kube_auto_analyzer 0.0.16 → 0.0.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c660dfe01e6def5a3b1dd095f7adaabb69d008969cc74a324cdfd70dc0dcf6b0
-  data.tar.gz: 53caa82754a21d6f5f999edb74c9220581b19a2d8eaf3fa9c33614506dd0cbfc
+  metadata.gz: eea761191dd513070aa5d9ffc5167caa1ad52843859e123b1df799ea477200ee
+  data.tar.gz: ceb2d2e971cdd7d7dc64540cdd94bffbf23ae4a14889b5101532ccac7ceaf6c7
 SHA512:
-  metadata.gz: cbb9fb819e5bc084e46f02326984968117a0b735aeac4e0f2719990f80214510f3faeaccc5c634fbf22397d7c4f831d80de23deb075bdecd9199e63bc1c6351b
-  data.tar.gz: 5aada0ec4b8d64e05b665c105faef30502c34bfcc7d2902a10624fd8abb5d429faa985ca278a26e8c7bc1db2991b5aafdf731ae245c1f38129f53bff870564ba
+  metadata.gz: 7ead0e68c63947bec56b073ce0099702354a86bb52994168d7527596202b483ea7bcbf8b8b52c6881823679e83b2de7a4ce8cf0fedd8b295d6cc8381e77751ee
+  data.tar.gz: b34fe9a061933d9fa3f073f1dc16df34608d94989c211183492dc1a0bec7ded5f40ef40afeafd1cc7d1c3a96286fa71e47bc8f71bac062951ac4949faf2de23c

data/bin/kubeautoanalyzer

@@ -8,7 +8,7 @@
   options.report_directory = Dir.pwd
   options.report_file = 'kube-parse-report'
   options.target_server = 'http://127.0.0.1:8080'
-  options.html_report = false
+  options.html_report = true
   options.json_report = false
   options.token = ''
   options.token_file = ''
@@ -19,12 +19,13 @@
   options.nosslverify = false
   options.dump_config = false
   options.audit_rbac = false
+  options.cluster_version = '1.11'
+  options.cis_audit = false
 
   opts = OptionParser.new do |opts|
     opts.banner = "Kubernetes Auto Analyzer #{KubeAutoAnalyzer::VERSION}"
 
 
-
     #TODO: Need options for different authentication mechanisms      
     opts.on("-c", "--config [CONFIG]", "kubeconfig file to load") do |file|
       options.config_file = file
@@ -58,6 +59,10 @@
       options.token = token
     end
 
+    opts.on("-a", "--audit [AUDIT]", "CIS Audit against 1.8 Standard") do |audit|
+      options.cis_audit = true
+    end
+
     opts.on("-j", "--json", "Create a JSON report") do |json|
       options.json_report = true
     end

data/lib/kube_auto_analyzer.rb

@@ -4,6 +4,8 @@ module KubeAutoAnalyzer
   require "kube_auto_analyzer/api_checks/master_node"
   require "kube_auto_analyzer/api_checks/config_dumper"
   require "kube_auto_analyzer/api_checks/rbac_auditor"
+  require "kube_auto_analyzer/api_checks/authentication_checker"
+  require "kube_auto_analyzer/api_checks/authorization_checker"
   require "kube_auto_analyzer/reporting"
   require "kube_auto_analyzer/agent_checks/file_checks"
   require "kube_auto_analyzer/agent_checks/process_checks"
@@ -122,18 +124,24 @@ module KubeAutoAnalyzer
       puts "to see what's going wrong."
       exit
     end
-    test_api_server
-    test_scheduler
-    test_controller_manager
-    test_etcd
+    if @options.cis_audit
+      test_api_server
+      test_scheduler
+      test_controller_manager
+      test_etcd
+    end
+    check_authn
+    check_authz
     test_unauth_kubelet_external
     test_insecure_api_external
     if @options.agent_checks
       test_unauth_kubelet_internal
       test_insecure_api_internal
       test_service_token_internal
-      check_files
-      check_kubelet_process
+      if @options.cis_audit
+        check_files
+        check_kubelet_process
+      end
       check_amicontained
     end
     if @options.dump_config

