kubewire

command module
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 27, 2018 License: MIT Imports: 1 Imported by: 0

README

Go Report Card Build Status

kubewire

kubewire is a Kubernetes integrity checker which acts as a tripwire for global Kubernetes resources or namespaced resources which could impact the whole cluster.

Status: Alpha, anything can change at any time

Use case

Kubernetes cluster administrators have great power. This means that a mistake they make could cause the cluster to become unhealthy or insecure and, as such, could impact any or all tenants sharing the cluster. Kubewire does not prevent mistakes but it is intended to notice modifications.

Common sources for such modifications are:

  • kubectl create on objects which define a wrong namespace
  • Wrong kubeconfig or a not defined namespace
  • Running tools which create object in different namespaces e.q. Helms Tiller is deployed to kube-system by default

Kubewire is not focused on hidden malicious acts and also does not keep any object backed up. So it's best used together with an automated deployment/configuration tool which ensures that all global objects have the state you wish. Kubewire just ensures that no additional objects are created unintentionally.

Installation

In order to get the latest version, do

go get -u github.com/postfinance/kubewire

You should hava a working Go installation.

Precompiled binaries will be provided soon for the common platforms.

Usage

By default, all non-namespaced resources will be scanned. In addition to that, the following namespaces are considered to hava a global effect, so the namespaced resources of them will also be scanned:

  • default
  • kube-system
  • kube-public

This list can be customized with the --namespaces flag.

$ kubewire snapshot > baseline.yaml

$ ./thisdoessomemagic

$ kubewire diff --baseline=baseline.yaml
Element                                                                 A                                        B
ScanStart                                                               2018-06-12 14:19:14.152560709 +0200 CEST 2018-06-14 10:22:18.083728367 +0200 CEST m=+0.028297121
ScanEnd                                                                 2018-06-12 14:19:42.870490496 +0200 CEST 2018-06-14 10:22:46.602422832 +0200 CEST m=+28.546991607
ResourceObjects." v1 namespaces  appl-shouldnotbehere"                  does not exist                           exists
ResourceObjects." v1 secrets kube-system shouldnotbehere-token-rwmcl"   does not exist                           exists
ResourceObjects." v1 serviceaccounts kube-system shouldnotbehere"       does not exist                           exists
Kubeconfig

kubewire detects if it is running in a Kubernetes cluster and uses the service account of the Pod if available. If this is not the case, it looks in the default kubectl paths for a kubeconfig. Both cases can be overriden by setting the 'kubeconfig' flag.

RBAC Rules

RBAC Rules will be provided soon

Requirements

This utility should work with any Kubernetes 1.7+ compatible cluster.

Next

  • Scan namespaced resources with global impact e.g. PodSecurityPolicy usages
  • Add example reports
  • Provide RBAC yaml
  • Review ReportDiff format and make it more usable and readable
  • Add more tests

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
pkg
access
report
retrieval

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.