kube_auto_analyzer 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 179347b988fdd1f2ad81a2275f688e70f486de38
-  data.tar.gz: 758db7c745076d8eaabe55a77b839304ebfa1dd7
+  metadata.gz: 8eef7acfe04e5060eb6da88237f8e5f719815625
+  data.tar.gz: 6fc041eaefc06167d3bc444c278447d3f1109d06
 SHA512:
-  metadata.gz: 96ec9cbe4b584861de6012d5bbbe09cc195936754984ec36c5d7c143c555f175f8f65c76821111c4fc95f9698f0b8bda4d8732e5a29fde3f2a260dd32b964d51
-  data.tar.gz: 0273af5e567d1f78d6cc92ff511fcb8bfdb1fc44996d5ceb86193121d4f700dc998b89887caac2d8cd61759d5eb3ad8eac6a16f422146383409de1e692c2b0dd
+  metadata.gz: d98679c3423bf84bbcfd24420b119cb0a23c191f20aa251d5a708c4e41c000785d6fa9d9d20ff08bf06abeca4f07b3519d98f27b43df15d81c477d41f70a009f
+  data.tar.gz: 0b36c63d370ca496e80887ede180407552b923a27a63baab4ec51c251a529c3bad0e3f09cb3ece71f82eaf690dfeff83b0fb80ba7b20240d53e42811edd7f4a9

data/bin/kubeautoanalyzer

@@ -12,21 +12,23 @@
   options.token = ''
   options.token_file = ''
   options.config_file = false
-  options.agent_file_checks = false
-  options.agent_process_checks = false
+  options.agent_checks = false
+  
 
   opts = OptionParser.new do |opts|
     opts.banner = "Kubernetes Auto Analyzer #{KubeAutoAnalyzer::VERSION}"
 
-    opts.on("-s", "--server [SERVER]", "Target Server") do |serv|
-      options.target_server = serv
-    end
+
 
     #TODO: Need options for different authentication mechanisms      
     opts.on("-c", "--config [CONFIG]", "kubeconfig file to load") do |file|
       options.config_file = file
     end
 
+    opts.on("-s", "--server [SERVER]", "Target Server") do |serv|
+      options.target_server = serv
+    end
+
     opts.on("-t", "--token [TOKEN]", "Bearer Token to Use") do |token|
       options.token = token
     end
@@ -43,12 +45,8 @@
       options.report_directory = rep
     end
 
-    opts.on("--fileChecks","Carry out File permission Checks (expermimental)") do |fc|
-      options.agent_file_checks = true
-    end
-
-    opts.on("--processChecks","Carry out agent based process Checks (expermimental)") do |fc|
-      options.agent_process_checks = true
+    opts.on("--agentChecks","Carry out Agent Based Checks ") do |fc|
+      options.agent_checks = true
     end
 
     opts.on("-h", "--help", "-?", "--?", "Get Help") do |help|

data/lib/kube_auto_analyzer/agent_checks/file_checks.rb

@@ -29,20 +29,20 @@ module KubeAutoAnalyzer
       pod.spec.containers[0].volumeMounts = [{mountPath: '/etc', name: 'etck8s'}]
       pod.spec.containers[0].args = ["/file-checker.rb","/etc/kubernetes"]
       pod.spec.nodeselector = {}
-      pod.spec.nodeselector['kubernetes.io/hostname'] = node_hostname
-      @client.create_pod(pod)
       begin
-        sleep(5) until @client.get_pod(container_name,"default")['status']['containerStatuses'][0]['state']['terminated']['reason'] == "Completed"
-      rescue
-        retry
+        pod.spec.nodeselector['kubernetes.io/hostname'] = node_hostname
+        @client.create_pod(pod)
+        begin
+          sleep(5) until @client.get_pod(container_name,"default")['status']['containerStatuses'][0]['state']['terminated']['reason'] == "Completed"
+        rescue
+          retry
+        end
+        files = JSON.parse(@client.get_pod_log(container_name,"default"))
+      
+        @results[target]['worker_files'][node_hostname] = files
+      ensure
+        @client.delete_pod(container_name,"default")
       end
-      files = JSON.parse(@client.get_pod_log(container_name,"default"))
-      #files.each do |file|
-        #Need to replace the mounted path with the real host path
-      #  file[0].sub! "/hostetck8s", "/etc/kubernetes"
-      #end
-      @results[target]['worker_files'][node_hostname] = files
-      @client.delete_pod(container_name,"default")
 
