Comments (27)
Yes, that is OK. Normally people should check pods under a namespace; under kube-system it will give.
The features you should maintain under -pp
from kubiscan.
Put all PSP (Pod Security Policy) related things under -pp
from kubiscan.
It can be implemented but this is a new vector. The focus of KubiScan was to scan for risky permissions and how they affect the roles, bindings, users and pods.
We can add PSP, but we need to understand what we want to get from it. Risky PSPs? Like PSPs that, if someone uses them, will create privileged containers? In such a case we can just go and search for privileged containers directly (by inspecting each Pod/container YAML).
from kubiscan.
PSPs cover a lot, but if we focus on the below:
Pods root privileges
Host PID access
Host network access
Host port access
Host volume access
I think that will be enough coverage in addition to risky pods.
from kubiscan.
Why not just check the configuration of each pod/container and check its security context?
from kubiscan.
Check when the pod is going to start/launch.
from kubiscan.
I added an option to check the security context of pods and search for pods with a security context of privileged, root user, dangerous capabilities, and whether the allowPrivilegeEscalation flag is set.
from kubiscan.
How to use it? Will the same risky pod (-rp) switch give the result along with ?
from kubiscan.
-pp
from kubiscan.
It's working fine, but it's not capturing hostNetwork. If I mention in the pod definition hostNetwork: true or hostPort, then it's not capturing them.
Basically usage of the hostPort is considered a privileged operation on OpenShift.
My target is that it should capture all of the below:
Host PID access
Host network access
Host port access
Host volume access
I am trying to make this tool compatible with all Kubernetes flavors, including OpenShift.
from kubiscan.
I can see the Host PID and Host network fields in the PodSpec:
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#podspec-v1-core
Where should the Host port be found?
Regarding the volume access, I will check it, but maybe I already have something that does it: this is the -psv switch that shows all the volumes mounted to the pods.
We also have the -pse switch that shows all the environment variables mounted to the pods.
from kubiscan.
hostPort is used as follows:
If the hostPort setting applies to the Kubernetes containers, the container port will be exposed to the external network at <hostIP>:<hostPort>, where the hostIP is the IP address of the Kubernetes node where the container is running and the hostPort is the port requested by the user.
The hostPort feature allows exposing a single container port on the host IP. Using the hostPort to expose an application outside the Kubernetes cluster has some drawbacks: two containers using the same hostPort cannot be scheduled on the same node.
psv: Show Pods that have access to secret data through a Volume.
pse: Show Pods that have access to secret data through an Environment.
I do not think it does any Host volume access check.
from kubiscan.
Regarding the hostPort, I don't understand why it is being considered a privileged operation on OpenShift.
When we are talking about privileged containers, the idea is that if an attacker is inside the container, he has root privileges, high capabilities, and can break out to the host or control other containers.
An exposed port just shows the exposed port of the container on the master. It doesn't mean you can do something interesting with it if I compare it to the other operations I mentioned.
from kubiscan.
It's a security hole: if anyone uses hostPort in a pod, then that port is locked on the host where that container is deployed.
Nobody can use that port, and an attacker can try to access the cluster using the hostPort.
from kubiscan.
In the PSP (Pod Security Policy) link below, I think you are capturing only the "privileged" field.
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy
If you also consider the following fields, then it will be more effective regarding privileged/risky pods.
from kubiscan.
Yes, it sounds like a good suggestion.
I will check it and update.
from kubiscan.
Any update?
from kubiscan.
Added support for hostPID and hostIPC.
Regarding readOnlyRootFilesystem, I saw that the default is false, which indicates that you can write to the root filesystem.
As this is the default, it will make lots of "noise" because most of the pods will have this field set to false, don't you think? We will probably get all the pods appearing as "privileged".
from kubiscan.
If someone uses readOnlyRootFilesystem true, then KubiScan should catch it.
from kubiscan.
I did some tests with:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: alpine
spec:
  containers:
  - name: alpine
    image: alpine
    # command is an exec-style array: the binary and its argument are separate items
    command: ["sleep", "99d"]
    ports:
    - containerPort: 6666
      hostPort: 6666
  hostNetwork: true
  hostIPC: true
  hostPID: true
EOF
The hostNetwork field shows more containers:
I guess I just need to check the allowedHostPath; I need to decide which feature to add it to (-psv or -pp).
from kubiscan.
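The checks discussed in this thread (privileged, root user, dangerous capabilities, allowPrivilegeEscalation, hostPID/hostIPC/hostNetwork, hostPort and hostPath volumes) as one offline function, written here as an added example; it is not KubiScan's own code. It works on the plain dict that yaml.safe_load or the Kubernetes API returns for a Pod, so no cluster is needed. The DANGEROUS_CAPABILITIES set and the SAMPLE_POD/SAFE_POD manifests are assumptions constructed for illustration (SAMPLE_POD extends the test pod above with a hostPath volume and a root container so every check fires). Following the noise argument above, readOnlyRootFilesystem is not flagged.

```python
from typing import Dict, List, Optional

# Capabilities that grant host-level control when added to a container.
# Illustrative assumption for this example, not a KubiScan setting.
DANGEROUS_CAPABILITIES = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                          "NET_ADMIN", "NET_RAW", "DAC_READ_SEARCH"}

# Pod-level booleans that share a host namespace with the node.
HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")


def risky_pod_findings(pod: dict) -> List[str]:
    """Return human-readable findings for one Pod manifest (empty list = nothing fired)."""
    spec = pod.get("spec", {}) or {}
    pod_sc = spec.get("securityContext", {}) or {}
    findings: List[str] = []

    # Pod level: shared host namespaces.
    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field) is True:
            findings.append(f"pod: {field} is true")

    # Pod level: hostPath volumes expose node filesystem paths.
    for vol in spec.get("volumes", []) or []:
        if "hostPath" in vol:
            findings.append(f"pod: volume {vol.get('name')!r} mounts hostPath "
                            f"{vol['hostPath'].get('path')!r}")

    # Container level; init containers run with the same settings and count too.
    containers = (spec.get("containers", []) or []) + (spec.get("initContainers", []) or [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {}) or {}

        if sc.get("privileged") is True:
            findings.append(f"container {name}: privileged")

        # Container runAsUser overrides the pod's; 0 is root. An absent value
        # means "image default", which cannot be judged from the manifest alone.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0:
            findings.append(f"container {name}: runs as root (runAsUser 0)")

        if sc.get("allowPrivilegeEscalation") is True:
            findings.append(f"container {name}: allowPrivilegeEscalation is true")

        added = set((sc.get("capabilities") or {}).get("add") or [])
        bad = sorted(added & DANGEROUS_CAPABILITIES)
        if bad:
            findings.append(f"container {name}: adds capabilities {bad}")

        # hostPort binds the container port on the node's own IP address.
        for port in c.get("ports", []) or []:
            if port.get("hostPort"):
                findings.append(f"container {name}: hostPort {port['hostPort']} -> "
                                f"containerPort {port.get('containerPort')}")

    return findings


def scan_pods(pods: List[dict], namespace: Optional[str] = None) -> Dict[str, List[str]]:
    """Map 'namespace/name' -> findings; None scans all namespaces (like omitting -ns).
    Pods with no findings are left out so the report stays readable."""
    report: Dict[str, List[str]] = {}
    for pod in pods:
        meta = pod.get("metadata", {}) or {}
        ns = meta.get("namespace", "default")
        if namespace is not None and ns != namespace:
            continue
        found = risky_pod_findings(pod)
        if found:
            report[f"{ns}/{meta.get('name')}"] = found
    return report


# Constructed sample manifests (not from a real cluster).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "alpine"},
    "spec": {
        "hostNetwork": True, "hostIPC": True, "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "alpine", "image": "alpine", "command": ["sleep", "99d"],
            "ports": [{"containerPort": 6666, "hostPort": 6666}],
            "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": True,
                                "capabilities": {"add": ["SYS_ADMIN", "CHOWN"]}},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
        }],
    },
}
SAFE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "quiet", "namespace": "team-a"},
    "spec": {"containers": [{"name": "app", "image": "alpine",
             "securityContext": {"runAsUser": 1000, "allowPrivilegeEscalation": False}}]},
}

if __name__ == "__main__":
    for key, items in scan_pods([SAMPLE_POD, SAFE_POD]).items():
        print(key)
        for item in items:
            print("  -", item)
```

Run it directly to see the eight findings for the sample pod; `scan_pods(pods, namespace="default")` mirrors restricting the report with -ns, and the quiet pod produces no entry at all.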
I checked, but what I noticed earlier is that -pp works with -n <namespace>.
Now it shows privileged pods under all namespaces.
from kubiscan.
It now also prints the host paths, which makes it more "noisy":
Regarding the namespaces, if you don't specify a namespace it will print for all the namespaces. Another option is to make it print for the "default" namespace when no namespace is specified. But I think it is fine like that (prints for all the namespaces by default).
You can use namespaces, for example: kubiscan -pp -ns default:
from kubiscan.
Notice to use -ns instead of -n.
I created -ns for --namespaces because -n was taken for --name.
from kubiscan.
It was my typo. But I always use -ns.
Tomorrow I will check & update you.
from kubiscan.
No twitter or linkedin?
from kubiscan.
OK, so contact me: Eviatar Gerzi
from kubiscan.
closing
from kubiscan.