marvin

command module
v0.1.2
Published: Mar 29, 2023 License: Apache-2.0 Imports: 1 Imported by: 0

README

Marvin

Marvin is a CLI tool designed to help Kubernetes cluster administrators ensure the security and reliability of their environments.

Using a comprehensive set of CEL (Common Expression Language) expressions, Marvin performs extensive checks on cluster resources, identifying potential issues, misconfigurations, and vulnerabilities that could pose a risk to the system. It helps ensure that your Kubernetes clusters are always in compliance with best practices and industry standards.

Marvin is also used as a plugin in Zora.

Installation

The pre-compiled binaries are available on the GitHub releases page and can be installed manually or via the install script.

Manually

  1. Download the file for your system/architecture from the GitHub releases page
  2. Unpack the downloaded archive (e.g. tar -xzf marvin_Linux_x86_64.tar.gz)
  3. Make sure the binary has its execution bit turned on (chmod +x ./marvin)
  4. Move the binary somewhere in your $PATH (e.g. sudo mv ./marvin /usr/local/bin/)

Install script

The process above can be automated by the following script:

curl -sSfL https://raw.githubusercontent.com/undistro/marvin/main/install.sh | sh -s -- -b $HOME/.local/bin

From source

go install github.com/undistro/marvin@latest

Usage

Built-in checks

Scan the current-context Kubernetes cluster performing the built-in checks:

marvin scan
SEVERITY   ID      CHECK                                                   STATUS   FAILED   PASSED   SKIPPED 
High       M-101   Host namespaces                                         Failed   8        7        0         
High       M-104   HostPath volume                                         Failed   8        7        0         
High       M-201   Application credentials stored in configuration files   Failed   2        25       0         
High       M-103   Insecure capabilities                                   Failed   2        13       0         
High       M-102   Privileged container                                    Failed   2        13       0         
High       M-105   Not allowed hostPort                                    Passed   0        15       0         
High       M-100   Privileged access to the Windows node                   Passed   0        15       0         
Medium     M-113   Container could be running as root user                 Failed   15       0        0         
Medium     M-109   Forbidden seccomp profile                               Passed   0        15       0         
Medium     M-108   Forbidden proc mount type                               Passed   0        15       0         
Medium     M-112   Allowed privilege escalation                            Passed   0        15       0         
Medium     M-110   Unsafe sysctls                                          Passed   0        15       0         
Medium     M-106   Forbidden AppArmor profile                              Passed   0        15       0         
Medium     M-107   Forbidden SELinux options                               Passed   0        15       0         
Medium     M-200   Image registry not allowed                              Passed   0        15       0         
Low        M-202   Automounted service account token                       Failed   15       0        0         
Low        M-116   Not allowed added/dropped capabilities                  Failed   15       0        0         
Low        M-300   Root filesystem write allowed                           Failed   11       4        0         
Low        M-115   Not allowed seccomp profile                             Failed   11       4        0         
Low        M-111   Not allowed volume type                                 Failed   8        7        0         
Low        M-203   SSH server running inside container                     Passed   0        17       0         
Low        M-114   Container running as root UID                           Passed   0        15       0         

The default output format is table, which shows a summary of the check results. Pass json or yaml to the -o/--output flag to get per-resource details.

Run marvin scan --help to see all available options.

Custom checks

Marvin allows you to write your own checks by using CEL expressions in a YAML file like the example below.

id: CUSTOM-001
severity: Medium
message: "Replicas limit"
match:
  resources:
    - group: apps
      version: v1
      resource: deployments
validations:
  - expression: >
      object.spec.replicas <= 5
    message: "Deployment with more than 5 replicas"

If an expression evaluates to false, the check fails.

This is how built-in Marvin checks are defined as well. You can see all the built-in checks in the internal/builtins folder for examples.

Then provide the directory containing your custom check files with the -f/--checks flag:

marvin scan --disable-builtin --checks ./examples/
SEVERITY   ID           CHECK            STATUS   FAILED   PASSED   SKIPPED 
Medium     CUSTOM-001   Replicas limit   Passed   0        2        0         

The flag --disable-builtin disables the built-in Marvin checks.

If the check matches a PodSpec (Pod, ReplicationController, ReplicaSet, Deployment, StatefulSet, DaemonSet, Job or CronJob) the podSpec and allContainers inputs are available for expressions.

The allContainers input is a list of all containers including initContainers and ephemeralContainers.
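The following custom check is an added example, not one of Marvin's built-in checks. It matches several PodSpec-bearing resources and uses the podSpec and allContainers inputs described above; the CEL has() calls assume, as in the built-in checks, that the resource is exposed to CEL as a map so that missing fields can be tested for presence.

```yaml
# Added example: a custom check exercising the podSpec and allContainers inputs.
# Each validation must evaluate to true; a false result fails the check with
# the validation's message.
id: CUSTOM-002
severity: Medium
message: "Container hardening baseline"
match:
  resources:
    - group: apps
      version: v1
      resource: deployments
    - group: apps
      version: v1
      resource: statefulsets
    - group: batch
      version: v1
      resource: cronjobs
validations:
  # allContainers includes containers, initContainers and ephemeralContainers,
  # so an init container pulling a mutable tag is caught as well.
  - expression: >
      allContainers.all(c, !c.image.endsWith(':latest'))
    message: "Container image uses the mutable 'latest' tag"
  # has() tests key presence, so containers with no resources block at all
  # fail instead of raising a missing-field evaluation error.
  - expression: >
      allContainers.all(c,
        has(c.resources) && has(c.resources.limits) &&
        has(c.resources.limits.cpu) && has(c.resources.limits.memory))
    message: "Container without both CPU and memory limits"
  # Pod-level field: the workload must set a DNS policy explicitly rather than
  # rely on the cluster default.
  - expression: >
      has(podSpec.dnsPolicy)
    message: "Pod does not set dnsPolicy explicitly"
```

Save the file in a directory and run marvin scan --disable-builtin --checks <dir> to try it on its own; drop --disable-builtin to run it alongside the built-in checks.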

Skipping resources

You can use annotations to skip certain checks for specific resources in your cluster. By adding the marvin.undistro.io/skip annotation to a resource, you can specify a comma-separated list of check IDs to skip.

Example:

kubectl annotate deployment nginx marvin.undistro.io/skip='auto-mount-sa-token, volume-types'

By default, Marvin will respect the marvin.undistro.io/skip annotation when performing checks. However, you can disable this behavior by using the --disable-annotation-skip flag. This flag will cause Marvin to perform all checks on all resources.

If you prefer to use a different annotation to skip checks, you can use the --skip-annotation flag to specify the annotation name. Example: --skip-annotation='my-company.com/skip-checks'

Contributing

We appreciate your contribution. Please refer to our contributing guideline for further information. This project adheres to the Contributor Covenant code of conduct.

License

Marvin is available under the Apache 2.0 license. See the LICENSE file for more info.

Directories

Path Synopsis
internal
pkg
cmd