A Blazing fast Security Auditing tool for Kubernetes

Related tags

DevOps Toolsdockerkubernetesawssecuritysecurity-auditautomationazurecontainersgcpgkeinfosecsecurity-toolsakseksinformationsecurity
Overview


A Blazing fast Security Auditing tool for kubernetes!!

Python Dependencies Contributions welcome GitHub Issues Release Stars Badge Last Commit Date Hits Maintenance made-with-python License

Basic Overview

Kubestriker performs numerous in depth checks on kubernetes infra to identify the security misconfigurations and challenges that devops engineers/developers are likely to encounter when using Kubernetes, especially in production and at scale.

kubestriker is Platform agnostic and works equally well across more than one platform such as self hosted kubernetes, Amazon EKS, Azure AKS, Google GKE etc.

Table of content

How To Install

Clone the repo and install

To install this tool or clone and run this application, you'll need Git, python3 and pip installed on your computer. It is advised you install this tool in virtual environment

From your command line:

# Create python virtual environment
$ python3 -m venv env

# Activate python virtual environment
$ source env/bin/activate

# Clone this repository
$ git clone https://github.com/vchinnipilli/kubestriker.git

# Go into the repository
$ cd kubestriker

# Install dependencies
$ pip install -r requirements.txt

# Incase of prompt toolkit or selectmenu errors
$ pip install prompt-toolkit==1.0.15 
$ pip install -r requirements.txt

# Gearing up Kubestriker
$ python -m kubestriker

# Result will be generated in the current working directory with the name of the target

Install using pip

To install and run this application, you'll need pip installed on your computer. From your command line:

# Create python virtual environment
$ python3 -m venv env

# Activate python virtual environment
$ source env/bin/activate

# Install using pip
$ pip install kubestriker

# Incase of prompt toolkit or selectmenu errors
$ pip install prompt-toolkit==1.0.15 
$ pip install kubestriker

# Gearing up Kubestriker
$ python -m kubestriker

# Result will be generated in the current working directory with the name of the target

How to spin up kubestriker container

Use this link to view the Kubestriker container latest releases

# Spinning up the kubestriker Container
$ docker run -it --rm -v /Users/vasantchinnipilli/.kube/config:/root/.kube/config -v "$(pwd)":/kubestriker --name kubestriker cloudsecguy/kubestriker:v1.0.0

# Replace the user vasantchinnipilli above with your username or absolute path of kube config file
$ docker run -it --rm -v /Users/<yourusername>/.kube/config:/root/.kube/config -v "$(pwd)":/kubestriker --name kubestriker cloudsecguy/kubestriker:v1.0.0

# Gearing up Kubestriker
$ python -m kubestriker

# Result will be generated in the current working directory with the name of the target

Types of Scans

Authenticated scans

Authenticated scan expects the user to have atleast read-only privileges and provide a token during the scan. please use the below provided links to create read-only users

Create read-only user for Amazon eks
Create read-only user for Azure aks
Create read-only user for Google gke
Create a subject using Role based access control

# To grab a token from eks cluster
$ aws eks get-token --cluster-name cluster-name --region ap-southeast-2

# To grab a token from aks cluster
$ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

# To grab a token from gke cluster
$ gcloud container clusters get-credentials CLUSTER_NAME --zone=COMPUTE_ZONE

# To grab a token from service account
$ kubectl -n namespace get secret serviceaccount-token -o jsonpath='{.data.token}'

# To grab a token from a pod directly or via command execution bug
$ cat /run/secrets/kubernetes.io/serviceaccount/token

Unauthenticated scans

Unauthenticated scan will be successful incase of anonymous access is permitted on the target cluster

Identifying an open Insecure port on kubernetes master node

Identifying a worker Node with kubelet readwrite and readonly ports open

Current Capabilities

  • Scans Self Managed and cloud provider managed kubernetes infra
  • Reconnaissance phase checks for various services or open ports
  • Performs automated scans incase of insecure, readwrite or readonly services are enabled
  • Performs both authenticated scans and unauthenticated scans
  • Scans for wide range of IAM Misconfigurations in the cluster
  • Scans for wide range of Misconfigured containers
  • Scans for wide range of Misconfigured Pod Security Policies
  • Scans for wide range of Misconfigured Network policies
  • Scans the privileges of a subject in the cluster
  • Run commands on the containers and streams back the output
  • Provides the endpoints of the misconfigured services
  • Provides possible privilege escalation details
  • Elaborative report with detailed explanation

