metadata[:name]} , #{role.metadata}")
17
+ begin
18
+ if role.metadata[:labels]['kubernetes.io/bootstrapping'] == "rbac-defaults"
19
+ role_output[:default] = true
20
+ else
21
+ role_output[:default] = false
22
+ end
23
+ rescue NoMethodError
24
+ #If there's no method, it can't be a default...
25
+ role_output[:default] = false
26
+ end
27
+ role_output[:subjects] = Array.new
28
+ cluster_role_bindings.each do |binding|
29
+ #So we're testing if the binding has any subjects and if so whether they apply to this role or not
30
+ if binding.subjects
31
+ @log.debug("#{binding.roleRef[:name]} binding has #{binding.subjects.length.to_s} bindings")
32
+ else
33
+ @log.debug("#{binding.roleRef[:name]} has no subjects")
34
+ end
35
+ @log.debug(binding.roleRef[:kind] + ", " + role.metadata[:name] + ", " + binding.roleRef[:name] + ", " + (binding.subjects ? binding.subjects.length.to_s : "0") )
36
+ if binding.roleRef[:kind] == "ClusterRole"
37
+ @log.debug("Matched the cluster role")
38
+ if binding.roleRef[:name] == role.metadata[:name]
39
+ @log.debug("matched the role name")
40
+ if binding.subjects
41
+ binding.subjects.each do |subject|
42
+ @log.debug("added a subject to the list")
43
+ role_output[:subjects] << subject
44
+ end
45
+ end
46
+ end
47
+ end
48
+ end
49
+ @results[target][:rbac][:cluster_roles][role.metadata[:name]] = role_output
50
+ end
51
+ end
52
+ end
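Review bot: The subjects recorded for each cluster role are collected only from `get_cluster_role_bindings`, so a RoleBinding whose `roleRef` points at a ClusterRole (the usual way a cluster role is granted inside a single namespace) is never counted and the report understates who actually holds the role; kubeclient should expose `get_role_bindings` on the same group client (verify), so either include those, tagged with their namespace, or state in the report that only cluster-wide bindings are shown. `role_output[:rules] = role.rules` stores nil for a role that grants nothing (the API serialises `rules` as null rather than omitting it) and the reporting code later iterates that value; `role.rules || []` avoids it. The `rescue NoMethodError` around the label check also swallows any unrelated NoMethodError raised inside that `begin`; a safe-navigation lookup, `role_output[:default] = (role.metadata[:labels]&.[]('kubernetes.io/bootstrapping') == "rbac-defaults")`, removes the need for the rescue. The inner loop rescans, and debug-logs, every binding for every role, which is quadratic in cluster size; indexing the bindings by referenced role name once keeps it linear, as sketched below.
```ruby
def self.audit_rbac
  # … unchanged: debug logging, target lookup, @results initialisation, fetching cluster_roles and cluster_role_bindings …
  # Index the bindings by the ClusterRole they reference once, instead of
  # rescanning (and debug-logging) every binding for every role.
  bindings_by_role = cluster_role_bindings
                     .select { |b| b.roleRef[:kind] == "ClusterRole" }
                     .group_by { |b| b.roleRef[:name] }
  cluster_roles.each do |role|
    name = role.metadata[:name]
    role_output = {}
    role_output[:rules] = role.rules || []   # null from the API when the role grants nothing
    role_output[:default] = (role.metadata[:labels]&.[]('kubernetes.io/bootstrapping') == "rbac-defaults")
    role_output[:subjects] = Array(bindings_by_role[name]).flat_map { |b| Array(b.subjects) }
    @results[target][:rbac][:cluster_roles][name] = role_output
  end
end
```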
@@ -279,6 +279,35 @@ module KubeAutoAnalyzer
279
279
  @html_report_file.puts "<br><br>"
280
280
  end
281
281
 
282
+ #Only show this section if we were asked to dump RBAC
283
+ if @options.audit_rbac
284
+ @html_report_file.puts "<br><br>"
285
+ @html_report_file.puts "<br><br><h2>Cluster Role Information</h2>"
286
+ @html_report_file.puts "<table><thead><tr><th>Name</th><th>Default?</th><th>Subjects</th><th>Rules</th></tr></thead>"
287
+ @results[@options.target_server][:rbac][:cluster_roles].each do |name, info|
288
+ subjects = ''
289
+ info[:subjects].each do |subject|
290
+ subjects << "#{subject[:kind]}:#{subject[:namespace]}:#{subject[:name]}<br>"
291
+ end
292
+ rules = ''
293
+ info[:rules].each do |rule|
294
+ unless rule.verbs
295
+ rule.verbs = Array.new
296
+ end
297
+ unless rule.apiGroups
298
+ rule.apiGroups = Array.new
299
+ end
300
+ unless rule.resources
301
+ rule.resources = Array.new
302
+ end
303
+ rules << "Verbs : #{rule.verbs.join(', ')}<br>API Groups : #{rule.apiGroups.join(', ')}<br>Resources : #{rule.resources.join(', ')}<br><hr>"
304
+ end
305
+ @html_report_file.puts "<tr><td>#{name}</td><td>#{info[:default]}</td><td>#{subjects}</td><td>#{rules}</td></tr>"
306
+ end
307
+ @html_report_file.puts "</table>"
308
+ @html_report_file.puts "<br><br>"
309
+ end
310
+
282
311
 
283
312
  #Close the master Node Div
284
313
  @html_report_file.puts "</table></div>"
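Review bot: Role names, subject names and rule strings are interpolated into the HTML report unescaped at the `subjects <<`, `rules <<` and `<tr>` lines; `User` and `Group` subject names come from the authenticator and rule verbs/resources are free-form strings, so any markup they carry is rendered live when the report is opened. Passing each value through `CGI.escapeHTML` (stdlib `cgi`; add the `require` at the top of the file if it is not already loaded) closes that, as sketched below. Two smaller gaps in the same block: `info[:rules]` can be nil for a role that grants nothing (the API serialises `rules` as null), so the `.each` on it raises, and a rule's `resourceNames` and `nonResourceURLs` are not shown at all, so a rule restricted to named objects reads broader than it is and one granting only non-resource paths reads as empty — worth appending both to the rule text. The enclosing method (presumably `html_report`) starts and ends outside the hunk.
```ruby
#Only show this section if we were asked to dump RBAC
if @options.audit_rbac
  esc = ->(v) { CGI.escapeHTML(v.to_s) }   # needs `require 'cgi'` at the top of the file
  # … unchanged: section heading and table header …
  @results[@options.target_server][:rbac][:cluster_roles].each do |name, info|
    subjects = info[:subjects].map { |s| "#{esc.call(s[:kind])}:#{esc.call(s[:namespace])}:#{esc.call(s[:name])}<br>" }.join
    rules = Array(info[:rules]).map do |rule|
      "Verbs : #{esc.call(Array(rule.verbs).join(', '))}<br>" \
      "API Groups : #{esc.call(Array(rule.apiGroups).join(', '))}<br>" \
      "Resources : #{esc.call(Array(rule.resources).join(', '))}<br><hr>"
    end.join
    @html_report_file.puts "<tr><td>#{esc.call(name)}</td><td>#{info[:default]}</td><td>#{subjects}</td><td>#{rules}</td></tr>"
  end
  # … unchanged: table close and trailing line breaks …
end
```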
@@ -1,3 +1,3 @@
1
1
  module KubeAutoAnalyzer
2
- VERSION = "0.0.14"
2
+ VERSION = "0.0.15"
3
3
  end
@@ -3,6 +3,7 @@ module KubeAutoAnalyzer
3
3
  require "kube_auto_analyzer/version"
4
4
  require "kube_auto_analyzer/api_checks/master_node"
5
5
  require "kube_auto_analyzer/api_checks/config_dumper"
6
+ require "kube_auto_analyzer/api_checks/rbac_auditor"
6
7
  require "kube_auto_analyzer/reporting"
7
8
  require "kube_auto_analyzer/agent_checks/file_checks"
8
9
  require "kube_auto_analyzer/agent_checks/process_checks"
@@ -58,6 +59,7 @@ module KubeAutoAnalyzer
58
59
  end
59
60
  @results[@options.target_server] = Hash.new
60
61
  @client = Kubeclient::Client.new @options.target_server, 'v1', auth_options: auth_options, ssl_options: ssl_options
62
+ @rbac_client = Kubeclient::Client.new @options.target_server + '/apis/rbac.authorization.k8s.io', 'v1', auth_options: auth_options, ssl_options: ssl_options
61
63
  else
62
64
  begin
63
65
  config = Kubeclient::Config.read(@options.config_file)
@@ -79,6 +81,14 @@ module KubeAutoAnalyzer
79
81
  auth_options: context.auth_options
80
82
  }
81
83
  )
84
+ @rbac_client = Kubeclient::Client.new(
85
+ context.api_endpoint + '/apis/rbac.authorization.k8s.io',
86
+ context.api_version,
87
+ {
88
+ ssl_options: {client_cert: context.ssl_options[:client_cert], client_key: context.ssl_options[:client_key],verify_ssl: OpenSSL::SSL::VERIFY_NONE},
89
+ auth_options: context.auth_options
90
+ }
91
+ )
82
92
  else
83
93
  @client = Kubeclient::Client.new(
84
94
  context.api_endpoint,
@@ -88,6 +98,14 @@ module KubeAutoAnalyzer
88
98
  auth_options: context.auth_options
89
99
  }
90
100
  )
101
+ @rbac_client = Kubeclient::Client.new(
102
+ context.api_endpoint + '/apis/rbac.authorization.k8s.io',
103
+ context.api_version,
104
+ {
105
+ ssl_options: context.ssl_options,
106
+ auth_options: context.auth_options
107
+ }
108
+ )
91
109
  end
92
110
  #We didn't specify the target on the command line so lets get it from the config file
93
111
  @options.target_server = context.api_endpoint
@@ -121,6 +139,9 @@ module KubeAutoAnalyzer
121
139
  if @options.dump_config
122
140
  dump_config
123
141
  end
142
+ if @options.audit_rbac
143
+ audit_rbac
144
+ end
124
145
  if @options.html_report
125
146
  html_report
126
147
  end
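Review bot: The RBAC client is assembled three times — in the target-server branch and in both kubeconfig branches — by copying the core client's endpoint, version, ssl and auth arguments, so the two clients can silently drift; the two kubeconfig branches already differ in whether `verify_ssl: OpenSSL::SSL::VERIFY_NONE` is set, which I take to mirror the `@client` built just above each of them under the same condition. A small helper that derives the group client from the arguments the core client was given keeps them in lockstep, and it is the natural place to make the path join tolerate a trailing slash on `target_server` / `api_endpoint`, which the bare `+ '/apis/rbac.authorization.k8s.io'` does not. The `if @options.audit_rbac … end` dispatch in the last hunk reads better in modifier form, `audit_rbac if @options.audit_rbac`. The enclosing method starts and ends outside these hunks.
```ruby
# Client for the rbac.authorization.k8s.io group on the same server, built from
# exactly the arguments the core client was given so the two cannot drift.
def self.rbac_client_for(base_url, version, ssl_options:, auth_options:)
  Kubeclient::Client.new("#{base_url.chomp('/')}/apis/rbac.authorization.k8s.io", version,
                         ssl_options: ssl_options, auth_options: auth_options)
end

# … at each of the three construction sites, e.g. the target-server branch …
@rbac_client = rbac_client_for(@options.target_server, 'v1',
                               ssl_options: ssl_options, auth_options: auth_options)
```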
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: kube_auto_analyzer
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.14
4
+ version: 0.0.15
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rory McCune
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-06-12 00:00:00.000000000 Z
11
+ date: 2018-06-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -69,6 +69,7 @@ files:
69
69
  - lib/kube_auto_analyzer/agent_checks/process_checks.rb
70
70
  - lib/kube_auto_analyzer/api_checks/config_dumper.rb
71
71
  - lib/kube_auto_analyzer/api_checks/master_node.rb
72
+ - lib/kube_auto_analyzer/api_checks/rbac_auditor.rb
72
73
  - lib/kube_auto_analyzer/data-logo.b64
73
74
  - lib/kube_auto_analyzer/js_files/chartkick.js
74
75
  - lib/kube_auto_analyzer/js_files/highcharts.js