data/lib/kube_auto_analyzer/api_checks/authentication_checker.rb

@@ -0,0 +1,54 @@
+module KubeAutoAnalyzer
+  def self.check_authn
+    @log.debug("Entering the Authentication Checker")
+    target = @options.target_server
+    @log.debug("Checking enabled Authentication Options on #{target}")
+    @results[target][:authn] = Hash.new
+    @results[target]['evidence'] = Hash.new
+    pods = @client.get_pods
+    pods.each do |pod|
+      if pod['metadata']['name'] =~ /kube-apiserver/
+        @api_server = pod
+      end
+    end
+
+    api_server_command_line = @api_server['spec']['containers'][0]['command']
+    if api_server_command_line.index{|line| line =~ /--basic-auth-file/}
+      @results[target][:authn][:basic] = true
+    else
+      @results[target][:authn][:basic] = false
+    end
+
+    if api_server_command_line.index{|line| line =~ /--token-auth-file/}
+      @results[target][:authn][:token] = true
+    else
+      @results[target][:authn][:token] = false
+    end
+
+    if api_server_command_line.index{|line| line =~ /--client-ca-file/}
+      @results[target][:authn][:certificate] = true
+    else
+      @results[target][:authn][:certificate] = false
+    end
+
+    if api_server_command_line.index{|line| line =~ /--oidc-issuer-url/}
+      @results[target][:authn][:oidc] = true
+    else
+      @results[target][:authn][:oidc] = false
+    end
+
+    if api_server_command_line.index{|line| line =~ /--authentication-token-webhook-config-file/}
+      @results[target][:authn][:webhook] = true
+    else
+      @results[target][:authn][:webhook] = false
+    end
+
+    if api_server_command_line.index{|line| line =~ /--requestheader-username-headers/}
+      @results[target][:authn][:proxy] = true
+    else
+      @results[target][:authn][:proxy] = false
+    end
+    #Gather evidence for the API server
+    @results[target]['evidence']['API Server'] = api_server_command_line
+  end
+end

data/lib/kube_auto_analyzer/api_checks/authorization_checker.rb

@@ -0,0 +1,34 @@
+module KubeAutoAnalyzer
+  def self.check_authz
+    @log.debug("Entering the authorization checker")
+    target = @options.target_server
+    @log.debug("Checking enabled authorization options on #{target}")
+    @results[target][:authz] = Hash.new
+    pods = @client.get_pods
+    pods.each do |pod|
+      if pod['metadata']['name'] =~ /kube-apiserver/
+        @api_server = pod
+      end
+    end
+
+    api_server_command_line = @api_server['spec']['containers'][0]['command']
+    if api_server_command_line.index{|line| line =~ /--authorization-mode\S*RBAC/}
+      @results[target][:authz][:rbac] = true
+      
+    else
+      @results[target][:authz][:rbac] = false      
+    end
+
+    if api_server_command_line.index{|line| line =~ /--authorization-mode\S*ABAC/}
+      @results[target][:authz][:abac] = true
+    else
+      @results[target][:authz][:abac] = false
+    end
+
+    if api_server_command_line.index{|line| line =~ /--authorization-mode\S*Webhook/}
+      @results[target][:authz][:webhook] = true
+    else
+      @results[target][:authz][:webhook] = false
+    end
+  end
+end

data/lib/kube_auto_analyzer/api_checks/master_node.rb

@@ -5,7 +5,6 @@ module KubeAutoAnalyzer
     target = @options.target_server
     @log.debug("target is #{target}")
     @results[target]['api_server'] = Hash.new
-    @results[target]['evidence'] = Hash.new
     pods = @client.get_pods
     pods.each do |pod| 
       #Ok this is a bit naive as a means of hitting the API server but hey it's a start
@@ -246,7 +245,7 @@ module KubeAutoAnalyzer
 
     #1.1.37 This one is dubious for a pass/fail test as the value should be evaluated against the relity of the cluster.
 