Future improvements

  • Automated exploitation based on the issues identified
  • api and cicd automation friendly
  • A Decent FrontEnd to make the lives easier

Suggestions

Kubestriker is an opensource and emailware. Meaning, if you liked using this tool or it has helped you in any way or if you have any suggestions/improvements, I'd like you send me an email at [email protected] about anything you'd want to say about this tool. I'd really appreciate it!

Contributors

Statistics

License

Apache License

Support

vasant chinnipilli builds and maintains kubestriker to audit and secure kubernetes infrastructure.

Start with Documentation - will be available soon for quick tutorials and examples.

If you need direct support you can contact me at [email protected].

Find me here!!

cloudsecguy.dev Linkedin Badge Instagram Badge Medium Badge Gmail Badge

Comments
  • Doesn't work with my kubeconfig file.

    Doesn't work with my kubeconfig file. 

    apiVersion: v1
kind: Config
clusters:
- name: "xxxx-cluster7"
  cluster:
    server: "https://xxxxx.com/k8s/clusters/c-hkpbf"

users:
- name: "xxxx-cluster7"
  user:
    token: "kubeconfig-user-swrnv:*******************************************************"


contexts:
- name: "xxxx-cluster7"
  context:
    user: "xxxx-cluster7"
    cluster: "xxxx-cluster7"

current-context: "xxxx-cluster7"

    After selecting option 2 (configfile) -> default, it gives me HTTPS URL to select and then it fails. saying input is not valid.

    opened by anjuls 6
  • authenticated scan fails - invalid token

    authenticated scan fails - invalid token

    Hi Not sure what's wrong here. I created a serviceaccount ro:

    apiVersion: v1
kind: ServiceAccount
metadata:
  name: serviceaccountro

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: serviceaccountro
rules:
  - apiGroups: [""]
    resources:
      - configmaps
      - secrets
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs: ["list", "watch"]
  - apiGroups: ["extensions"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - ingresses
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - statefulsets
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling.k8s.io"]
    resources:
      - verticalpodautoscalers
    verbs: ["list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: serviceaccountro
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: serviceaccountro
subjects:
- kind: ServiceAccount
  name: serviceaccountro
  namespace: default

    Not sure if the token has be encrypted or not ... but I tried both, without success:

    Provide token :
 -----------------------------------------------
< Could not autheticate with the provided token >
 -----------------------------------------------
          \  ^__^
           \ (oo)\________
             (__)\        )\/\
                  ||----W |
                  ||     ||

    Any tips for a self-hosted K8S cluster? Thanks

    opened by strus38 3
  • Reports duplicates and IPs in default config

    Reports duplicates and IPs in default config

    Choose one of the below url: (Use arrow keys)

    https://kubernetes.docker.internal:6443 https://10.213.11.210 https://10.213.11.226 https://10.213.13.210 https://10.213.15.146 https://10.213.13.146 https://192.168.13.210 https://192.168.15.210 https://192.168.17.210 https://192.168.13.210 https://192.168.11.210 https://192.168.13.210 https://192.168.15.210 https://192.168.17.210 https://192.168.15.210 https://192.168.11.210 https://10.214.7.226 https://10.214.7.210 https://10.214.33.146 https://10.212.22.18 https://192.168.11.146 https://192.168.11.146 https://10.212.221.242

    Looks like there are duplicates above? And also should be cluster names instead of IPs?

    opened by pankajmt 3
  • Docker

    Docker "Provide token : " input

    Hello!

    I am trying to run an authenticated scan using the docker image v1.0.0. It discovers ok based on the kubeconfig but when I get to the prompt that reads Provide token : I can't enter anything. I am trying to paste in a token. Can't type anything either. It does say choose one of the below options (use arrow keys) but it falls right through to the prompt. Am I doing it wrong?

