kube_auto_analyzer 0.0.13 → 0.0.14
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: 6942a3c49b753679c8a0e5f3822792ef6ff48eb9d4e053ef912f71e27a445fa2
|
|
4
|
+
data.tar.gz: 0a7721a4baf81d4655c76d264cc2a2a62358b9f4a1129441e8c9ae3bb6d1a42a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 304c20becfe0d4b891577ff79450b6160f66d9472b572ffc64c8ea9f60854cb687e4c447e9931936a53fbc54cc307256d3b73e656334f0a8a8e2c08f017def80
|
|
7
|
+
data.tar.gz: ec5669b731a1835a6dbde5a259b2f90a6ab418152dde5778a74d2c2024fa136f7249c52a1975629c6ca9047a300dee9759b6163759c2c9fd318fc37bde7f5531
|
data/bin/kubeautoanalyzer
CHANGED
|
@@ -17,6 +17,7 @@
|
|
|
17
17
|
options.insecure = false
|
|
18
18
|
options.context = false
|
|
19
19
|
options.nosslverify = false
|
|
20
|
+
options.dump_config = false
|
|
20
21
|
|
|
21
22
|
opts = OptionParser.new do |opts|
|
|
22
23
|
opts.banner = "Kubernetes Auto Analyzer #{KubeAutoAnalyzer::VERSION}"
|
|
@@ -28,6 +29,10 @@
|
|
|
28
29
|
options.config_file = file
|
|
29
30
|
end
|
|
30
31
|
|
|
32
|
+
opts.on("-d", "--dump [DUMP]", "Dump cluster config into report") do |dump|
|
|
33
|
+
options.dump_config = true
|
|
34
|
+
end
|
|
35
|
+
|
|
31
36
|
opts.on("--context [CONTEXT]", "context to use from kubeconfig") do |context|
|
|
32
37
|
options.context = context
|
|
33
38
|
end
|
data/lib/kube_auto_analyzer.rb
CHANGED
|
@@ -2,6 +2,7 @@ module KubeAutoAnalyzer
|
|
|
2
2
|
attr_accessor :execute
|
|
3
3
|
require "kube_auto_analyzer/version"
|
|
4
4
|
require "kube_auto_analyzer/api_checks/master_node"
|
|
5
|
+
require "kube_auto_analyzer/api_checks/config_dumper"
|
|
5
6
|
require "kube_auto_analyzer/reporting"
|
|
6
7
|
require "kube_auto_analyzer/agent_checks/file_checks"
|
|
7
8
|
require "kube_auto_analyzer/agent_checks/process_checks"
|
|
@@ -117,6 +118,9 @@ module KubeAutoAnalyzer
|
|
|
117
118
|
check_kubelet_process
|
|
118
119
|
check_amicontained
|
|
119
120
|
end
|
|
121
|
+
if @options.dump_config
|
|
122
|
+
dump_config
|
|
123
|
+
end
|
|
120
124
|
if @options.html_report
|
|
121
125
|
html_report
|
|
122
126
|
end
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module KubeAutoAnalyzer
|
|
2
|
+
def self.dump_config
|
|
3
|
+
@log.debug("Entering the config dumper module")
|
|
4
|
+
target = @options.target_server
|
|
5
|
+
@log.debug("dumping the config for #{target}")
|
|
6
|
+
@results[target][:config] = Hash.new
|
|
7
|
+
pods = @client.get_pods
|
|
8
|
+
docker_images = Array.new
|
|
9
|
+
#Specific requirement here in that it's useful to know what Docker images are in use on the cluster.
