kube_auto_analyzer 0.0.14 → 0.0.15
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3821dec919c2353aae2223cc7650ddbe2c433a600f4c985423a5e3b42290ce06
|
|
4
|
+
data.tar.gz: 6252e63c3a26e503a2074990c8ad0a791634b742d898fded95311714e23ebaf6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 60780447ef3aa3769590660344d0f64fe6b8459ba5790c3b302bd929a39b5b0477e50c491cf7a7f3af8eadc5a3812718e12b0b027d1ef19df1161ce977dc7df3
|
|
7
|
+
data.tar.gz: b525c4f4862b6cedae986dce2249f9cab86dd549383a565da548c6aada26ce9424e3e9b052b4ea6e0c1240aac176a5c4c7d3293254059cd4afd48149eb88379f
|
data/bin/kubeautoanalyzer
CHANGED
|
@@ -18,6 +18,7 @@
|
|
|
18
18
|
options.context = false
|
|
19
19
|
options.nosslverify = false
|
|
20
20
|
options.dump_config = false
|
|
21
|
+
options.audit_rbac = false
|
|
21
22
|
|
|
22
23
|
opts = OptionParser.new do |opts|
|
|
23
24
|
opts.banner = "Kubernetes Auto Analyzer #{KubeAutoAnalyzer::VERSION}"
|
|
@@ -37,6 +38,10 @@
|
|
|
37
38
|
options.context = context
|
|
38
39
|
end
|
|
39
40
|
|
|
41
|
+
opts.on("--rbac", "Audit RBAC") do |rbac|
|
|
42
|
+
options.audit_rbac = true
|
|
43
|
+
end
|
|
44
|
+
|
|
40
45
|
opts.on("--nosslverify [NOVERIFY]", "disable SSL verification") do |noverify|
|
|
41
46
|
options.nosslverify = true
|
|
42
47
|
end
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
module KubeAutoAnalyzer
|
|
2
|
+
def self.audit_rbac
|
|
3
|
+
@log.debug("Entering the RBAC Auditor")
|
|
4
|
+
target = @options.target_server
|
|
5
|
+
@log.debug("Auditing RBAC on #{target}")
|
|
6
|
+
@results[target][:rbac] = Hash.new
|
|
7
|
+
cluster_roles = @rbac_client.get_cluster_roles
|
|
8
|
+
@log.debug("got #{cluster_roles.length.to_s} cluster roles")
|
|
9
|
+
cluster_role_bindings = @rbac_client.get_cluster_role_bindings
|
|
10
|
+
@log.debug("got #{cluster_role_bindings.length.to_s} cluster role bindings")
|
|
11
|
+
@results[target][:rbac][:cluster_roles] = Hash.new
|
|
12
|
+
cluster_roles.each do |role|
|
|
13
|
+
role_output = Hash.new
|
|
14
|
+
role_output[:rules] = role.rules
|
|
15
|
+
|
|
16
|
+
@log.debug("metadata in #{role.metadata[:name]} , #{role.metadata}")
|
|
17
|
+
begin
|
|
18
|
+
if role.metadata[:labels]['kubernetes.io/bootstrapping'] == "rbac-defaults"
|
|
19
|
+
role_output[:default] = true
|
|
20
|
+
else
|
|
21
|
+
role_output[:default] = false
|
|
22
|
+
end
|
|
23
|
+
rescue NoMethodError
|
|
24
|
+
#If there's no method, it can't be a default...