-    @results[target]['evidence']['API Server'] = api_server_command_line
+    
   end
 
   def self.test_scheduler

data/lib/kube_auto_analyzer/reporting.rb

@@ -71,125 +71,127 @@ module KubeAutoAnalyzer
   <body>
   
     '
-    chartkick_path = File.join(__dir__, "js_files/chartkick.js")
-    chartkick = File.open(chartkick_path).read
-    highcharts_path = File.join(__dir__, "js_files/highcharts.js")
-    highcharts = File.open(highcharts_path).read
-    @html_report_file.puts "<script>#{chartkick}</script>"
-    @html_report_file.puts "<script>#{highcharts}</script>"
     @html_report_file.puts '<img width="100" height="100" align="right"' + " src=#{logo} />"
     @html_report_file.puts "<h1>Kubernetes Auto Analyzer</h1>"
     @html_report_file.puts "<br><b>Server Reviewed : </b> #{@options.target_server}"
-    @html_report_file.puts '<br><br><div class="master-node"><h2>Master Node Results</h2><br>'
-    #Charting setup counts for the passes and fails
-    api_server_pass = 0
-    api_server_fail = 0
-    @results[@options.target_server]['api_server'].each do |test, result|
-      if result == "Pass"
-        api_server_pass  = api_server_pass + 1
-      elsif result == "Fail"
-        api_server_fail = api_server_fail + 1
+    if @options.cis_audit
+      chartkick_path = File.join(__dir__, "js_files/chartkick.js")
+      chartkick = File.open(chartkick_path).read
+      highcharts_path = File.join(__dir__, "js_files/highcharts.js")
+      highcharts = File.open(highcharts_path).read
+      @html_report_file.puts "<script>#{chartkick}</script>"
+      @html_report_file.puts "<script>#{highcharts}</script>"
+      @html_report_file.puts '<br><br><div class="master-node"><h2>Master Node Results</h2><br>'
+      #Charting setup counts for the passes and fails
+      api_server_pass = 0
+      api_server_fail = 0
+      @results[@options.target_server]['api_server'].each do |test, result|
+        if result == "Pass"
+          api_server_pass  = api_server_pass + 1
+        elsif result == "Fail"
+          api_server_fail = api_server_fail + 1
+        end
       end
-    end
 
-    #Not a lot of point in scheduler when there's only one check...
-    #scheduler_pass = 0
-    #scheduler_fail = 0
-    #@results[@options.target_server]['scheduler'].each do |test, result|
-    #  if result == "Pass"
-    #    scheduler_pass  = scheduler_pass + 1
-    #  elsif result == "Fail"
-    #     scheduler_fail = scheduler_fail + 1
-    #  end
-    #end
-
-    controller_manager_pass = 0
-    controller_manager_fail = 0
-    @results[@options.target_server]['controller_manager'].each do |test, result|
-      if result == "Pass"
-        controller_manager_pass  = controller_manager_pass + 1
-      elsif result == "Fail"
-        controller_manager_fail = controller_manager_fail + 1
+      #Not a lot of point in scheduler when there's only one check...
+      #scheduler_pass = 0
+      #scheduler_fail = 0
+      #@results[@options.target_server]['scheduler'].each do |test, result|
+      #  if result == "Pass"
+      #    scheduler_pass  = scheduler_pass + 1
+      #  elsif result == "Fail"
+      #     scheduler_fail = scheduler_fail + 1
+      #  end
+      #end
+
+      controller_manager_pass = 0
+      controller_manager_fail = 0
+      @results[@options.target_server]['controller_manager'].each do |test, result|
+        if result == "Pass"
+          controller_manager_pass  = controller_manager_pass + 1
+        elsif result == "Fail"
+          controller_manager_fail = controller_manager_fail + 1
+        end
       end
-    end
 