     end
     @log.debug("Finished Worker File Check")

data/lib/kube_auto_analyzer/agent_checks/process_checks.rb

@@ -29,115 +29,125 @@ module KubeAutoAnalyzer
       pod.spec.hostPID = true
       pod.spec.nodeselector = {}
       pod.spec.nodeselector['kubernetes.io/hostname'] = node_hostname
-      @client.create_pod(pod)
       begin
-        sleep(5) until @client.get_pod(container_name,"default")['status']['containerStatuses'][0]['state']['terminated']['reason'] == "Completed"
-      rescue
-        retry
-      end
-      processes = JSON.parse(@client.get_pod_log(container_name,"default"))
-      #puts processes
-      kubelet_proc = ''
-      processes.each do |proc|
-        if proc =~ /kubelet/
-          kubelet_proc = proc
+        @client.create_pod(pod)
+        begin
+          sleep(5) until @client.get_pod(container_name,"default")['status']['containerStatuses'][0]['state']['terminated']['reason'] == "Completed"
+        rescue
+          retry
+        end
+        processes = JSON.parse(@client.get_pod_log(container_name,"default"))
+        #If we didn't get more than one process, we're probably not reading the host ones
+        #So either it's a bug or we don't have rights
+        if processes.length < 2
+          @log.debug("Process Check failed didn't get the node process list")
+          @results[target]['kubelet_checks'][node_hostname]['Kubelet Not Found'] = "Error - couldn't see host process list"
+          @client.delete_pod(container_name,"default")
+          return
+        end
+        #puts processes
+        kubelet_proc = ''
+        processes.each do |proc|
+          if proc =~ /kubelet/
+            kubelet_proc = proc
+          end
+        end
+        @results[target]['kubelet_checks'][node_hostname] = Hash.new
+        unless kubelet_proc.length > 1
+          @results[target]['kubelet_checks'][node_hostname]['Kubelet Not Found'] = "Error"
+          @log.debug(processes)
+          @client.delete_pod(container_name,"default")
+          return
         end
-      end
-      @results[target]['kubelet_checks'][node_hostname] = Hash.new
-      unless kubelet_proc.length > 1
-        @results[target]['kubelet_checks'][node_hostname]['Kubelet Not Found'] = "Error"
-        @log.debug(processes)
-        @client.delete_pod(container_name,"default")
-        return
-      end
 
-      @results[target]['node_evidence'][node_hostname] = Hash.new
-      @results[target]['node_evidence'][node_hostname]['kubelet'] = kubelet_proc
+        @results[target]['node_evidence'][node_hostname] = Hash.new
+        @results[target]['node_evidence'][node_hostname]['kubelet'] = kubelet_proc
 
 
-      
-      #Checks
-      unless kubelet_proc =~ /--allow-privileged=false/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.1 - Ensure that the --allow-privileged argument is set to false'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.1 - Ensure that the --allow-privileged argument is set to false'] = "Pass"
-      end
+        
+        #Checks
+        unless kubelet_proc =~ /--allow-privileged=false/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.1 - Ensure that the --allow-privileged argument is set to false'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.1 - Ensure that the --allow-privileged argument is set to false'] = "Pass"
+        end
 
