kube_auto_analyzer 0.0.15 → 0.0.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3821dec919c2353aae2223cc7650ddbe2c433a600f4c985423a5e3b42290ce06
-  data.tar.gz: 6252e63c3a26e503a2074990c8ad0a791634b742d898fded95311714e23ebaf6
+  metadata.gz: c660dfe01e6def5a3b1dd095f7adaabb69d008969cc74a324cdfd70dc0dcf6b0
+  data.tar.gz: 53caa82754a21d6f5f999edb74c9220581b19a2d8eaf3fa9c33614506dd0cbfc
 SHA512:
-  metadata.gz: 60780447ef3aa3769590660344d0f64fe6b8459ba5790c3b302bd929a39b5b0477e50c491cf7a7f3af8eadc5a3812718e12b0b027d1ef19df1161ce977dc7df3
-  data.tar.gz: b525c4f4862b6cedae986dce2249f9cab86dd549383a565da548c6aada26ce9424e3e9b052b4ea6e0c1240aac176a5c4c7d3293254059cd4afd48149eb88379f
+  metadata.gz: cbb9fb819e5bc084e46f02326984968117a0b735aeac4e0f2719990f80214510f3faeaccc5c634fbf22397d7c4f831d80de23deb075bdecd9199e63bc1c6351b
+  data.tar.gz: 5aada0ec4b8d64e05b665c105faef30502c34bfcc7d2902a10624fd8abb5d429faa985ca278a26e8c7bc1db2991b5aafdf731ae245c1f38129f53bff870564ba

data/lib/kube_auto_analyzer/api_checks/config_dumper.rb

@@ -5,6 +5,7 @@ module KubeAutoAnalyzer
   @log.debug("dumping the config for #{target}")
   @results[target][:config] = Hash.new
   pods = @client.get_pods
+  services = @client.get_services
   docker_images = Array.new
   #Specific requirement here in that it's useful to know what Docker images are in use on the cluster.
   pods.each do |pod|
@@ -26,5 +27,28 @@ module KubeAutoAnalyzer
     @results[target][:config][:pod_info] << currpod
   end
 
+  @results[target][:config][:service_info] = Array.new
+
+  services.each do |service|
+    currserv = Hash.new
+    currserv[:name] = service.metadata[:name]
+    currserv[:cluster_ip] = service.spec[:clusterIP]
+    if service.spec[:externalIP]
+      currserv[:external_ip] = service.spec[:externalIP]
+    else
+      currserv[:external_ip] = "None"
+    end
+    if service.spec[:ports]
+      currserv[:ports] = Array.new
+      service.spec[:ports].each do |port|
+        currserv[:ports] << "#{port[:port]}/#{port[:protocol]}:#{port[:targetPort]}/#{port[:protocol]}"
+      end
+    else
+      currserv[:ports] = "None"
+    end
+    @results[target][:config][:service_info] << currserv
+  end
+
+
  end
 end