    Thank you

    opened by geragcp 2
  • PyYAML < 5.4 (CVE-2020-14343)

    PyYAML < 5.4 (CVE-2020-14343)

    There is an issue with PyYAML 5.4 fixes CVE-2020-14343, see https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES

    https://github.com/vchinnipilli/kubestriker/blob/80051038c07b883dff2584f1eee6c45446f4249f/requirements.txt#L8

    see also #14

    opened by fabaff 2
  • Release pinning

    Release pinning

    In the requirements.txt file are the dependencies pinned to specific releases. This is in issue for package maintainers as distributions usually ship later releases or at least different releases.

    Any change that you could soften the version constrains?

    opened by fabaff 2
  • Install issue

    Install issue

    Novice in Python and its ecosystem

    pip install -r requirements.txt Collecting colorama==0.4.4 (from -r requirements.txt (line 1)) Downloading https://files.pythonhosted.org/packages/44/98/5b86278fbbf250d239ae0ecb724f8572af1c91f4a11edf4d36a206189440/colorama-0.4.4-py2.py3-none-any.whl Collecting colored==1.4.2 (from -r requirements.txt (line 2)) Downloading https://files.pythonhosted.org/packages/b2/16/04827e24c14266d9161bd86bad50069fea453fa006c3d2b31da39251184a/colored-1.4.2.tar.gz (56kB) |████████████████████████████████| 61kB 4.0MB/s Collecting figlet==0.0.1 (from -r requirements.txt (line 3)) Downloading https://files.pythonhosted.org/packages/cc/43/b0773f2deb50509b572206256069b2e0bb2babf406b39a116b1dc29e002d/figlet-0.0.1-py3-none-any.whl Collecting progress==1.5 (from -r requirements.txt (line 4)) Downloading https://files.pythonhosted.org/packages/38/ef/2e887b3d2b248916fc2121889ce68af8a16aaddbe82f9ae6533c24ff0d2b/progress-1.5.tar.gz Collecting prompt-toolkit==1.0.15 (from -r requirements.txt (line 5)) Downloading https://files.pythonhosted.org/packages/04/d1/c6616dd03701e7e2073f06d5c3b41b012256e42b72561f16a7bd86dd7b43/prompt_toolkit-1.0.15-py3-none-any.whl (247kB) |████████████████████████████████| 256kB 5.8MB/s Collecting SelectMenu (from -r requirements.txt (line 6)) Downloading https://files.pythonhosted.org/packages/cd/b9/8078a7f34c5b877e7fa26e5c5c5f62cbc765d44c949dd672a29aef62089a/SelectMenu-1.0.0b2.tar.gz ERROR: Command errored out with exit status 1: command: /Users/ptolani/greaterbank/infosec/kubestrike/env/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/setup.py'"'"'; file='"'"'/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base pip-egg-info cwd: /private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/ Complete output (9 lines): Traceback (most recent call last): File "", line 1, in File "/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/setup.py", line 5, in from selectmenu import author, version File "/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/selectmenu/init.py", line 4, in from selectmenu.core import SelectMenu File "/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/selectmenu/core.py", line 6, in from prompt_toolkit.token import Token ModuleNotFoundError: No module named 'prompt_toolkit' ---------------------------------------- ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.

    opened by pankajmt 2
  • Unable to access the web-ui

    Unable to access the web-ui

    Hello @vasantchinnipilli!

    I've installed the kubestriker in EKS using the yaml files as documented here: https://www.kubestriker.io/-deploying-kubestriker

    I have edited the ingress resource within the web-app.yaml to have a host path so that I can have a domain name to access the UI.

    apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubestriker-ui-ingress
  namespace: kubestriker
  annotations:
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, PUT, POST, DELETE, PATCH, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-origin: "*"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
spec:
  rules:
  - host: kubestriker.eks.sandbox.ap2.<company domain>
    http:
      paths:
      - path: /
        backend:
          serviceName: python-svc
          servicePort: 8080

    I have a Route53 endpoint for *.eks.sandbox.ap2.. I have other deployments like Falco, Kiali etc which I have been accessing in the similar manner.