-    etcd_pass = 0
-    etcd_fail = 0
-    @results[@options.target_server]['etcd'].each do |test, result|
-      if result == "Pass"
-        etcd_pass  = etcd_pass + 1
-      elsif result == "Fail"
-        etcd_fail = etcd_fail + 1
+      etcd_pass = 0
+      etcd_fail = 0
+      @results[@options.target_server]['etcd'].each do |test, result|
+        if result == "Pass"
+          etcd_pass  = etcd_pass + 1
+        elsif result == "Fail"
+          etcd_fail = etcd_fail + 1
+        end
       end
-    end
 
-    #Start of Chart Divs
-    @html_report_file.puts '<div class="container">'
-    #API Server Chart
-    @html_report_file.puts '<div class="fixed" id="chart-1" style="height: 300px; width: 300px; text-align: center; color: #999; line-height: 300px; font-size: 14px;font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"></div>'
-    @html_report_file.puts '<script>new Chartkick.PieChart("chart-1", {"pass": ' + api_server_pass.to_s + ', "fail": ' + api_server_fail.to_s + '}, {"colors":["green","red"], "library":{"title":{"text":"API Server Results"},"chart":{"backgroundColor":"#F5F5F5"}}})</script>'
-    #Scheduler Chart
-    #@html_report_file.puts '<div class="flex-item" id="chart-2" style="height: 300px; width: 300px; text-align: center; color: #999; line-height: 300px; font-size: 14px;font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"></div>'
-    #@html_report_file.puts '<script>new Chartkick.PieChart("chart-2", {"pass": ' + scheduler_pass.to_s + ', "fail": ' + scheduler_fail.to_s + '}, {"colors":["green","red"], "library":{"title":{"text":"Scheduler Results"},"chart":{"backgroundColor":"#F5F5F5"}}})</script>'
-    #Controller Manager Chart
-    @html_report_file.puts '<div class="fixed" id="chart-2" style="height: 300px; width: 300px; text-align: center; color: #999; line-height: 300px; font-size: 14px;font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"></div>'
-    @html_report_file.puts '<script>new Chartkick.PieChart("chart-2", {"pass": ' + controller_manager_pass.to_s + ', "fail": ' + controller_manager_fail.to_s + '}, {"colors":["green","red"], "library":{"title":{"text":"Controller Manager Results"},"chart":{"backgroundColor":"#F5F5F5"}}})</script>'
-    #etcd Chart
-    @html_report_file.puts '<div class="fixed" id="chart-3" style="height: 300px; width: 300px; text-align: center; color: #999; line-height: 300px; font-size: 14px;font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"></div>'
-    @html_report_file.puts '<script>new Chartkick.PieChart("chart-3", {"pass": ' + etcd_pass.to_s + ', "fail": ' + etcd_fail.to_s + '}, {"colors":["green","red"], "library":{"title":{"text":"etcd Results"},"chart":{"backgroundColor":"#F5F5F5"}}})</script>'
-    #End of Chart Divs
-    @html_report_file.puts '</div>'
-    @html_report_file.puts "<h2>API Server</h2>"
-    @html_report_file.puts "<table><thead><tr><th>Check</th><th>result</th></tr></thead>"
-    @results[@options.target_server]['api_server'].each do |test, result|      
-      if result == "Fail"
-        result = '<span style="color:red;">Fail</span>'
-      elsif result == "Pass"
-        result = '<span style="color:green;">Pass</span>'
+      #Start of Chart Divs
+      @html_report_file.puts '<div class="container">'
+      #API Server Chart
+      @html_report_file.puts '<div class="fixed" id="chart-1" style="height: 300px; width: 300px; text-align: center; color: #999; line-height: 300px; font-size: 14px;font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"></div>'