|
|
10
|
+
pods.each do |pod|
|
|
11
|
+
docker_images << pod.status[:containerStatuses][0][:image]
|
|
12
|
+
end
|
|
13
|
+
@log.debug("logged #{docker_images.length} docker images")
|
|
14
|
+
@results[target][:config][:docker_images] = docker_images.uniq
|
|
15
|
+
|
|
16
|
+
@results[target][:config][:pod_info] = Array.new
|
|
17
|
+
|
|
18
|
+
#Lets record some information about each pod
|
|
19
|
+
pods.each do |pod|
|
|
20
|
+
currpod = Hash.new
|
|
21
|
+
currpod[:name] = pod.metadata[:name]
|
|
22
|
+
currpod[:namespace] = pod.metadata[:namespace]
|
|
23
|
+
currpod[:service_account] = pod.spec[:serviceAccount]
|
|
24
|
+
currpod[:host_ip] = pod[:status][:hostIP]
|
|
25
|
+
currpod[:pod_ip] = pod[:status][:podIP]
|
|
26
|
+
@results[target][:config][:pod_info] << currpod
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -259,6 +259,27 @@ module KubeAutoAnalyzer
|
|
|
259
259
|
@results[@options.target_server]['evidence'].each do |area, output|
|
|
260
260
|
@html_report_file.puts "<tr><td>#{area}</td><td>#{output}</td></tr>"
|
|
261
261
|
end
|
|
262
|
+
@html_report_file.puts "</table>"
|
|
263
|
+
|
|
264
|
+
#Only show this section if we were asked to dump the config
|
|
265
|
+
if @options.dump_config
|
|
266
|
+
@html_report_file.puts "<br><br>"
|
|
267
|
+
@html_report_file.puts "<br><br><h2>Cluster Config Information</h2>"
|
|
268
|
+
@html_report_file.puts "<table><thead><tr><th>Docker Images In Use</th></tr></thead>"
|
|
269
|
+
@results[@options.target_server][:config][:docker_images].each do |image|
|
|
270
|
+
@html_report_file.puts "<tr><td>#{image}</td></tr>"
|
|
271
|
+
end
|
|
272
|
+
@html_report_file.puts "</table>"
|
|
273
|
+
@html_report_file.puts "<br><br>"
|
|
274
|
+
@html_report_file.puts "<table><thead><tr><th>Pod Name</th><th>Namespace</th><th>Service Account</th><th>Host IP</th><th>Pod IP</th></tr></thead>"
|
|
275
|
+
@results[@options.target_server][:config][:pod_info].each do |pod|
|
|
276
|
+
@html_report_file.puts "<tr><td>#{pod[:name]}</td><td>#{pod[:namespace]}</td><td>#{pod[:service_account]}</td><td>#{pod[:host_ip]}</td><td>#{pod[:pod_ip]}</td></tr>"
|
|
277
|
+
end
|
|
278
|
+
@html_report_file.puts "</table>"
|
|
279
|
+
@html_report_file.puts "<br><br>"
|
|
280
|
+
end
|
|
281
|
+
|
|
282
|
+
|
|
262
283
|
#Close the master Node Div
|
|
263
284
|
@html_report_file.puts "</table></div>"
|
|
264
285
|
if @options.agent_checks
|
|
@@ -331,7 +352,7 @@ module KubeAutoAnalyzer
|
|
|
331
352
|
@html_report_file.puts '<br><h3>External Unauthenticated Access to the Kubelet</h3>'
|
|
332
353
|
@html_report_file.puts "<table><thead><tr><th>Node IP Address</th><th>Result</th></thead>"
|
|
333
354
|
@results[@options.target_server]['vulns']['unauth_kubelet'].each do |node, result|
|
|
334
|
-
unless (result =~ /Forbidden/ || result =~ /Not Open/)
|
|
355
|
+
unless (result =~ /Forbidden/ || result =~ /Not Open/ || result =~ /Unauthorized/)
|
|
335
356
|
output = "Vulnerable"
|
|
336
357
|
else
|
|
337
358
|
output = result
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kube_auto_analyzer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.14
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rory McCune
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-06-
|
|
11
|
+
date: 2018-06-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -67,6 +67,7 @@ files:
|
|
|
67
67
|
- lib/kube_auto_analyzer.rb
|
|
68
68
|
- lib/kube_auto_analyzer/agent_checks/file_checks.rb
|
|
69
69
|
- lib/kube_auto_analyzer/agent_checks/process_checks.rb
|
|
70
|
+
- lib/kube_auto_analyzer/api_checks/config_dumper.rb
|
|
70
71
|
- lib/kube_auto_analyzer/api_checks/master_node.rb
|
|
71
72
|
- lib/kube_auto_analyzer/data-logo.b64
|
|
72
73
|
- lib/kube_auto_analyzer/js_files/chartkick.js
|
|
@@ -99,7 +100,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
99
100
|
version: '0'
|
|
100
101
|
requirements: []
|
|
101
102
|
rubyforge_project:
|
|
102
|
-
rubygems_version: 2.
|
|
103
|
+
rubygems_version: 2.7.7
|
|
103
104
|
signing_key:
|
|
104
105
|
specification_version: 4
|
|
105
106
|
summary: A Gem which provides a script and class analyze the security of a Kubernetes
|