    I have edited the API_URL environment variable in the web-app.yaml with the endpoint of the ELB and also the hostname of kubestriker.eks.sandbox.ap2. but I get the following error.

    image

    and the logs in the kubestriker-python pod is this:

    [26/May/2021 23:54:11] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:54:40] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:55:04] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:55:05] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:55:06] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:56:28] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:57:59] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:58:00] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:58:01] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:58:03] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:58:05] "GET / HTTP/1.1" 404 2070

    Can you please suggest on what should I be doing different?

    opened by ghost 0
  • Could not authenticate with the provided token

    Could not authenticate with the provided token

    Hello Vasant,

    I got a fresh valid token but it fails to authenticate: <Response [401]>

    it succeeded only once and every other attempt failed. Do you know what could be the cause?

    Thanks, Dmitry

    opened by dgolovin-deloitte 0
  • Unable to build due to dependencies error

    Unable to build due to dependencies error

    When applying the procedure described by the Install procedure, the execution of the pip install -r requirements.txt does not completes due to errors with missing figlet dependency. Apparently figlet is not present anymore in PyPy repo....

    This error is preventing me to complete the installation. This issue has been verified on different linux runtimes with updated python3 and pip environments.

    Follows transcript of failed command.

    ─$ pip install -r requirements.txt Collecting colorama==0.4.4 Using cached colorama-0.4.4-py2.py3-none-any.whl (16 kB) Collecting colored==1.4.2 Using cached colored-1.4.2.tar.gz (56 kB) Preparing metadata (setup.py) ... done ERROR: Could not find a version that satisfies the requirement figlet==0.0.1 (from versions: none)
    ERROR: No matching distribution found for figlet==0.0.1

    opened by ibox0 0
  • Specify port for KubeServer

    Specify port for KubeServer

    Right now, it looks like it's simply scanning 3 ports:

    ports = [443, 6443, 8443]

    In my case, I have the API on a random higher level IP (microk8s default install chooses a port at random). There doesn't appear to be anyway I can have it ignore the 443 it finds (Which is simply an nginx server), and use the one I specify.

    opened by danbopes 0
  • Misconfiguration in curl query strings

    Misconfiguration in curl query strings

    Hi, Firstly, awesome project!

    1. I can't seem to find FE and BE endpoint codes. Are they open sourced too? I am currently pulling from the docker container.
    2. As you can see the image, there is no token= appended. Thus, token is not working. I've manually sent a curl with = and its working. image

    Basically this happens when you are adding a Generic k8s cluster from FE ^. Should be an easy fix.

    opened by kutysam 0
  • prompt_toolkit why stuck on very old version

    prompt_toolkit why stuck on very old version

    prompt toolkit is now in version 3.X branch and this project still forces installation of a older 1.X version. Unless people use venv this breaks other tools. Why stick with older version of dependecy and not move to new one.

    https://python-prompt-toolkit.readthedocs.io/en/master/pages/upgrading/2.0.html

    Any specific reason why sticking to older version here.

    opened by anantshri 1
Releases(v1.2.0)
Owner
Vasant Chinnipilli
Vasant Chinnipilli
GitHub Repository https://github.com/vchinnipilli/kubestriker
Oncall is a calendar tool designed for scheduling and managing on-call shifts. It can be used as source of dynamic ownership info for paging systems like http://iris.claims.

Oncall See admin docs for information on how to run and manage Oncall. Development setup Prerequisites Debian/Ubuntu - sudo apt-get install libsasl2-d

LinkedIn 928 Dec 22, 2022
Chartreuse: Automated Alembic migrations within kubernetes

Chartreuse: Automated Alembic SQL schema migrations within kubernetes "How to automate management of Alembic database schema migration at scale using

Wiremind 8 Oct 25, 2022
A Python library for the Docker Engine API

Docker SDK for Python A Python library for the Docker Engine API. It lets you do anything the docker command does, but from within Python apps – run c

Docker 6.1k Dec 31, 2022
Big data on k8s

# microsoft azure # https://docs.microsoft.com/en-us/cli/azure/install-azure-cli az account set --subscription [] az aks get-credentials --resource-g

Luan Moreno 22 Dec 24, 2022
Kubediff: a tool for Kubernetes to show differences between running state and version controlled configuration.