+      @html_report_file.puts '<script>new Chartkick.PieChart("chart-1", {"pass": ' + api_server_pass.to_s + ', "fail": ' + api_server_fail.to_s + '}, {"colors":["green","red"], "library":{"title":{"text":"API Server Results"},"chart":{"backgroundColor":"#F5F5F5"}}})</script>'
+      #Scheduler Chart
+      #@html_report_file.puts '<div class="flex-item" id="chart-2" style="height: 300px; width: 300px; text-align: center; color: #999; line-height: 300px; font-size: 14px;font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"></div>'
+      #@html_report_file.puts '<script>new Chartkick.PieChart("chart-2", {"pass": ' + scheduler_pass.to_s + ', "fail": ' + scheduler_fail.to_s + '}, {"colors":["green","red"], "library":{"title":{"text":"Scheduler Results"},"chart":{"backgroundColor":"#F5F5F5"}}})</script>'
+      #Controller Manager Chart
+      @html_report_file.puts '<div class="fixed" id="chart-2" style="height: 300px; width: 300px; text-align: center; color: #999; line-height: 300px; font-size: 14px;font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"></div>'
+      @html_report_file.puts '<script>new Chartkick.PieChart("chart-2", {"pass": ' + controller_manager_pass.to_s + ', "fail": ' + controller_manager_fail.to_s + '}, {"colors":["green","red"], "library":{"title":{"text":"Controller Manager Results"},"chart":{"backgroundColor":"#F5F5F5"}}})</script>'
+      #etcd Chart
+      @html_report_file.puts '<div class="fixed" id="chart-3" style="height: 300px; width: 300px; text-align: center; color: #999; line-height: 300px; font-size: 14px;font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;"></div>'
+      @html_report_file.puts '<script>new Chartkick.PieChart("chart-3", {"pass": ' + etcd_pass.to_s + ', "fail": ' + etcd_fail.to_s + '}, {"colors":["green","red"], "library":{"title":{"text":"etcd Results"},"chart":{"backgroundColor":"#F5F5F5"}}})</script>'
+      #End of Chart Divs
+      @html_report_file.puts '</div>'
+      @html_report_file.puts "<h2>API Server</h2>"
+      @html_report_file.puts "<table><thead><tr><th>Check</th><th>result</th></tr></thead>"
+      @results[@options.target_server]['api_server'].each do |test, result|      
+        if result == "Fail"
+          result = '<span style="color:red;">Fail</span>'
+        elsif result == "Pass"
+          result = '<span style="color:green;">Pass</span>'
+        end
+        @html_report_file.puts "<tr><td>#{test}</td><td>#{result}</td></tr>"
       end
-      @html_report_file.puts "<tr><td>#{test}</td><td>#{result}</td></tr>"
-    end
-    @html_report_file.puts "</table>"
-    @html_report_file.puts "<br><br>"
-    @html_report_file.puts "<br><br><h2>Scheduler</h2>"
-    @html_report_file.puts "<table><thead><tr><th>Check</th><th>result</th></tr></thead>"
-    @results[@options.target_server]['scheduler'].each do |test, result|      
-      if result == "Fail"
-        result = '<span style="color:red;">Fail</span>'
-      elsif result == "Pass"
-        result = '<span style="color:green;">Pass</span>'
+      @html_report_file.puts "</table>"
+      @html_report_file.puts "<br><br>"
+      @html_report_file.puts "<br><br><h2>Scheduler</h2>"
+      @html_report_file.puts "<table><thead><tr><th>Check</th><th>result</th></tr></thead>"
+      @results[@options.target_server]['scheduler'].each do |test, result|      
+        if result == "Fail"
+          result = '<span style="color:red;">Fail</span>'
+        elsif result == "Pass"
+          result = '<span style="color:green;">Pass</span>'
+        end
+        @html_report_file.puts "<tr><td>#{test}</td><td>#{result}</td></tr>"
       end
-      @html_report_file.puts "<tr><td>#{test}</td><td>#{result}</td></tr>"
-    end
-    @html_report_file.puts "</table>"
+      @html_report_file.puts "</table>"
 