|
|
25
|
+
role_output[:default] = false
|
|
26
|
+
end
|
|
27
|
+
role_output[:subjects] = Array.new
|
|
28
|
+
cluster_role_bindings.each do |binding|
|
|
29
|
+
#So we're testing if the binding has any subjects and if so whether they apply to this role or not
|
|
30
|
+
if binding.subjects
|
|
31
|
+
@log.debug("#{binding.roleRef[:name]} binding has #{binding.subjects.length.to_s} bindings")
|
|
32
|
+
else
|
|
33
|
+
@log.debug("#{binding.roleRef[:name]} has no subjects")
|
|
34
|
+
end
|
|
35
|
+
@log.debug(binding.roleRef[:kind] + ", " + role.metadata[:name] + ", " + binding.roleRef[:name] + ", " + (binding.subjects ? binding.subjects.length.to_s : "0") )
|
|
36
|
+
if binding.roleRef[:kind] == "ClusterRole"
|
|
37
|
+
@log.debug("Matched the cluster role")
|
|
38
|
+
if binding.roleRef[:name] == role.metadata[:name]
|
|
39
|
+
@log.debug("matched the role name")
|
|
40
|
+
if binding.subjects
|
|
41
|
+
binding.subjects.each do |subject|
|
|
42
|
+
@log.debug("added a subject to the list")
|
|
43
|
+
role_output[:subjects] << subject
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
@results[target][:rbac][:cluster_roles][role.metadata[:name]] = role_output
|
|
50
|
+
end
|
|
51
|
+
end
|
|
52
|
+
end
|
|
@@ -279,6 +279,35 @@ module KubeAutoAnalyzer
|
|
|
279
279
|
@html_report_file.puts "<br><br>"
|
|
280
280
|
end
|
|
281
281
|
|
|
282
|
+
#Only show this section if we were asked to dump RBAC
|
|
283
|
+
if @options.audit_rbac
|
|
284
|
+
@html_report_file.puts "<br><br>"
|
|
285
|
+
@html_report_file.puts "<br><br><h2>Cluster Role Information</h2>"
|
|
286
|
+
@html_report_file.puts "<table><thead><tr><th>Name</th><th>Default?</th><th>Subjects</th><th>Rules</th></tr></thead>"
|
|
287
|
+
@results[@options.target_server][:rbac][:cluster_roles].each do |name, info|
|
|
288
|
+
subjects = ''
|
|
289
|
+
info[:subjects].each do |subject|
|
|
290
|
+
subjects << "#{subject[:kind]}:#{subject[:namespace]}:#{subject[:name]}<br>"
|
|
291
|
+
end
|
|
292
|
+
rules = ''
|
|
293
|
+
info[:rules].each do |rule|
|
|
294
|
+
unless rule.verbs
|
|
295
|
+
rule.verbs = Array.new
|
|
296
|
+
end
|
|
297
|
+
unless rule.apiGroups
|
|
298
|
+
rule.apiGroups = Array.new
|
|
299
|
+
end
|
|
300
|
+
unless rule.resources
|
|
301
|
+
rule.resources = Array.new
|
|
302
|
+
end
|
|
303
|
+
rules << "Verbs : #{rule.verbs.join(', ')}<br>API Groups : #{rule.apiGroups.join(', ')}<br>Resources : #{rule.resources.join(', ')}<br><hr>"
|
|
304
|
+
end
|
|
305
|
+
@html_report_file.puts "<tr><td>#{name}</td><td>#{info[:default]}</td><td>#{subjects}</td><td>#{rules}</td></tr>"
|
|
306
|
+
end
|
|
307
|
+
@html_report_file.puts "</table>"
|
|
308
|
+
@html_report_file.puts "<br><br>"
|
|
309
|
+
end
|
|
310
|
+
|
|
282
311
|
|
|
283
312
|
#Close the master Node Div
|
|
284
313
|
@html_report_file.puts "</table></div>"
|
data/lib/kube_auto_analyzer.rb
CHANGED
|
@@ -3,6 +3,7 @@ module KubeAutoAnalyzer
|
|
|
3
3
|
require "kube_auto_analyzer/version"
|
|
4
4
|
require "kube_auto_analyzer/api_checks/master_node"
|
|
5
5
|
