vchinnipilli / kubestriker Goto Github PK
View Code? Open in Web Editor NEWA Blazing fast Security Auditing tool for Kubernetes
Home Page: https://github.com/vchinnipilli/kubestriker
License: Apache License 2.0
A Blazing fast Security Auditing tool for Kubernetes
Home Page: https://github.com/vchinnipilli/kubestriker
License: Apache License 2.0
I have been advised to provide output in json format too
Feature request
Include common TLS certificate vulnerabilities and mis-configurations...
Poor strength ciphers etc...
Wildcard certificates...
POODLE etc...
apiVersion: v1
kind: Config
clusters:
- name: "xxxx-cluster7"
cluster:
server: "https://xxxxx.com/k8s/clusters/c-hkpbf"
users:
- name: "xxxx-cluster7"
user:
token: "kubeconfig-user-swrnv:*******************************************************"
contexts:
- name: "xxxx-cluster7"
context:
user: "xxxx-cluster7"
cluster: "xxxx-cluster7"
current-context: "xxxx-cluster7"
After selecting option 2 (configfile) -> default, it gives me HTTPS URL to select and then it fails. saying input is not valid.
Hi,
Error: settings.DATABASES is improperly configured. Please supply the ENGINE value. Check settings documentation for more details.
Hi
Not sure what's wrong here.
I created a serviceaccount ro:
apiVersion: v1
kind: ServiceAccount
metadata:
name: serviceaccountro
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: serviceaccountro
rules:
- apiGroups: [""]
resources:
- configmaps
- secrets
- nodes
- pods
- services
- resourcequotas
- replicationcontrollers
- limitranges
- persistentvolumeclaims
- persistentvolumes
- namespaces
- endpoints
verbs: ["list", "watch"]
- apiGroups: ["extensions"]
resources:
- daemonsets
- deployments
- replicasets
- ingresses
verbs: ["list", "watch"]
- apiGroups: ["apps"]
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs: ["list", "watch"]
- apiGroups: ["batch"]
resources:
- cronjobs
- jobs
verbs: ["list", "watch"]
- apiGroups: ["autoscaling"]
resources:
- horizontalpodautoscalers
verbs: ["list", "watch"]
- apiGroups: ["policy"]
resources:
- poddisruptionbudgets
verbs: ["list", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- certificatesigningrequests
verbs: ["list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources:
- storageclasses
verbs: ["list", "watch"]
- apiGroups: ["autoscaling"]
resources:
- horizontalpodautoscalers
verbs: ["list", "watch"]
- apiGroups: ["policy"]
resources:
- poddisruptionbudgets
verbs: ["list", "watch"]
- apiGroups: ["certificates.k8s.io"]
resources:
- certificatesigningrequests
verbs: ["list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources:
- storageclasses
verbs: ["list", "watch"]
- apiGroups: ["autoscaling.k8s.io"]
resources:
- verticalpodautoscalers
verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: serviceaccountro
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: serviceaccountro
subjects:
- kind: ServiceAccount
name: serviceaccountro
namespace: default
Not sure if the token has be encrypted or not ... but I tried both, without success:
Provide token :
-----------------------------------------------
< Could not autheticate with the provided token >
-----------------------------------------------
\ ^__^
\ (oo)\________
(__)\ )\/\
||----W |
|| ||
Any tips for a self-hosted K8S cluster?
Thanks
Novice in Python and its ecosystem
pip install -r requirements.txt
Collecting colorama==0.4.4 (from -r requirements.txt (line 1))
Downloading https://files.pythonhosted.org/packages/44/98/5b86278fbbf250d239ae0ecb724f8572af1c91f4a11edf4d36a206189440/colorama-0.4.4-py2.py3-none-any.whl
Collecting colored==1.4.2 (from -r requirements.txt (line 2))
Downloading https://files.pythonhosted.org/packages/b2/16/04827e24c14266d9161bd86bad50069fea453fa006c3d2b31da39251184a/colored-1.4.2.tar.gz (56kB)
|████████████████████████████████| 61kB 4.0MB/s
Collecting figlet==0.0.1 (from -r requirements.txt (line 3))
Downloading https://files.pythonhosted.org/packages/cc/43/b0773f2deb50509b572206256069b2e0bb2babf406b39a116b1dc29e002d/figlet-0.0.1-py3-none-any.whl
Collecting progress==1.5 (from -r requirements.txt (line 4))
Downloading https://files.pythonhosted.org/packages/38/ef/2e887b3d2b248916fc2121889ce68af8a16aaddbe82f9ae6533c24ff0d2b/progress-1.5.tar.gz
Collecting prompt-toolkit==1.0.15 (from -r requirements.txt (line 5))
Downloading https://files.pythonhosted.org/packages/04/d1/c6616dd03701e7e2073f06d5c3b41b012256e42b72561f16a7bd86dd7b43/prompt_toolkit-1.0.15-py3-none-any.whl (247kB)
|████████████████████████████████| 256kB 5.8MB/s
Collecting SelectMenu (from -r requirements.txt (line 6))
Downloading https://files.pythonhosted.org/packages/cd/b9/8078a7f34c5b877e7fa26e5c5c5f62cbc765d44c949dd672a29aef62089a/SelectMenu-1.0.0b2.tar.gz
ERROR: Command errored out with exit status 1:
command: /Users/ptolani/greaterbank/infosec/kubestrike/env/bin/python3 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/setup.py'"'"'; file='"'"'/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' egg_info --egg-base pip-egg-info
cwd: /private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/
Complete output (9 lines):
Traceback (most recent call last):
File "", line 1, in
File "/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/setup.py", line 5, in
from selectmenu import author, version
File "/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/selectmenu/init.py", line 4, in
from selectmenu.core import SelectMenu
File "/private/var/folders/8r/g00ct8cd3cd2068_k9xqdgnh0000gn/T/pip-install-_x5wypri/SelectMenu/selectmenu/core.py", line 6, in
from prompt_toolkit.token import Token
ModuleNotFoundError: No module named 'prompt_toolkit'
----------------------------------------
ERROR: Command errored out with exit status 1: python setup.py egg_info Check the logs for full command output.