-    @html_report_file.puts "<br><br>"
-    @html_report_file.puts "<br><br><h2>Controller Manager</h2>"
-    @html_report_file.puts "<table><thead><tr><th>Check</th><th>result</th></tr></thead>"
-    @results[@options.target_server]['controller_manager'].each do |test, result|      
-      if result == "Fail"
-        result = '<span style="color:red;">Fail</span>'
-      elsif result == "Pass"
-        result = '<span style="color:green;">Pass</span>'
+      @html_report_file.puts "<br><br>"
+      @html_report_file.puts "<br><br><h2>Controller Manager</h2>"
+      @html_report_file.puts "<table><thead><tr><th>Check</th><th>result</th></tr></thead>"
+      @results[@options.target_server]['controller_manager'].each do |test, result|      
+        if result == "Fail"
+          result = '<span style="color:red;">Fail</span>'
+        elsif result == "Pass"
+          result = '<span style="color:green;">Pass</span>'
+        end
+        @html_report_file.puts "<tr><td>#{test}</td><td>#{result}</td></tr>"
       end
-      @html_report_file.puts "<tr><td>#{test}</td><td>#{result}</td></tr>"
-    end
-    @html_report_file.puts "</table>"
+      @html_report_file.puts "</table>"
 
-    @html_report_file.puts "<br><br>"
-    @html_report_file.puts "<br><br><h2>etcd</h2>"
-    @html_report_file.puts "<table><thead><tr><th>Check</th><th>result</th></tr></thead>"
-    @results[@options.target_server]['etcd'].each do |test, result|      
-      if result == "Fail"
-        result = '<span style="color:red;">Fail</span>'
-      elsif result == "Pass"
-        result = '<span style="color:green;">Pass</span>'
+      @html_report_file.puts "<br><br>"
+      @html_report_file.puts "<br><br><h2>etcd</h2>"
+      @html_report_file.puts "<table><thead><tr><th>Check</th><th>result</th></tr></thead>"
+      @results[@options.target_server]['etcd'].each do |test, result|      
+        if result == "Fail"
+          result = '<span style="color:red;">Fail</span>'
+        elsif result == "Pass"
+          result = '<span style="color:green;">Pass</span>'
+        end
+        @html_report_file.puts "<tr><td>#{test}</td><td>#{result}</td></tr>"
       end
-      @html_report_file.puts "<tr><td>#{test}</td><td>#{result}</td></tr>"
+      @html_report_file.puts "</table>"
+      #Close the master Node Div
+      @html_report_file.puts "</table></div>"
     end
-    @html_report_file.puts "</table>"
-    #Close the master Node Div
-    @html_report_file.puts "</table></div>"
 
 
     if @options.agent_checks
@@ -378,35 +380,35 @@ module KubeAutoAnalyzer
     @html_report_file.puts "<br><br><h1>Kubernetes Cluster Information</h1>"
     @html_report_file.puts "<br><br><h2>Kubernetes Authentication Options</h2>"
     @html_report_file.puts "<table><thead><tr><th>Authentication Option</th><th>Enabled?</th></tr></thead>"
-    if @results[@options.target_server]['api_server']['CIS 1.1.2 - Ensure that the --basic-auth-file argument is not set'] == "Fail"
+    if @results[@options.target_server][:authn][:basic] == true
       @html_report_file.puts "<tr><td>Basic Authentication</td><td>Enabled</td></tr>"
     else
       @html_report_file.puts "<tr><td>Basic Authentication</td><td>Disabled</td></tr>"
     end
-    if @results[@options.target_server]['api_server']['CIS 1.1.20 - Ensure that the --token-auth-file argument is not set'] == "Fail"
+    if @results[@options.target_server][:authn][:token] == true
       @html_report_file.puts "<tr><td>Token Authentication</td><td>Enabled</td></tr>"
     else
       @html_report_file.puts "<tr><td>Token Authentication</td><td>Disabled</td></tr>"
     end
-    if @results[@options.target_server]['api_server']['CIS 1.1.29 - Ensure that the --client-ca-file argument is set as appropriate'] == "Pass"
+    if @results[@options.target_server][:authn][:certificate] == true
       @html_report_file.puts "<tr><td>Client Certificate Authentication</td><td>Enabled</td></tr>"
     else
       @html_report_file.puts "<tr><td>Client Certificate Authentication</td><td>Disabled</td></tr>"
     end
 