-      unless kubelet_proc =~ /--anonymous-auth=false/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.2 - Ensure that the --anonymous-auth argument is set to false'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.2 - Ensure that the --anonymous-auth argument is set to false'] = "Pass"
-      end
+        unless kubelet_proc =~ /--anonymous-auth=false/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.2 - Ensure that the --anonymous-auth argument is set to false'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.2 - Ensure that the --anonymous-auth argument is set to false'] = "Pass"
+        end
 
-      if kubelet_proc =~ /--authorization-mode\S*AlwaysAllow/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.3 - Ensure that the --authorization-mode argument is not set to AlwaysAllow'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.3 - Ensure that the --authorization-mode argument is not set to AlwaysAllow'] = "Pass"
-      end
+        if kubelet_proc =~ /--authorization-mode\S*AlwaysAllow/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.3 - Ensure that the --authorization-mode argument is not set to AlwaysAllow'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.3 - Ensure that the --authorization-mode argument is not set to AlwaysAllow'] = "Pass"
+        end
 
-      unless kubelet_proc =~ /--client-ca-file/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.4 - Ensure that the --client-ca-file argument is set as appropriate'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.4 - Ensure that the --client-ca-file argument is set as appropriate'] = "Pass"
-      end
+        unless kubelet_proc =~ /--client-ca-file/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.4 - Ensure that the --client-ca-file argument is set as appropriate'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.4 - Ensure that the --client-ca-file argument is set as appropriate'] = "Pass"
+        end
 
-      unless kubelet_proc =~ /--read-only-port=0/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.5 - Ensure that the --read-only-port argument is set to 0'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.5 - Ensure that the --read-only-port argument is set to 0'] = "Pass"
-      end
+        unless kubelet_proc =~ /--read-only-port=0/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.5 - Ensure that the --read-only-port argument is set to 0'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.5 - Ensure that the --read-only-port argument is set to 0'] = "Pass"
+        end
 
-      if kubelet_proc =~ /--streaming-connection-idle-timeout=0/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0'] = "Pass"
-      end
+        if kubelet_proc =~ /--streaming-connection-idle-timeout=0/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0'] = "Pass"
+        end
 
-      unless kubelet_proc =~ /--protect-kernel-defaults=true/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true'] = "Pass"
-      end
+        unless kubelet_proc =~ /--protect-kernel-defaults=true/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true'] = "Pass"
+        end
 
-      if kubelet_proc =~ /--make-iptables-util-chains=false/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.8 - Ensure that the --make-iptables-util-chains argument is set to true'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.8 - Ensure that the --make-iptables-util-chains argument is set to true'] = "Pass"
-      end
+        if kubelet_proc =~ /--make-iptables-util-chains=false/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.8 - Ensure that the --make-iptables-util-chains argument is set to true'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.8 - Ensure that the --make-iptables-util-chains argument is set to true'] = "Pass"
+        end
 
-      unless kubelet_proc =~ /--keep-terminated-pod-volumes=false/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.9 - that the --keep-terminated-pod-volumes argument is set to false'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.9 - Ensure that the --keep-terminated-pod-volumes argument is set to false'] = "Pass"
-      end
+        unless kubelet_proc =~ /--keep-terminated-pod-volumes=false/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.9 - that the --keep-terminated-pod-volumes argument is set to false'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.9 - Ensure that the --keep-terminated-pod-volumes argument is set to false'] = "Pass"
+        end
 
-      if kubelet_proc =~ /--hostname-override/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.10 - Ensure that the --hostname-override argument is not set'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.10 - Ensure that the --hostname-override argument is not set'] = "Pass"
-      end      
+        if kubelet_proc =~ /--hostname-override/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.10 - Ensure that the --hostname-override argument is not set'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.10 - Ensure that the --hostname-override argument is not set'] = "Pass"
+        end      
 
-      unless kubelet_proc =~ /--event-qps=0/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.11 - Ensure that the --event-qps argument is set to 0'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.11 - Ensure that the --event-qps argument is set to 0'] = "Pass"
-      end
+        unless kubelet_proc =~ /--event-qps=0/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.11 - Ensure that the --event-qps argument is set to 0'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.11 - Ensure that the --event-qps argument is set to 0'] = "Pass"
+        end
 