require "kube_auto_analyzer/api_checks/config_dumper"
|
|
6
|
+
require "kube_auto_analyzer/api_checks/rbac_auditor"
|
|
6
7
|
require "kube_auto_analyzer/reporting"
|
|
7
8
|
require "kube_auto_analyzer/agent_checks/file_checks"
|
|
8
9
|
require "kube_auto_analyzer/agent_checks/process_checks"
|
|
@@ -58,6 +59,7 @@ module KubeAutoAnalyzer
|
|
|
58
59
|
end
|
|
59
60
|
@results[@options.target_server] = Hash.new
|
|
60
61
|
@client = Kubeclient::Client.new @options.target_server, 'v1', auth_options: auth_options, ssl_options: ssl_options
|
|
62
|
+
@rbac_client = Kubeclient::Client.new @options.target_server + '/apis/rbac.authorization.k8s.io', 'v1', auth_options: auth_options, ssl_options: ssl_options
|
|
61
63
|
else
|
|
62
64
|
begin
|
|
63
65
|
config = Kubeclient::Config.read(@options.config_file)
|
|
@@ -79,6 +81,14 @@ module KubeAutoAnalyzer
|
|
|
79
81
|
auth_options: context.auth_options
|
|
80
82
|
}
|
|
81
83
|
)
|
|
84
|
+
@rbac_client = Kubeclient::Client.new(
|
|
85
|
+
context.api_endpoint + '/apis/rbac.authorization.k8s.io',
|
|
86
|
+
context.api_version,
|
|
87
|
+
{
|
|
88
|
+
ssl_options: {client_cert: context.ssl_options[:client_cert], client_key: context.ssl_options[:client_key],verify_ssl: OpenSSL::SSL::VERIFY_NONE},
|
|
89
|
+
auth_options: context.auth_options
|
|
90
|
+
}
|
|
91
|
+
)
|
|
82
92
|
else
|
|
83
93
|
@client = Kubeclient::Client.new(
|
|
84
94
|
context.api_endpoint,
|
|
@@ -88,6 +98,14 @@ module KubeAutoAnalyzer
|
|
|
88
98
|
auth_options: context.auth_options
|
|
89
99
|
}
|
|
90
100
|
)
|
|
101
|
+
@rbac_client = Kubeclient::Client.new(
|
|
102
|
+
context.api_endpoint + '/apis/rbac.authorization.k8s.io',
|
|
103
|
+
context.api_version,
|
|
104
|
+
{
|
|
105
|
+
ssl_options: context.ssl_options,
|
|
106
|
+
auth_options: context.auth_options
|
|
107
|
+
}
|
|
108
|
+
)
|
|
91
109
|
end
|
|
92
110
|
#We didn't specify the target on the command line so lets get it from the config file
|
|
93
111
|
@options.target_server = context.api_endpoint
|
|
@@ -121,6 +139,9 @@ module KubeAutoAnalyzer
|
|
|
121
139
|
if @options.dump_config
|
|
122
140
|
dump_config
|
|
123
141
|
end
|
|
142
|
+
if @options.audit_rbac
|
|
143
|
+
audit_rbac
|
|
144
|
+
end
|
|
124
145
|
if @options.html_report
|
|
125
146
|
html_report
|
|
126
147
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: kube_auto_analyzer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.15
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Rory McCune
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-06-
|
|
11
|
+
date: 2018-06-17 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -69,6 +69,7 @@ files:
|
|
|
69
69
|
- lib/kube_auto_analyzer/agent_checks/process_checks.rb
|
|
70
70
|
- lib/kube_auto_analyzer/api_checks/config_dumper.rb
|
|
71
71
|
- lib/kube_auto_analyzer/api_checks/master_node.rb
|
|
72
|
+
- lib/kube_auto_analyzer/api_checks/rbac_auditor.rb
|
|
72
73
|
- lib/kube_auto_analyzer/data-logo.b64
|
|
73
74
|
- lib/kube_auto_analyzer/js_files/chartkick.js
|
|
74
75
|
- lib/kube_auto_analyzer/js_files/highcharts.js
|