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--oidc-issuer-url/}
+    if @results[@options.target_server][:authn][:oidc] == true
       @html_report_file.puts "<tr><td>OpenID Connect Authentication</td><td>Enabled</td></tr>"
     else
       @html_report_file.puts "<tr><td>OpenID Connect Authentication</td><td>Disabled</td></tr>"
     end
 
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authentication-token-webhook-config-file/}
+    if @results[@options.target_server][:authn][:webhook] == true
       @html_report_file.puts "<tr><td>Webhook Authentication</td><td>Enabled</td></tr>"
     else
       @html_report_file.puts "<tr><td>Webhook Authentication</td><td>Disabled</td></tr>"
     end
 
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--requestheader-username-headers/}
+    if @results[@options.target_server][:authn][:proxy] == true
       @html_report_file.puts "<tr><td>Proxy Authentication</td><td>Enabled</td></tr>"
     else
       @html_report_file.puts "<tr><td>Proxy Authentication</td><td>Disabled</td></tr>"
@@ -419,19 +421,19 @@ module KubeAutoAnalyzer
     @html_report_file.puts "<br><br><h2>Kubernetes Authorization Options</h2>"
     @html_report_file.puts "<table><thead><tr><th>Authorization Option</th><th>Enabled?</th></tr></thead>"
 
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*RBAC/}
+    if @results[@options.target_server][:authz][:rbac] == true
       @html_report_file.puts "<tr><td>Role Based Authorization</td><td>Enabled</td></tr>"
     else
       @html_report_file.puts "<tr><td>Role Based Authorization</td><td>Disabled</td></tr>"
     end
 
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*ABAC/}
+    if @results[@options.target_server][:authz][:abac] == true
       @html_report_file.puts "<tr><td>Attribute Based Authorization</td><td>Enabled</td></tr>"
     else
       @html_report_file.puts "<tr><td>Attribute Based Authorization</td><td>Disabled</td></tr>"
     end
 
-    if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*Webhook/}
+    if @results[@options.target_server][:authz][:webhook] == true
       @html_report_file.puts "<tr><td>Webhook Authorization</td><td>Enabled</td></tr>"
     else
       @html_report_file.puts "<tr><td>Webhook Authorization</td><td>Disabled</td></tr>"

data/lib/kube_auto_analyzer/version.rb

@@ -1,3 +1,3 @@
 module KubeAutoAnalyzer
-  VERSION = "0.0.16"
+  VERSION = "0.0.17"
 end

data/lib/kube_auto_analyzer/vuln_checks/api_server.rb

@@ -18,6 +18,8 @@ module KubeAutoAnalyzer
           pods_resp = RestClient::Request.execute(:url => "http://#{nod}:8080/api",:method => :get)
         rescue RestClient::Forbidden
           pods_resp = "Not Vulnerable - Request Forbidden"
+        rescue RestClient::NotFound
+          pods_resp = "Not Vulnerable - Request Not Found"
         end
         @results[target]['vulns']['insecure_api_external'][nod] = pods_resp
       else

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kube_auto_analyzer
 version: !ruby/object:Gem::Version
-  version: 0.0.16
+  version: 0.0.17
 platform: ruby
 authors:
 - Rory McCune
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-18 00:00:00.000000000 Z
+date: 2019-01-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -67,6 +67,8 @@ files:
 - lib/kube_auto_analyzer.rb
 - lib/kube_auto_analyzer/agent_checks/file_checks.rb
 - lib/kube_auto_analyzer/agent_checks/process_checks.rb
+- lib/kube_auto_analyzer/api_checks/authentication_checker.rb
+- lib/kube_auto_analyzer/api_checks/authorization_checker.rb
 - lib/kube_auto_analyzer/api_checks/config_dumper.rb
 - lib/kube_auto_analyzer/api_checks/master_node.rb
 - lib/kube_auto_analyzer/api_checks/rbac_auditor.rb
@@ -101,7 +103,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 3.0.0.beta3
 signing_key: 
 specification_version: 4
 summary: A Gem which provides a script and class analyze the security of a Kubernetes