-      unless (kubelet_proc =~ /--tls-cert-file/) && (kubelet_proc =~ /--tls-private-key-file/)
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.12 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.12 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate'] = "Pass"
-      end
+        unless (kubelet_proc =~ /--tls-cert-file/) && (kubelet_proc =~ /--tls-private-key-file/)
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.12 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.12 - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate'] = "Pass"
+        end
 
-      unless kubelet_proc =~ /--cadvisor-port=0/
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.13 - Ensure that the --cadvisor-port argument is set to 0'] = "Fail"
-      else
-        @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.13 - Ensure that the --cadvisor-port argument is set to 0'] = "Pass"
+        unless kubelet_proc =~ /--cadvisor-port=0/
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.13 - Ensure that the --cadvisor-port argument is set to 0'] = "Fail"
+        else
+          @results[target]['kubelet_checks'][node_hostname]['CIS 2.1.13 - Ensure that the --cadvisor-port argument is set to 0'] = "Pass"
+        end
+      #Need an ensure block here to make sure that the pod is deleted after its run  
+      ensure
+        @client.delete_pod(container_name,"default")
       end
 
-      #@results[target]['kubelet_checks'][node_hostname] = files
-      @client.delete_pod(container_name,"default")
-
     end
 
   end

data/lib/kube_auto_analyzer/reporting.rb

@@ -166,8 +166,8 @@ module KubeAutoAnalyzer
     end
     #Close the master Node Div
     @html_report_file.puts "</table></div>"
-    @html_report_file.puts '<br><br><div class="worker-node"><h2>Worker Node Results</h2>'
-    if @options.agent_process_checks
+    if @options.agent_checks
+      @html_report_file.puts '<br><br><div class="worker-node"><h2>Worker Node Results</h2>'
       @results[@options.target_server]['kubelet_checks'].each do |node, results|
         @html_report_file.puts "<br><b>#{node} Kubelet Checks</b>"
         @html_report_file.puts "<table><thead><tr><th>Check</th><th>result</th></tr></thead>"
@@ -194,7 +194,7 @@ module KubeAutoAnalyzer
     end
     #Close the Worker Node Div
     @html_report_file.puts '</div>'
-    if @options.agent_file_checks
+    if @options.agent_checks
       @html_report_file.puts '<br><h2>File Permissions</h2>'
       @results[@options.target_server]['worker_files'].each do |node, results|
         @html_report_file.puts "<br><b>#{node}</b><br>"
@@ -206,6 +206,81 @@ module KubeAutoAnalyzer
       end
     end
 