Kubediff: a tool for Kubernetes to show differences between running state and version controlled configuration.

Weaveworks 1.1k Dec 30, 2022
Get Response Of Container Deployment Kube with python

get-response-of-container-deployment-kube 概要 get-response-of-container-deployment-kube は、例えばエッジコンピューティング環境のコンテナデプロイメントシステムにおいて、デプロイ元の端末がデプロイ先のコンテナデプロイ

Latona, Inc. 3 Nov 05, 2021
Self-hosted, easily-deployable monitoring and alerts service - like a lightweight PagerDuty

Cabot Maintainers wanted Cabot is stable and used by hundreds of companies and individuals in production, but it is not actively maintained. We would

Arachnys 5.4k Dec 23, 2022
Phonebook application to manage phone numbers

PhoneBook Phonebook application to manage phone numbers. How to Use run main.py python file. python3 main.py Links Download Source Code: Click Here M

Mohammad Dori 3 Jul 15, 2022
Nagios status monitor for your desktop.

Nagstamon Nagstamon is a status monitor for the desktop. It connects to multiple Nagios, Icinga, Opsview, Centreon, Op5 Monitor/Ninja, Checkmk Multisi

Henri Wahl 361 Jan 05, 2023
Emissary - open source Kubernetes-native API gateway for microservices built on the Envoy Proxy

Emissary-ingress Emissary-Ingress is an open-source Kubernetes-native API Gateway + Layer 7 load balancer + Kubernetes Ingress built on Envoy Proxy. E

Emissary Ingress 4k Dec 31, 2022
Daemon to ban hosts that cause multiple authentication errors

__ _ _ ___ _ / _|__ _(_) |_ ) |__ __ _ _ _ | _/ _` | | |/ /| '_ \/ _` | ' \

Fail2Ban 7.8k Jan 09, 2023
A cron monitoring tool written in Python & Django

Healthchecks Healthchecks is a cron job monitoring service. It listens for HTTP requests and email messages ("pings") from your cron jobs and schedule

Healthchecks 5.8k Jan 02, 2023
SSH tunnels to remote server.

Author: Pahaz Repo: https://github.com/pahaz/sshtunnel/ Inspired by https://github.com/jmagnusson/bgtunnel, which doesn't work on Windows. See also: h

Pavel White 1k Dec 28, 2022
Python IMDB Docker - A docker tutorial to containerize a python script.

Python_IMDB_Docker A docker tutorial to containerize a python script. Build the docker in the current directory: docker build -t python-imdb . Run the

Sarthak Babbar 1 Dec 30, 2021
Deploy a simple Multi-Node Clickhouse Cluster with docker-compose in minutes.

Simple Multi Node Clickhouse Cluster I hate those single-node clickhouse clusters and manually installation, I mean, why should we: Running multiple c

Nova Kwok 11 Nov 18, 2022
Bitnami Docker Image for Python using snapshots for the system packages repositories

Python Snapshot packaged by Bitnami What is Python Snapshot? Python is a programming language that lets you work quickly and integrate systems more ef

Bitnami 1 Jan 13, 2022
Kube kombu - Running kombu consumers with support of liveness probe for kubernetes

Setup and Running Kombu consumers Steps: Install python 3.9 or greater on your s

Anmol Porwal 5 Dec 10, 2022
GitGoat enables DevOps and Engineering teams to test security products intending to integrate with GitHub

GitGoat is an open source tool that was built to enable DevOps and Engineering teams to design and implement a sustainable misconfiguration prevention strategy. It can be used to test with products w

Arnica 149 Dec 22, 2022
DAMPP (gui) is a Python based program to run simple webservers using MySQL, Php, Apache and PhpMyAdmin inside of Docker containers.

DAMPP (gui) is a Python based program to run simple webservers using MySQL, Php, Apache and PhpMyAdmin inside of Docker containers.

Sehan Weerasekara 1 Feb 19, 2022
Official Python client library for kubernetes

Kubernetes Python Client Python client for the kubernetes API. Installation From source: git clone --recursive https://github.com/kubernetes-client/py

Kubernetes Clients 5.4k Jan 02, 2023