def service_discovery_results_status(self):
print('\n', file=self.file_obj)
print(
"KubeServer Secure Identified Services ........................................",
file=self.file_obj)
service_discovery_status = self.service_discovery_status
for status in service_discovery_status:
service_open(status, self.file_obj)
print('\n', file=self.file_obj)
print_msg_box(
'######## Below mentioned are the valid urls of the identified Endpoints ########',
file_obj=self.file_obj)
for service, status in self.result.items():
if status.get('active') == True:
end_point = status.get('end_point')
print(" --> {service} identified {end_point}".format(
service=service, end_point=end_point),
file=self.file_obj)
def apiserver_insecure(self, data):
print("\nGearing up for Api Server Insecure Scan....................................", file=self.file_obj)
namespacelist = []
token = ''
result_data = {}
end_point = data.get('apiserver_insecure').get('end_point')
end_point_url = "http://" + end_point
rbackv1 = RbacAuthorizationV1Api(end_point_url, result_data, namespacelist, token)
roles_data = rbackv1.roles_data
roles_bindings_data = rbackv1.roles_bindings_data
clusterroles_data = rbackv1.clusterroles_data
clusterrolebindings_data = rbackv1.clusterrolebindings_data
corev1 = CoreV1Api(end_point_url, result_data, namespacelist, token)
pods_data = corev1.pods_data
nodes_data = corev1.nodes_data
self.result.update(pods_data)
appsv1 = AppsV1Api(end_point_url, result_data, namespacelist, token)
# deployments_data = appsv1.deployments_data
policyv1 = PolicyV1beta1Api(end_point_url, result_data, namespacelist, token)
psp_data = policyv1.podsecuritypolicies_data
self.misconfigurations(roles_data, roles_bindings_data, clusterroles_data, clusterrolebindings_data,
namespacelist)
self.misconfigured_containers(pods_data, namespacelist)
self.grab_nodes_data(nodes_data, namespacelist)
if psp_data:
self.pod_security_polocies(psp_data, roles_data, roles_bindings_data, clusterroles_data,
clusterrolebindings_data, namespacelist)
networking = ExtensionsV1beta1Api(end_point_url, result_data, namespacelist, token)
network_policies_data = networking.list_network_policy_for_all_namespaces()
ingress_list, egress_list = self.network_policies_data_parsing(network_policies_data, namespacelist)
if ingress_list:
resource_available("Wide Open Ingress policies")
print_msg_box('######## Wide Open Ingress Policies ########', file_obj=self.file_obj)
for ingrs_container in list(set(ingress_list)):
print(ingrs_container, file=self.file_obj)
if egress_list:
resource_available("Wide open Egress policies")
print_msg_box('######## Wide Open Eggress Policies ########', file_obj=self.file_obj)
for egrs_container in list(set(egress_list)):
print(egrs_container, file=self.file_obj)
def grab_nodes_data(self, nodes_total_data, namespacelist):
nodes_list = []
if nodes_total_data:
nodes_data = nodes_total_data.get('core')
if nodes_data:
items_data = nodes_data.get('items')
for items in items_data:
name = items.get('metadata', {}).get('name')
if name and name not in nodes_list:
nodes_list.append(name)
else:
for namespace in namespacelist:
nodes_data = nodes_total_data.get(namespace)
if nodes_data:
items_data = nodes_data.get('items')
for items in items_data:
name = items.get('metadata', {}).get('name')
if name and name not in nodes_list:
nodes_list.append(name)
if nodes_list:
print_msg_box('######## below are the nodes ########', file_obj=self.file_obj)
for node in list(set(nodes_list)):
print(node, file=self.file_obj)
def validate_admin_role(self,
roles_json,
roles_bindings_json,
clusterroles_json,
cluster_bindings_json,
user_name=None):
'''
avoid repetition
Insert gap after each role
'''
print_msg_box("######## Admin roles ######## ", file_obj=self.file_obj)
admin_role = False
role_users = []