+    @html_report_file.puts '<br><h2>Vulnerability Checks</h2>'
+    @html_report_file.puts '<br><h3>External Unauthenticated Access to the Kubelet</h3>'
+    @html_report_file.puts "<table><thead><tr><th>Node IP Address</th><th>Result</th></thead>"
+    @results[@options.target_server]['vulns']['unauth_kubelet'].each do |node, result|
+      unless (result =~ /Forbidden/ || result =~ /Not Open/)
+        output = "Vulnerable"
+      else
+        output = result
+      end
+      @html_report_file.puts "<tr><td>#{node}</td><td>#{output}</td></tr>"
+    end
+    @html_report_file.puts "</table>"
+    if @options.agent_checks
+      @html_report_file.puts '<br><h3>Internal Unauthenticated Access to the Kubelet</h3>'
+      @html_report_file.puts "<table><thead><tr><th>Node IP Address</th><th>Result</th></thead>"
+      @results[@options.target_server]['vulns']['internal_kubelet'].each do |node, result|
+        unless (result =~ /Forbidden/ || result =~ /Not Open/)
+          output = "Vulnerable"
+        else
+          output = result
+        end
+        @html_report_file.puts "<tr><td>#{node}</td><td>#{output}</td></tr>"
+      end
+      @html_report_file.puts "</table>"
+    end
+
+    @html_report_file.puts '<br><h3>External Insecure API Port Exposed</h3>'
+    @html_report_file.puts "<table><thead><tr><th>Node IP Address</th><th>Result</th></thead>"
+    @results[@options.target_server]['vulns']['insecure_api_external'].each do |node, result|
+      unless (result =~ /Forbidden/ || result =~ /Not Open/)
+        output = "Vulnerable"
+      else
+        output = result
+      end
+      @html_report_file.puts "<tr><td>#{node}</td><td>#{output}</td></tr>"
+    end
+    @html_report_file.puts "</table>"
+    if @options.agent_checks
+      @html_report_file.puts '<br><h3>Internal Insecure API Port Exposed</h3>'
+      @html_report_file.puts "<table><thead><tr><th>Node IP Address</th><th>Result</th></thead>"
+      @results[@options.target_server]['vulns']['insecure_api_internal'].each do |node, result|
+        unless (result =~ /Forbidden/ || result =~ /Not Open/)
+          output = "Vulnerable"
+        else
+          output = result
+        end
+        @html_report_file.puts "<tr><td>#{node}</td><td>#{output}</td></tr>"
+      end
+      @html_report_file.puts "</table>"
+    end
+
+
+
+    @html_report_file.puts "<br><br><h2>Vulnerability Evidence</h2><br>"
+    @html_report_file.puts "<table><thead><tr><th>Vulnerability</th><th>Host</th><th>Output</th></tr></thead>"
+    @results[@options.target_server]['vulns']['unauth_kubelet'].each do |node, result|
+      @html_report_file.puts "<tr><td>External Unauthenticated Kubelet Access</td><td>#{node}</td><td>#{result}</td></tr>"   
+    end
+    if @options.agent_checks
+      @results[@options.target_server]['vulns']['internal_kubelet'].each do |node, result|
+        @html_report_file.puts "<tr><td>Internal Unauthenticated Kubelet Access</td><td>#{node}</td><td>#{result}</td></tr>"   
+      end
+    end
+    @results[@options.target_server]['vulns']['insecure_api_external'].each do |node, result|
+      @html_report_file.puts "<tr><td>External Insecure API Server Access</td><td>#{node}</td><td>#{result}</td></tr>"   
+    end
+    if @options.agent_checks
+      @results[@options.target_server]['vulns']['insecure_api_internal'].each do |node, result|
+        @html_report_file.puts "<tr><td>Internal Insecure API Server Access</td><td>#{node}</td><td>#{result}</td></tr>"   
+      end
+    end
+    @html_report_file.puts "</table>"
+
+
+    #Closing the report off
     @html_report_file.puts '</body></html>'
   end
 end

data/lib/kube_auto_analyzer/utility/network.rb

@@ -0,0 +1,15 @@
+module KubeAutoAnalyzer
+require 'socket'
+
+def self.is_port_open?(ip, port)
+  begin
+    Socket.tcp(ip, port, connect_timeout: 2)
+  rescue Errno::ECONNREFUSED
+    return false
+  rescue Errno::ETIMEDOUT
+    return false
+  end
+  true
+end
+
+end

data/lib/kube_auto_analyzer/version.rb

@@ -1,3 +1,3 @@
 module KubeAutoAnalyzer
-  VERSION = "0.0.1"
+  VERSION = "0.0.2"
 end