data/lib/kube_auto_analyzer/reporting.rb

@@ -188,129 +188,10 @@ module KubeAutoAnalyzer
       @html_report_file.puts "<tr><td>#{test}</td><td>#{result}</td></tr>"
     end
     @html_report_file.puts "</table>"
-
-    #Show what cluster authentication modes are supported.
-    @html_report_file.puts "<br><br>"
-    @html_report_file.puts "<br><br><h2>Kubernetes Authentication Options</h2>"
-    @html_report_file.puts "<table><thead><tr><th>Authentication Option</th><th>Enabled?</th></tr></thead>"
-    if @results[@options.target_server]['api_server']['CIS 1.1.2 - Ensure that the --basic-auth-file argument is not set'] == "Fail"
-      @html_report_file.puts "<tr><td>Basic Authentication</td><td>Enabled</td></tr>"
-    else
-      @html_report_file.puts "<tr><td>Basic Authentication</td><td>Disabled</td></tr>"
-    end
-    if @results[@options.target_server]['api_server']['CIS 1.1.20 - Ensure that the --token-auth-file argument is not set'] == "Fail"
-      @html_report_file.puts "<tr><td>Token Authentication</td><td>Enabled</td></tr>"
-    else
-      @html_report_file.puts "<tr><td>Token Authentication</td><td>Disabled</td></tr>"
-    end
-    if @results[@options.target_server]['api_server']['CIS 1.1.29 - Ensure that the --client-ca-file argument is set as appropriate'] == "Pass"
-      @html_report_file.puts "<tr><td>Client Certificate Authentication</td><td>Enabled</td></tr>"
-    else
-      @html_report_file.puts "<tr><td>Client Certificate Authentication</td><td>Disabled</td></tr>"
-    end
-
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--oidc-issuer-url/}
-      @html_report_file.puts "<tr><td>OpenID Connect Authentication</td><td>Enabled</td></tr>"
-    else
-      @html_report_file.puts "<tr><td>OpenID Connect Authentication</td><td>Disabled</td></tr>"
-    end
-
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authentication-token-webhook-config-file/}
-      @html_report_file.puts "<tr><td>Webhook Authentication</td><td>Enabled</td></tr>"
-    else
-      @html_report_file.puts "<tr><td>Webhook Authentication</td><td>Disabled</td></tr>"
-    end
-
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--requestheader-username-headers/}
-      @html_report_file.puts "<tr><td>Proxy Authentication</td><td>Enabled</td></tr>"
-    else
-      @html_report_file.puts "<tr><td>Proxy Authentication</td><td>Disabled</td></tr>"
-    end
-
-    @html_report_file.puts "</table>"
-
-    #Show what cluster authorization modes are supported.
-    @html_report_file.puts "<br><br>"
-    @html_report_file.puts "<br><br><h2>Kubernetes Authorization Options</h2>"
-    @html_report_file.puts "<table><thead><tr><th>Authorization Option</th><th>Enabled?</th></tr></thead>"
-
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*RBAC/}
-      @html_report_file.puts "<tr><td>Role Based Authorization</td><td>Enabled</td></tr>"
-    else
-      @html_report_file.puts "<tr><td>Role Based Authorization</td><td>Disabled</td></tr>"
-    end
-
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*ABAC/}
-      @html_report_file.puts "<tr><td>Attribute Based Authorization</td><td>Enabled</td></tr>"
-    else
-      @html_report_file.puts "<tr><td>Attribute Based Authorization</td><td>Disabled</td></tr>"
-    end
-
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*Webhook/}
-      @html_report_file.puts "<tr><td>Webhook Authorization</td><td>Enabled</td></tr>"
-    else
-      @html_report_file.puts "<tr><td>Webhook Authorization</td><td>Disabled</td></tr>"
-    end
-
-    @html_report_file.puts "</table>"    
-
-    @html_report_file.puts "<br><br><h2>Evidence</h2><br>"
-    @html_report_file.puts "<table><thead><tr><th>Area</th><th>Output</th></tr></thead>"
-    @results[@options.target_server]['evidence'].each do |area, output|
-      @html_report_file.puts "<tr><td>#{area}</td><td>#{output}</td></tr>"
-    end
-    @html_report_file.puts "</table>"  
-
-    #Only show this section if we were asked to dump the config
-    if @options.dump_config
-      @html_report_file.puts "<br><br>"
-      @html_report_file.puts "<br><br><h2>Cluster Config Information</h2>"
-      @html_report_file.puts "<table><thead><tr><th>Docker Images In Use</th></tr></thead>"
-      @results[@options.target_server][:config][:docker_images].each do |image|
-        @html_report_file.puts "<tr><td>#{image}</td></tr>"
-      end
-      @html_report_file.puts "</table>"
-      @html_report_file.puts "<br><br>"
-      @html_report_file.puts "<table><thead><tr><th>Pod Name</th><th>Namespace</th><th>Service Account</th><th>Host IP</th><th>Pod IP</th></tr></thead>"
-      @results[@options.target_server][:config][:pod_info].each do |pod|
-        @html_report_file.puts "<tr><td>#{pod[:name]}</td><td>#{pod[:namespace]}</td><td>#{pod[:service_account]}</td><td>#{pod[:host_ip]}</td><td>#{pod[:pod_ip]}</td></tr>"
-      end
-      @html_report_file.puts "</table>"
-      @html_report_file.puts "<br><br>"
-    end
-
-    #Only show this section if we were asked to dump RBAC
-    if @options.audit_rbac
-      @html_report_file.puts "<br><br>"
-      @html_report_file.puts "<br><br><h2>Cluster Role Information</h2>"
-      @html_report_file.puts "<table><thead><tr><th>Name</th><th>Default?</th><th>Subjects</th><th>Rules</th></tr></thead>"
-      @results[@options.target_server][:rbac][:cluster_roles].each do |name, info|
-        subjects = ''
-        info[:subjects].each do |subject|
-          subjects << "#{subject[:kind]}:#{subject[:namespace]}:#{subject[:name]}<br>"
-        end
-        rules = ''
-        info[:rules].each do |rule|
-          unless rule.verbs
-            rule.verbs = Array.new
-          end
-          unless rule.apiGroups
-            rule.apiGroups = Array.new
-          end
-          unless rule.resources
-            rule.resources = Array.new
-          end
-          rules << "Verbs : #{rule.verbs.join(', ')}<br>API Groups : #{rule.apiGroups.join(', ')}<br>Resources : #{rule.resources.join(', ')}<br><hr>"
-        end
-        @html_report_file.puts "<tr><td>#{name}</td><td>#{info[:default]}</td><td>#{subjects}</td><td>#{rules}</td></tr>"
-      end
-      @html_report_file.puts "</table>"
-      @html_report_file.puts "<br><br>"
-    end
-
-
     #Close the master Node Div
     @html_report_file.puts "</table></div>"
+
+
     if @options.agent_checks
       @html_report_file.puts '<br><br><div class="worker-node"><h2>Worker Node Results</h2>'
 