Is there any command line where we can run to make the kubestriker run and also can we pass the IP or URL which it want to scan
When applying the procedure described by the Install procedure, the execution of the pip install -r requirements.txt does not completes due to errors with missing figlet dependency.
Apparently figlet is not present anymore in PyPy repo....
This error is preventing me to complete the installation.
This issue has been verified on different linux runtimes with updated python3 and pip environments.
Follows transcript of failed command.
─$ pip install -r requirements.txt
Collecting colorama==0.4.4
Using cached colorama-0.4.4-py2.py3-none-any.whl (16 kB)
Collecting colored==1.4.2
Using cached colored-1.4.2.tar.gz (56 kB)
Preparing metadata (setup.py) ... done
ERROR: Could not find a version that satisfies the requirement figlet==0.0.1 (from versions: none)
ERROR: No matching distribution found for figlet==0.0.1
Choose one of the below url: (Use arrow keys)
https://kubernetes.docker.internal:6443
https://10.213.11.210
https://10.213.11.226
https://10.213.13.210
https://10.213.15.146
https://10.213.13.146
https://192.168.13.210
https://192.168.15.210
https://192.168.17.210
https://192.168.13.210
https://192.168.11.210
https://192.168.13.210
https://192.168.15.210
https://192.168.17.210
https://192.168.15.210
https://192.168.11.210
https://10.214.7.226
https://10.214.7.210
https://10.214.33.146
https://10.212.22.18
https://192.168.11.146
https://192.168.11.146
https://10.212.221.242
Looks like there are duplicates above? And also should be cluster names instead of IPs?
Hi,
Firstly, awesome project!
=
appended. Thus, token is not working. I've manually sent a curl with =
and its working.Basically this happens when you are adding a Generic k8s cluster from FE ^. Should be an easy fix.
Hi,
Could it be possible to launch a full scan with a single command, instead of running the interactive menu and chosing each option please ?
I made it myself locally but it's not very pretty. Let me know.
In the requirements.txt
file are the dependencies pinned to specific releases. This is in issue for package maintainers as distributions usually ship later releases or at least different releases.
Any change that you could soften the version constrains?
Hello!
I am trying to run an authenticated scan using the docker image v1.0.0.
It discovers ok based on the kubeconfig but when I get to the prompt that reads
Provide token :
I can't enter anything. I am trying to paste in a token. Can't type anything either.
It does say choose one of the below options (use arrow keys) but it falls right through to the prompt.
Am I doing it wrong?
Thank you
prompt toolkit is now in version 3.X branch and this project still forces installation of a older 1.X version. Unless people use venv this breaks other tools. Why stick with older version of dependecy and not move to new one.
https://python-prompt-toolkit.readthedocs.io/en/master/pages/upgrading/2.0.html
Any specific reason why sticking to older version here.
Hello @vasantchinnipilli!
I've installed the kubestriker in EKS using the yaml files as documented here: https://www.kubestriker.io/-deploying-kubestriker
I have edited the ingress resource within the web-app.yaml to have a host path so that I can have a domain name to access the UI.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: kubestriker-ui-ingress
namespace: kubestriker
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "GET, PUT, POST, DELETE, PATCH, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-origin: "*"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
spec:
rules:
- host: kubestriker.eks.sandbox.ap2.<company domain>
http:
paths:
- path: /
backend:
serviceName: python-svc
servicePort: 8080
I have a Route53 endpoint for *.eks.sandbox.ap2.. I have other deployments like Falco, Kiali etc which I have been accessing in the similar manner.
I have edited the API_URL environment variable in the web-app.yaml with the endpoint of the ELB and also the hostname of kubestriker.eks.sandbox.ap2. but I get the following error.
and the logs in the kubestriker-python pod is this:
[26/May/2021 23:54:11] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:54:40] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:55:04] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:55:05] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:55:06] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:56:28] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:57:59] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:58:00] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:58:01] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:58:03] "GET / HTTP/1.1" 404 2070
Not Found: /
[26/May/2021 23:58:05] "GET / HTTP/1.1" 404 2070
Can you please suggest on what should I be doing different?
Hi there,
I reading this documentation: https://www.kubestriker.io/-Using-Docker-compose#UsingDocker-compose
But docker-compose.yml isn't available!
Hello Vasant,
I got a fresh valid token but it fails to authenticate:
<Response [401]>
it succeeded only once and every other attempt failed. Do you know what could be the cause?
Thanks,
Dmitry
Right now, it looks like it's simply scanning 3 ports:
ports = [443, 6443, 8443]
In my case, I have the API on a random higher level IP (microk8s
default install chooses a port at random). There doesn't appear to be anyway I can have it ignore the 443 it finds (Which is simply an nginx server), and use the one I specify.
There is an issue with PyYAML 5.4 fixes CVE-2020-14343, see https://github.com/yaml/pyyaml/blob/5.4.1/CHANGES
Line 8 in 8005103
see also #14
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.