data/lib/kube_auto_analyzer/vuln_checks/api_server.rb

@@ -0,0 +1,69 @@
+module KubeAutoAnalyzer
+
+  def self.test_insecure_api_external
+    @log.debug("Doing the external Insecure API check")
+    target = @options.target_server
+    unless @results[target]['vulns']
+      @results[target]['vulns'] = Hash.new
+    end
+    @results[target]['vulns']['insecure_api_external'] = Hash.new
+    #Check for whether the Insecure API port is visible outside the cluster
+    nodes = Array.new
+    @client.get_nodes.each do |node|
+      nodes << node['status']['addresses'][0]['address']
+    end
+    nodes.each do |nod|
+      if is_port_open?(nod, 8080)
+        begin
+          pods_resp = RestClient::Request.execute(:url => "http://#{nod}:8080/api",:method => :get)
+        rescue RestClient::Forbidden
+          pods_resp = "Not Vulnerable - Request Forbidden"
+        end
+        @results[target]['vulns']['insecure_api_external'][nod] = pods_resp
+      else
+        @results[target]['vulns']['insecure_api_external'][nod] = "Not Vulnerable - Port Not Open"
+      end
+    end
+  end
+
+  #This is somewhat awkward placement.  Deployment mechanism sits more with the agent checks
+  #But from a "what it's looking for" perspective, as a weakness in API Server, it makes more sense here.
+  def self.test_insecure_api_internal
+    require 'json'
+
+    @log.debug("Doing the internal Insecure API Server check")
+    target = @options.target_server
+    @results[target]['vulns']['insecure_api_internal'] = Hash.new
+    nodes = Array.new
+    @client.get_nodes.each do |node|
+      nodes << node['status']['addresses'][0]['address']
+    end
+    container_name = "kaainsecureapitest"
+    pod = Kubeclient::Resource.new
+    pod.metadata = {}
+    pod.metadata.name = container_name
+    pod.metadata.namespace = "default"
+    pod.spec = {}
+    pod.spec.restartPolicy = "Never"
+    pod.spec.containers = {}
+    pod.spec.containers = [{name: "kubeautoanalyzerapitest", image: "raesene/kaa-agent:latest"}]
+    pod.spec.containers[0].args = ["/api-server-checker.rb",nodes.join(',')]
+    begin
+      @log.debug("About to start API Server check pod")
+      @client.create_pod(pod)
+      @log.debug("Executed the create pod")
+      begin
+        sleep(5) until @client.get_pod(container_name,"default")['status']['containerStatuses'][0]['state']['terminated']['reason'] == "Completed"
+      rescue
+        retry
+      end
+      @log.debug ("started Kube API Check pod")
+      results = JSON.parse(@client.get_pod_log(container_name,"default"))
+      results.each do |node, results|
+        @results[target]['vulns']['insecure_api_internal'][node] = results
+      end
+    ensure
+      @client.delete_pod(container_name,"default")
+    end
+  end
+end