@@ -493,6 +374,132 @@ module KubeAutoAnalyzer
 
     @html_report_file.puts "</table>"
 
+    #Show what cluster authentication modes are supported.
+    @html_report_file.puts "<br><br><h1>Kubernetes Cluster Information</h1>"
+    @html_report_file.puts "<br><br><h2>Kubernetes Authentication Options</h2>"
+    @html_report_file.puts "<table><thead><tr><th>Authentication Option</th><th>Enabled?</th></tr></thead>"
+    if @results[@options.target_server]['api_server']['CIS 1.1.2 - Ensure that the --basic-auth-file argument is not set'] == "Fail"
+      @html_report_file.puts "<tr><td>Basic Authentication</td><td>Enabled</td></tr>"
+    else
+      @html_report_file.puts "<tr><td>Basic Authentication</td><td>Disabled</td></tr>"
+    end
+    if @results[@options.target_server]['api_server']['CIS 1.1.20 - Ensure that the --token-auth-file argument is not set'] == "Fail"
+      @html_report_file.puts "<tr><td>Token Authentication</td><td>Enabled</td></tr>"
+    else
+      @html_report_file.puts "<tr><td>Token Authentication</td><td>Disabled</td></tr>"
+    end
+    if @results[@options.target_server]['api_server']['CIS 1.1.29 - Ensure that the --client-ca-file argument is set as appropriate'] == "Pass"
+      @html_report_file.puts "<tr><td>Client Certificate Authentication</td><td>Enabled</td></tr>"
+    else
+      @html_report_file.puts "<tr><td>Client Certificate Authentication</td><td>Disabled</td></tr>"
+    end
+
+    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--oidc-issuer-url/}
+      @html_report_file.puts "<tr><td>OpenID Connect Authentication</td><td>Enabled</td></tr>"
+    else
+      @html_report_file.puts "<tr><td>OpenID Connect Authentication</td><td>Disabled</td></tr>"
+    end
+
+    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authentication-token-webhook-config-file/}
+      @html_report_file.puts "<tr><td>Webhook Authentication</td><td>Enabled</td></tr>"
+    else
+      @html_report_file.puts "<tr><td>Webhook Authentication</td><td>Disabled</td></tr>"
+    end
+
+    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--requestheader-username-headers/}
+      @html_report_file.puts "<tr><td>Proxy Authentication</td><td>Enabled</td></tr>"
+    else
+      @html_report_file.puts "<tr><td>Proxy Authentication</td><td>Disabled</td></tr>"
+    end
+
+    @html_report_file.puts "</table>"
+
+    #Show what cluster authorization modes are supported.
+    @html_report_file.puts "<br><br>"
+    @html_report_file.puts "<br><br><h2>Kubernetes Authorization Options</h2>"
+    @html_report_file.puts "<table><thead><tr><th>Authorization Option</th><th>Enabled?</th></tr></thead>"
+
+    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*RBAC/}
+      @html_report_file.puts "<tr><td>Role Based Authorization</td><td>Enabled</td></tr>"
+    else
+      @html_report_file.puts "<tr><td>Role Based Authorization</td><td>Disabled</td></tr>"
+    end
+
+    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*ABAC/}
+      @html_report_file.puts "<tr><td>Attribute Based Authorization</td><td>Enabled</td></tr>"
+    else
+      @html_report_file.puts "<tr><td>Attribute Based Authorization</td><td>Disabled</td></tr>"
+    end
+
+    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*Webhook/}
+      @html_report_file.puts "<tr><td>Webhook Authorization</td><td>Enabled</td></tr>"
+    else
+      @html_report_file.puts "<tr><td>Webhook Authorization</td><td>Disabled</td></tr>"
+    end
+
+    @html_report_file.puts "</table>"    
+
+    @html_report_file.puts "<br><br><h2>Evidence</h2><br>"
+    @html_report_file.puts "<table><thead><tr><th>Area</th><th>Output</th></tr></thead>"