roles_check_json = [roles_json, clusterroles_json]
for roles_json in roles_check_json:
role_kind = roles_json.get('kind')
for roles_data in roles_json['items']:
#role_kind = roles_data.get('kind')
if not roles_data.get('rules'):
continue
for rule in roles_data['rules']:
if not rule.get('verbs', None):
continue
if not rule.get('resources', None):
continue
if '*' in rule['resources'] and '*' in rule['verbs']:
role_name = roles_data['metadata']['name']
if user_name:
if user_name == role_name:
admin_role = True
self.result.update({'admin_role': admin_role})
return
else:
self.result.update({'admin_role': admin_role})
continue
if role_name in role_users:
continue
if role_kind.lower() == 'rolelist':
print(role_name + " is an admin role",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, roles_bindings_json)
if role_kind.lower() == 'clusterrolelist':
print(role_name + " is a cluster admin role",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, cluster_bindings_json)
role_users.append(role_name)
if role_ref:
for subject in subjects:
kind = subject.get('kind')
name = subject.get('name')
namespace = subject.get('namespace')
if namespace:
print(
"{kind} {name} has Admin Privileges in namespace {namespace}"
.format(kind=kind,
name=name,
namespace=namespace),
file=self.file_obj)
else:
print(
"{kind} {name} has Admin Privileges in Cluster"
.format(kind=kind, name=name),
file=self.file_obj)
print(file=self.file_obj)
if role_users:
self.validation_status.append('Admin Roles')
def validate_privileged_role(self,
roles_json,
roles_bindings_json,
clusterroles_json,
cluster_bindings_json,
user_name=None):
'''
'''
print_msg_box('######## Privileged roles ########',
file_obj=self.file_obj)
privileged_role = False
role_users = []
roles_check_json = [roles_json, clusterroles_json]
verbs_sign = ['*', 'create', 'update', 'patch']
resource_sign = [
'secrets', 'pods', 'deployments', 'daemonsets', 'statefulsets',
'replicationcontrollers', 'replicasets', 'cronjobs', 'jobs',
'roles', 'clusterroles', 'rolebindings', 'clusterrolebindings',
'users', 'groups', 'nodes', 'pods/exec', 'pods/attach',
'pods/portforward', 'serviceaccounts'
]
for roles_json in roles_check_json:
role_kind = roles_json.get('kind')
for roles_data in roles_json['items']:
#role_kind = roles_data.get('kind')
if not roles_data.get('rules'):
continue
for rule in roles_data['rules']:
if not rule.get('verbs', None):
continue
if not rule.get('resources', None):
continue
if any([
sign for sign in resource_sign
if sign in rule['resources']
]) and any(
[sign
for sign in verbs_sign if sign in rule['verbs']]):
role_name = roles_data['metadata']['name']
if user_name:
if user_name == role_name:
privileged_role = True
self.result.update(
{'privileged_role': privileged_role})
return
else:
self.result.update(
{'privileged_role': privileged_role})
continue
if role_name in role_users:
continue
if role_kind.lower() == 'rolelist':
print(role_name + " is a privileged role",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, roles_bindings_json)
if role_kind.lower() == 'clusterrolelist':
print(role_name + " is a privileged cluster role",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, cluster_bindings_json)
role_users.append(role_name)
if role_ref:
for subject in subjects:
kind = subject.get('kind')
name = subject.get('name')
namespace = subject.get('namespace')
if namespace:
print(
"{role_name} is attached to {kind} {name}"
.format(role_name=role_name,
kind=kind,
name=name),
file=self.file_obj)
print(
"{kind} {name} has High Privileges in namespace {namespace}"
.format(kind=kind,
name=name,
namespace=namespace),
file=self.file_obj)
else:
print(
"{role_name} is attached to {kind} {name}"
.format(role_name=role_name,
kind=kind,
name=name),
file=self.file_obj)
print(
"{kind} {name} has High Privileges in cluster"
.format(kind=kind, name=name),
file=self.file_obj)
print(file=self.file_obj)
if role_users:
self.validation_status.append('Privileged roles')
def validate_psp_role(self,
roles_json,
roles_bindings_json,
clusterroles_json,
cluster_bindings_json,
user_name=None):
'''
Insert Gap as discsussed
'''
print_msg_box('######## PSP attached roles ########',
file_obj=self.file_obj)
psp_role = False
role_users = []
roles_check_json = [roles_json, clusterroles_json]
verbs_sign = ["use"]
resource_sign = ['podsecuritypolicies']
for roles_json in roles_check_json:
role_kind = roles_json.get('kind')
for roles_data in roles_json['items']:
if not roles_data.get('rules'):
continue
#role_kind = roles_data.get('kind')
for rule in roles_data['rules']:
if not rule.get('verbs', None):
continue
if not rule.get('resources', None):
continue
if verbs_sign == rule['verbs'] and resource_sign == rule[
'resources']:
role_name = roles_data['metadata']['name']
if user_name:
if user_name == role_name:
psp_role = True
self.result.update({'psp_role': psp_role})
return
else:
self.result.update({'psp_role': psp_role})
continue
if role_name in role_users:
continue
if role_kind.lower() == 'rolelist':
for resourceNames in rule[
'resourceNames']: # added
print(
"Role " + role_name +
" can {verb} podsecuritypolicy {resourceNames}"
.format(verb=rule['verbs'][0],
resourceNames=resourceNames),
file=self.file_obj)
binding_json = roles_bindings_json
if role_kind.lower() == 'clusterrolelist':
for resourceNames in rule[
'resourceNames']: # added
print(
"ClusterRole " + role_name +
" can {verb} podsecuritypolicy {resourceNames}"
.format(verb=rule['verbs'][0],
resourceNames=resourceNames),
file=self.file_obj)
binding_json = cluster_bindings_json
role_users.append(role_name)
binding_metadata_name = ''
for entity in binding_json['items']:
if entity['roleRef']['name'] == role_name:
role_ref = entity.get('roleRef', [])
subjects = entity.get('subjects', [])
binding_metadata_name = entity.get(
'metadata', {}).get('name')
if role_ref:
for subject in subjects:
kind = subject.get('kind')
name = subject.get('name')
namespace = subject.get('namespace')
if namespace: # changesdone
print(
"RoleBinding {role_name} attaches podSecurityPolicy {resourceNames} to {kind} {subject_name} in the namespace {namespace}"
.format(
role_name=role_name,
binding_metadata_name=
binding_metadata_name,
kind=kind,
subject_name=name,
namespace=namespace,
resourceNames=rule['resourceNames']
[0]),
file=self.file_obj)
else:
print(
"ClusterRoleBinding {role_name} attaches podSecurityPolicy {resourceNames} to {kind} {subject_name} across Cluster "
.format(
role_name=role_name,
binding_metadata_name=
binding_metadata_name,
subject_name=name,
resourceNames=rule['resourceNames']
[0],
kind=kind),
file=self.file_obj)
print(file=self.file_obj)
if role_users:
self.validation_status.append('PSP attached roles')
def validate_impersonate_role(self,
roles_json,
roles_bindings_json,
clusterroles_json,
cluster_bindings_json,
user_name=None):
'''
'''
print_msg_box('######## Impersonate Privileged roles ########',
file_obj=self.file_obj)
impersonate_role = False
role_users = []
roles_check_json = [roles_json, clusterroles_json]
for roles_json in roles_check_json:
role_kind = roles_json.get('kind')
for roles_data in roles_json['items']:
if not roles_data.get('rules'):
continue
#role_kind = roles_data.get('kind')
for rule in roles_data['rules']:
if not rule.get('verbs', None):
continue
if not rule.get('resources', None):
continue
if 'impersonate' in rule['verbs']:
role_name = roles_data['metadata']['name']
if user_name:
if user_name == role_name:
impersonate_role = True
self.result.update(
{'impersonate_role': impersonate_role})
return
else:
self.result.update(
{'secrets_role': impersonate_role})
continue
if role_name in role_users:
continue
if role_kind.lower() == 'rolelist':
print(role_name + " is an impersonate role",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, roles_bindings_json)
if role_kind.lower() == 'clusterrolelist':
print(role_name + " is an impersonate cluster",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, cluster_bindings_json)
resourcenames = rule.get('resourceNames', [])
role_users.append(role_name)
if role_ref:
for subject in subjects:
kind = subject.get('kind')
name = subject.get('name')
namespace = subject.get('namespace')
for resource in rule['resources']:
for resourcename in resourcenames:
if namespace:
print(
"{kind} {name} has Privileges to impersonate {resources} in namespace {namespace} as {resourcenames}"
.format(
kind=kind,
name=name,
resources=resource,
namespace=namespace,
resourcenames=resourcename
),
file=self.file_obj)
else:
print(
"{kind} {name} has Privileges to impersonate {resources} across Cluster as {resourcenames}"
.format(
kind=kind,
resources=resource,
name=name,
resourcenames=resourcename
),
file=self.file_obj)
print(file=self.file_obj)
if role_users:
self.validation_status.append('Impersonate roles')
def validate_secrets_role(self,
roles_json,
roles_bindings_json,
clusterroles_json,
cluster_bindings_json,
user_name=None):
'''
Insert Gap as Discussed
'''
print_msg_box('######## Secret Privileged roles ########',
file_obj=self.file_obj)
secrets_role = False
role_users = []
roles_check_json = [roles_json, clusterroles_json]
verbs_sign = ['*', 'get', 'list', 'create', 'update']
resource_sign = ['secrets']
for roles_json in roles_check_json:
role_kind = roles_json.get('kind')
for roles_data in roles_json['items']:
if not roles_data.get('rules'):
continue
#role_kind = roles_data.get('kind')
for rule in roles_data['rules']:
if not rule.get('verbs', None):
continue
if not rule.get('resources', None):
continue
if any([
sign for sign in resource_sign
if sign in rule['resources']
]) and any(
[sign
for sign in verbs_sign if sign in rule['verbs']]):
role_name = roles_data['metadata']['name']
if user_name:
if user_name == role_name:
secrets_role = True
self.result.update(
{'secrets_role': secrets_role})
return
else:
self.result.update(
{'secrets_role': secrets_role})
continue
if role_name in role_users:
continue
if role_kind.lower() == 'rolelist':
print(role_name + " role can Play with secrets",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, roles_bindings_json)
if role_kind.lower() == 'clusterrolelist':
print(role_name +
" clusterrole can Play with secrets",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, cluster_bindings_json)
role_users.append(role_name)
if role_ref:
for subject in subjects:
kind = subject.get('kind')
name = subject.get('name')
namespace = subject.get('namespace')
for verb in rule['verbs']:
if namespace:
print(
"{kind} {name} has Privileges to {verb} secrets in namespace {namespace}"
.format(kind=kind,
name=name,
verb=verb,
namespace=namespace),
file=self.file_obj)
else:
print(
"{kind} {name} has Privileges to {verb} in Cluster"
.format(kind=kind,
verb=verb,
name=name),
file=self.file_obj)
print(file=self.file_obj)
if role_users:
self.validation_status.append('Secrets roles')
def validate_read_admin_role(self,
roles_json,
roles_bindings_json,
clusterroles_json,
cluster_bindings_json,
user_name=None):
'''
'''
#print("######## Read only admin roles ######## ",file=self.file_obj)
print_msg_box('######## Read only admin roles ########',
file_obj=self.file_obj)
read_admin_role = False
role_users = []
roles_check_json = [roles_json, clusterroles_json]
verbs_sign = ['get', 'list']
resource_sign = ['*']
for roles_json in roles_check_json:
role_kind = roles_json.get('kind')
for roles_data in roles_json['items']:
#role_kind = roles_data.get('kind')
if not roles_data.get('rules'):
continue
for rule in roles_data['rules']:
if not rule.get('verbs', None):
continue
if not rule.get('resources', None):
continue
if any([
sign for sign in resource_sign
if sign in rule['resources']
]) and any(
[sign
for sign in verbs_sign if sign in rule['verbs']]):
role_name = roles_data['metadata']['name']
if user_name:
if user_name == role_name:
read_admin_role = True
self.result.update(
{'read_admin_role': read_admin_role})
return
else:
self.result.update(
{'read_admin_role': read_admin_role})
continue
if role_name in role_users:
continue
if role_kind.lower() == 'rolelist':
print(role_name + " is an admin read role",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, roles_bindings_json)
if role_kind.lower() == 'clusterrolelist':
print(role_name + " is a clusteradmin read role",
file=self.file_obj)
role_ref, subjects = self.binds_search(
role_name, cluster_bindings_json)
role_users.append(role_name)
if role_ref:
for subject in subjects:
kind = subject.get('kind')
name = subject.get('name')
namespace = subject.get('namespace')
if namespace:
print(
"{kind} {name} has Read Admin Privileges in namespace {namespace}"
.format(kind=kind,
name=name,
namespace=namespace),
file=self.file_obj)
else:
print(
"{kind} {name} has Read Admin Privileges in Cluster"
.format(kind=kind, name=name),
file=self.file_obj)
print(file=self.file_obj)
if role_users:
self.validation_status.append('Read Only Admin roles')
def pod_security_polocies(self, psp_data, roles_data, roles_bindings_data, clusterroles_data,
clusterrolebindings_data, namespacelist):
psp_privilized = None
print("\n[+] Validating Pod Security Policies..................................", file=self.file_obj)
psp = PspRole()
if psp_data.get('policy') is not None:
psp_privilized, psp_restricted = psp.validate_psp_rule(psp_data.get('policy'))
if (roles_data.get('rbac') and roles_bindings_data.get('rbac') and clusterroles_data.get(
'rbac') and clusterrolebindings_data.get('rbac')) is not None:
psp_roles_data = psp.validate_psp_role(roles_data['rbac'], roles_bindings_data['rbac'],
clusterroles_data['rbac'],
clusterrolebindings_data['rbac'])
psp.psp_update_data(psp_privilized, psp_restricted, psp_roles_data)
print(stylize("\n[+] Identified Misconfigured Pod Security Policies ...........................\n",
fg("green_1")))
if psp_privilized:
resource_available("Privilized Pod Security Policies", self.file_obj)
if psp_restricted:
resource_available("Restricted Pod Security Policies", self.file_obj)
else:
for namespace in namespacelist:
psp_privilized, psp_restricted = psp.validate_psp_rule(psp_data.get(namespace))
if (roles_data.get(namespace) and roles_bindings_data.get(namespace) and clusterroles_data.get(
namespace) and clusterrolebindings_data.get(namespace)) is not None:
psp_roles_data = psp.validate_psp_role(roles_data[namespace], roles_bindings_data[namespace],
clusterroles_data[namespace],
clusterrolebindings_data[namespace])
psp.psp_update_data(psp_privilized, psp_restricted, psp_roles_data)
print(
stylize("\n[+] Identified Misconfigured Pod Security Policies ...........................\n",
fg("green_1")))
print("\n[+] Identified Misconfigured Pod Security Policies ...........................\n",
file=self.file_obj)
if psp_privilized:
resource_available(namespace + " Privilized Pod Security Policies", self.file_obj)
if psp_restricted:
resource_available(namespace + " Restricted Pod Security Policies", self.file_obj)
print_msg_box('######## Privilized PSPs ########', file_obj=self.file_obj)
if psp_privilized:
psp_container_list = []
for psp_container, psp_data in psp_privilized.items():
match_signs = psp_data.get('matched_signs')
ser_acn_details = psp_data.get('service_acount')
if ser_acn_details is None:
if not psp_container in psp_container_list:
print("{psp_container} has privilized rules {match_signs}".format(psp_container=psp_container,
match_signs=str(match_signs)),
file=self.file_obj)
psp_container_list.append(psp_container)
print(file=self.file_obj)
psp_container_list = []
for psp_container, psp_data in psp_privilized.items():
match_signs = psp_data.get('matched_signs')
ser_acn_details = psp_data.get('service_acount')
if ser_acn_details:
kind = ser_acn_details.get('kind')
name = ser_acn_details.get('name')
if not psp_container in psp_container_list:
print(
"{psp_container} lets {kind} {name} use {match_signs}".format(psp_container=psp_container,
kind=kind, name=name,
match_signs=str(match_signs)),
file=self.file_obj)
psp_container_list.append(psp_container)
def apiserver_secure(self, data, token=None, choice=None, user_name=None):
namespacelist = []
if token:
try:
token = token.strip()
decoded_data = yaml.safe_load(decode_jwt_token_data(token))
# print(decoded_data)
namespace = decoded_data.get('kubernetes.io/serviceaccount/namespace')
# print(namespace)
namespacelist = ['default', 'kube-node-lease', 'kube-public', 'kube-system']
namespacelist.append(namespace)
except Exception:
pass
else:
token = ''
result_data = {}
print("\nGearing up for Api Server Secure Scan................................", file=self.file_obj)
end_point = data.get('apiserver_secure').get('end_point')
end_point_url = "https://" + end_point
# appsv1 = AppsV1Api(end_point_url, result_data, namespacelist, token)
# deployments_data = appsv1.deployments_data
policyv1 = PolicyV1beta1Api(end_point_url, result_data, namespacelist, token)
psp_data = policyv1.podsecuritypolicies_data
if choice == 'Scan IAM misconfigurations':
rbackv1 = RbacAuthorizationV1Api(end_point_url, result_data, namespacelist, token)
roles_data = rbackv1.roles_data
roles_bindings_data = rbackv1.roles_bindings_data
clusterroles_data = rbackv1.clusterroles_data
clusterrolebindings_data = rbackv1.clusterrolebindings_data
self.misconfigurations(roles_data, roles_bindings_data, clusterroles_data, clusterrolebindings_data,
namespacelist, user_name)
elif choice == 'Scan misconfigured containers':
corev1 = CoreV1Api(end_point_url, result_data, namespacelist, token)
pods_data = corev1.pods_data
nodes_data = corev1.nodes_data
self.result.update(pods_data)
self.misconfigured_containers(pods_data, namespacelist)
self.grab_nodes_data(nodes_data, namespacelist)
elif choice == 'Scan misconfigured podsecuritypolicies':
if psp_data:
rbackv1 = RbacAuthorizationV1Api(end_point_url, result_data, namespacelist, token)
roles_data = rbackv1.roles_data
roles_bindings_data = rbackv1.roles_bindings_data
clusterroles_data = rbackv1.clusterroles_data
clusterrolebindings_data = rbackv1.clusterrolebindings_data
self.pod_security_polocies(psp_data, roles_data, roles_bindings_data, clusterroles_data,
clusterrolebindings_data, namespacelist)
elif choice == 'Scan misconfigured network policies':
networking = ExtensionsV1beta1Api(end_point_url, result_data, namespacelist, token)
network_policies_data = networking.list_network_policy_for_all_namespaces()
ingress_list, egress_list = self.network_policies_data_parsing(network_policies_data, namespacelist)
if ingress_list:
resource_available("Wide Open Ingress policies")
print_msg_box('######## Wide Open Ingress Policies ########', file_obj=self.file_obj)
for ingrs_container in list(set(ingress_list)):
print(ingrs_container, file=self.file_obj)
if egress_list:
resource_available("Wide Open Egress policies")
print_msg_box('######## Wide Open Egress Policies ########', file_obj=self.file_obj)
for egrs_container in list(set(egress_list)):
print(egrs_container, file=self.file_obj)
else:
rbackv1 = RbacAuthorizationV1Api(end_point_url, result_data, namespacelist, token)
roles_data = rbackv1.roles_data
roles_bindings_data = rbackv1.roles_bindings_data
clusterroles_data = rbackv1.clusterroles_data
clusterrolebindings_data = rbackv1.clusterrolebindings_data
corev1 = CoreV1Api(end_point_url, result_data, namespacelist, token)
pods_data = corev1.pods_data
nodes_data = corev1.nodes_data
self.result.update(pods_data)
self.misconfigurations(roles_data, roles_bindings_data, clusterroles_data, clusterrolebindings_data,
namespacelist)
self.misconfigured_containers(pods_data, namespacelist)
self.grab_nodes_data(nodes_data, namespacelist)
if psp_data:
self.pod_security_polocies(psp_data, roles_data, roles_bindings_data, clusterroles_data,
clusterrolebindings_data, namespacelist)
networking = ExtensionsV1beta1Api(end_point_url, result_data, namespacelist, token)
network_policies_data = networking.list_network_policy_for_all_namespaces()
ingress_list, egress_list = self.network_policies_data_parsing(network_policies_data, namespacelist)
if ingress_list:
resource_available("Wide Open Ingress policies")
print_msg_box('######## Wide Open Ingress Policies ########', file_obj=self.file_obj)
for ingrs_container in list(set(ingress_list)):
print(ingrs_container, file=self.file_obj)
if egress_list:
resource_available("Wide Open Egress policies")
print_msg_box('######## Wide Open Egress Policies ########', file_obj=self.file_obj)
for egrs_container in list(set(egress_list)):
print(egrs_container, file=self.file_obj)
def misconfigured_containers(self, pods_data, namespacelist):
print(stylize("\n[+] Scanning for Misonfigured containers ......................................\n",
fg("green_1")))
print("\nScanning for Misonfigured containers ......................................", file=self.file_obj)
pod_deploy_data_list = [pods_data] # , deployments_data]
for pvl_validate_data in pod_deploy_data_list:
if pvl_validate_data:
pvl_containers = []
cpu = []
memory = []
livenessprobe = []
readnessprobe = []
priorityclassname_in = []
service_account_in = []
mounted_in = []
docker_sock_containers = []
if pvl_validate_data.get('core') is not None:
pvl_validate_data = pvl_validate_data['core']
elif pvl_validate_data.get('apps') is not None:
pvl_validate_data = pvl_validate_data['apps']
else:
pvl_validate_data = {}
if len(pvl_validate_data) != 0:
for pod_data in pvl_validate_data['items']:
containers_list, match_signs = PvlContainers().containers_check(pod_data)
pvl_containers.append({'match_signs': match_signs, 'pvl_container': containers_list})
# print('privileged containers', str(containers_list))
PvlContainers().container_metrics(pod_data, cpu, memory, livenessprobe, readnessprobe,
priorityclassname_in, service_account_in, mounted_in,
docker_sock_containers)
else:
for namespace in namespacelist:
if namespace in pods_data:
pods_data = pods_data[namespace]
for pod_data in pods_data['items']:
containers_list, match_signs = PvlContainers().containers_check(pod_data)
pvl_containers.append({'match_signs': match_signs, 'pvl_container': containers_list})
# print('privileged containers', str(containers_list))
PvlContainers().container_metrics(pod_data, cpu, memory, livenessprobe, readnessprobe,
priorityclassname_in, service_account_in, mounted_in,
docker_sock_containers)
scan_status(" [+] Scanning for Privileged Containers .................................")
scan_status(" [+] Scanning for livenessProbe .........................................")
scan_status(" [+] Scanning for readinessProbe ........................................")
scan_status(" [+] Scanning for CPU Limit .............................................")
scan_status(" [+] Scanning for Memory Limit ..........................................")
scan_status(" [+] Scanning for Priorityclassname .....................................")
scan_status(" [+] Scanning for ServiceAccount Mount ..................................")
scan_status(" [+] Scanning for Secrets Mounted .......................................")
scan_status(" [+] Scanning for docker Socket Mount ...................................")
print(" [+] Scanning for Privileged Containers .................................",
file=self.file_obj)
print(" [+] Scanning for livenessProbe .........................................",
file=self.file_obj)
print(" [+] Scanning for readinessProbe ........................................",
file=self.file_obj)
print(" [+] Scanning for CPU Limit .............................................",
file=self.file_obj)
print(" [+] Scanning for Memory Limit ..........................................",
file=self.file_obj)
print(" [+] Scanning for Priorityclassname .....................................",
file=self.file_obj)
print(" [+] Scanning for ServiceAccount Mount ..................................",
file=self.file_obj)
print(" [+] Scanning for Secrets Mounted .......................................",
file=self.file_obj)
print(" [+] Scanning for docker Socket Mount .................................\n",
file=self.file_obj)
print_msg_box('######## Privileged containers ########', file_obj=self.file_obj)
pvlc_list = []
for pvlc_data in pvl_containers:
pvl_container = pvlc_data.get('pvl_container')
if pvl_container:
match_sighns = pvlc_data.get('match_signs')
for pvlc in pvl_container:
if not pvlc in pvlc_list:
print("{pvlc} is configured with {match_sighns}".format(pvlc=pvlc,
match_sighns=str(match_sighns)),
file=self.file_obj)
pvlc_list.append(pvlc)
print_msg_box('######## livenessprobe not set in below containers ########', file_obj=self.file_obj)
for liveness_container in list(set(livenessprobe)):
print(liveness_container, file=self.file_obj)
print_msg_box('######## readinessprobe not set in below containers ########', file_obj=self.file_obj)
for readiness_container in list(set(readnessprobe)):
print(readiness_container, file=self.file_obj)
print_msg_box('######## CPU Limit not set below containers ########', file_obj=self.file_obj)
for cpu_container in list(set(cpu)):
print(cpu_container, file=self.file_obj)
print_msg_box('######## Memory Limit not set in below containers ########', file_obj=self.file_obj)
for memory_container in list(set(memory)):
print(memory_container, file=self.file_obj)
print_msg_box('######## Priorityclassname not set in below containers ########', file_obj=self.file_obj)
for pcl_container in list(set(priorityclassname_in)):
print(pcl_container, file=self.file_obj)
print_msg_box('######## Service account mounted in below containers ########', file_obj=self.file_obj)
for sac_container in list(set(service_account_in)):
print(sac_container, file=self.file_obj)
print_msg_box('######## Secret mounted in below containers ########', file_obj=self.file_obj)
for mounted in list(set(mounted_in)):
print(mounted, file=self.file_obj)
print_msg_box('######## Docker Socket mounted in below containers ########', file_obj=self.file_obj)
for docker_socket in list(set(docker_sock_containers)):
print(docker_socket, file=self.file_obj)
print(stylize("\n[+] Identified Misonfigured containers ........................................\n",
fg("green_1")))
print("[+] Identified Misonfigured containers ........................................",
file=self.file_obj)
if pvl_containers:
resource_available("Containers with High Privileges", self.file_obj)
if livenessprobe:
resource_available("Containers with missing liveness Probe", self.file_obj)
if readnessprobe:
resource_available("Containers with missing readiness Probe", self.file_obj)
if cpu:
resource_available("Containers with missing CPU Limit", self.file_obj)
if memory:
resource_available("Containers with missing Memory Limit", self.file_obj)
if priorityclassname_in:
resource_available("Containers with missing Priorityclassname", self.file_obj)
if service_account_in:
resource_available("Containers with ServiceAccount Mounted", self.file_obj)
if mounted_in:
resource_available("Conatiners with Secrets Mounted", self.file_obj)
if docker_sock_containers:
resource_available("Containers with Docker socket Mount", self.file_obj)
else:
print("\nPod or deployment data not available", file=self.file_obj)