data/lib/kube_auto_analyzer/vuln_checks/kubelet.rb

@@ -0,0 +1,69 @@
+module KubeAutoAnalyzer
+
+  def self.test_unauth_kubelet_external
+    @log.debug("Doing the external kubelet check")
+    target = @options.target_server
+    unless @results[target]['vulns']
+      @results[target]['vulns'] = Hash.new
+    end
+    @results[target]['vulns']['unauth_kubelet'] = Hash.new
+    #Check for whether the Kubelet port is visible outside the cluster
+    nodes = Array.new
+    @client.get_nodes.each do |node|
+      nodes << node['status']['addresses'][0]['address']
+    end
+    nodes.each do |nod|
+      if is_port_open?(nod, 10250)
+        begin
+          pods_resp = RestClient::Request.execute(:url => "https://#{nod}:10250/runningpods",:method => :get, :verify_ssl => false)
+        rescue RestClient::Forbidden
+          pods_resp = "Not Vulnerable - Request Forbidden"
+        end
+        @results[target]['vulns']['unauth_kubelet'][nod] = pods_resp
+      else
+        @results[target]['vulns']['unauth_kubelet'][nod] = "Not Vulnerable - Port Not Open"
+      end
+    end
+  end
+
+  #This is somewhat awkward placement.  Deployment mechanism sits more with the agent checks
+  #But from a "what it's looking for" perspective, as a weakness in Kubelet, it makes more sense here.
+  def self.test_unauth_kubelet_internal
+    require 'json'
+
+    @log.debug("Doing the internal kubelet check")
+    target = @options.target_server
+    @results[target]['vulns']['internal_kubelet'] = Hash.new
+    nodes = Array.new
+    @client.get_nodes.each do |node|
+      nodes << node['status']['addresses'][0]['address']
+    end
+    container_name = "kaakubeletunauthtest"
+    pod = Kubeclient::Resource.new
+    pod.metadata = {}
+    pod.metadata.name = container_name
+    pod.metadata.namespace = "default"
+    pod.spec = {}
+    pod.spec.restartPolicy = "Never"
+    pod.spec.containers = {}
+    pod.spec.containers = [{name: "kubeautoanalyzerkubelettest", image: "raesene/kaa-agent:latest"}]
+    pod.spec.containers[0].args = ["/kubelet-checker.rb",nodes.join(',')]
+    begin
+      @log.debug("About to start Kubelet check pod")
+      @client.create_pod(pod)
+      @log.debug("Executed the create pod")
+      begin
+        sleep(5) until @client.get_pod(container_name,"default")['status']['containerStatuses'][0]['state']['terminated']['reason'] == "Completed"
+      rescue
+        retry
+      end
+      @log.debug ("started Kubelet Check pod")
+      results = JSON.parse(@client.get_pod_log(container_name,"default"))
+      results.each do |node, results|
+        @results[target]['vulns']['internal_kubelet'][node] = results
+      end
+    ensure
+      @client.delete_pod(container_name,"default")
+    end
+  end
+end

data/lib/kube_auto_analyzer.rb

@@ -5,6 +5,9 @@ module KubeAutoAnalyzer
   require "kube_auto_analyzer/reporting"
   require "kube_auto_analyzer/agent_checks/file_checks"
   require "kube_auto_analyzer/agent_checks/process_checks"
+  require "kube_auto_analyzer/vuln_checks/kubelet"
+  require "kube_auto_analyzer/vuln_checks/api_server"
+  require "kube_auto_analyzer/utility/network"
   
 
   def self.execute(commmand_line_opts)
@@ -64,27 +67,32 @@ module KubeAutoAnalyzer
       )
       #We didn't specify the target on the command line so lets get it from the config file
       @options.target_server = config.context.api_endpoint
+      @log.debug("target is " + @options.target_server)
       @results[config.context.api_endpoint] = Hash.new
     end
     #Test response
     begin
       @client.get_pods.to_s
     rescue
-      puts "whoops that didn't go well"
+      puts "Check of API connection failed."
+      puts "try using kubectl with the same connection details"
+      puts "to see what's going wrong."
       exit
     end
     test_api_server
     test_scheduler
     test_controller_manager
     test_etcd
-    if @options.agent_file_checks
+    test_unauth_kubelet_external
+    test_insecure_api_external
+    if @options.agent_checks
+      test_unauth_kubelet_internal
+      test_insecure_api_internal
       check_files
-    end
-    if @options.agent_process_checks
       check_kubelet_process
     end
-
-    report
     html_report
   end
+
+
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kube_auto_analyzer
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Rory McCune
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-19 00:00:00.000000000 Z
+date: 2017-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -70,7 +70,10 @@ files:
 - lib/kube_auto_analyzer/api_checks/master_node.rb
 - lib/kube_auto_analyzer/data-logo.b64
 - lib/kube_auto_analyzer/reporting.rb
+- lib/kube_auto_analyzer/utility/network.rb
 - lib/kube_auto_analyzer/version.rb
+- lib/kube_auto_analyzer/vuln_checks/api_server.rb
+- lib/kube_auto_analyzer/vuln_checks/kubelet.rb
 homepage: https://github.com/nccgroup/kube-auto-analyzer
 licenses:
 - AGPL