+    @results[@options.target_server]['evidence'].each do |area, output|
+      @html_report_file.puts "<tr><td>#{area}</td><td>#{output}</td></tr>"
+    end
+    @html_report_file.puts "</table>"  
+
+    #Only show this section if we were asked to dump the config
+    if @options.dump_config
+      @html_report_file.puts "<br><br>"
+      @html_report_file.puts "<br><br><h2>Cluster Config Information</h2>"
+      @html_report_file.puts "<table><thead><tr><th>Docker Images In Use</th></tr></thead>"
+      @results[@options.target_server][:config][:docker_images].each do |image|
+        @html_report_file.puts "<tr><td>#{image}</td></tr>"
+      end
+      @html_report_file.puts "</table>"
+      @html_report_file.puts "<br><br>"
+      @html_report_file.puts "<table><thead><tr><th>Pod Name</th><th>Namespace</th><th>Service Account</th><th>Host IP</th><th>Pod IP</th></tr></thead>"
+      @results[@options.target_server][:config][:pod_info].each do |pod|
+        @html_report_file.puts "<tr><td>#{pod[:name]}</td><td>#{pod[:namespace]}</td><td>#{pod[:service_account]}</td><td>#{pod[:host_ip]}</td><td>#{pod[:pod_ip]}</td></tr>"
+      end
+      @html_report_file.puts "</table>"
+      @html_report_file.puts "<br><br>"
+      @html_report_file.puts "<br><br>"
+      @html_report_file.puts "<table><thead><tr><th>Service Name</th><th>Cluster IP</th><th>External IP</th><th>Port:Target Port</th></tr></thead>"
+      @results[@options.target_server][:config][:service_info].each do |service|
+
+        @html_report_file.puts "<tr><td>#{service[:name]}</td><td>#{service[:cluster_ip]}</td><td>#{service[:external_ip]}</td><td>#{service[:ports].join('<br>')}</td></tr>"
+      end
+      @html_report_file.puts "</table>"
+      @html_report_file.puts "<br><br>"
+    end
+
+    #Only show this section if we were asked to dump RBAC
+    if @options.audit_rbac
+      @html_report_file.puts "<br><br>"
+      @html_report_file.puts "<br><br><h2>Cluster Role Information</h2>"
+      @html_report_file.puts "<table><thead><tr><th>Name</th><th>Default?</th><th>Subjects</th><th>Rules</th></tr></thead>"
+      @results[@options.target_server][:rbac][:cluster_roles].each do |name, info|
+        subjects = ''
+        info[:subjects].each do |subject|
+          subjects << "#{subject[:kind]}:#{subject[:namespace]}:#{subject[:name]}<br>"
+        end
+        rules = ''
+        info[:rules].each do |rule|
+          unless rule.verbs
+            rule.verbs = Array.new
+          end
+          unless rule.apiGroups
+            rule.apiGroups = Array.new
+          end
+          unless rule.resources
+            rule.resources = Array.new
+          end
+          rules << "Verbs : #{rule.verbs.join(', ')}<br>API Groups : #{rule.apiGroups.join(', ')}<br>Resources : #{rule.resources.join(', ')}<br><hr>"
+        end
+        @html_report_file.puts "<tr><td>#{name}</td><td>#{info[:default]}</td><td>#{subjects}</td><td>#{rules}</td></tr>"
+      end
+      @html_report_file.puts "</table>"
+      @html_report_file.puts "<br><br>"
+    end
 
     #Closing the report off
     @html_report_file.puts '</body></html>'

data/lib/kube_auto_analyzer/version.rb

@@ -1,3 +1,3 @@
 module KubeAutoAnalyzer
-  VERSION = "0.0.15"
+  VERSION = "0.0.16"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kube_auto_analyzer
 version: !ruby/object:Gem::Version
-  version: 0.0.15
+  version: 0.0.16
 platform: ruby
 authors:
 - Rory McCune
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-17 00:00:00.000000000 Z
+date: 2018-06-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler