
vchinnipilli / Kubestriker

Licence: apache-2.0
A Blazing fast Security Auditing tool for Kubernetes

Programming Languages

python
139335 projects - #7 most used programming language

Projects that are alternatives of or similar to Kubestriker

Docker Swarm
🐳🐳🐳 This repository is part of a blog series on Docker Swarm example using VirtualBox, OVH Openstack, Azure and Amazon Web Services AWS
Stars: ✭ 43 (-79.81%)
Mutual labels:  automation, aws, azure, devops
Electriceye
Continuously monitor your AWS services for configurations that can lead to degradation of confidentiality, integrity or availability. All results will be sent to Security Hub for further aggregation and analysis.
Stars: ✭ 255 (+19.72%)
Mutual labels:  automation, aws, security-tools, security-audit
Learn Devops
🚧 Learn the craft of "DevOps" (Developer Operations) to Deploy your App and Monitor it so it stays "Up"!
Stars: ✭ 139 (-34.74%)
Mutual labels:  automation, aws, azure, devops
Devops Exercises
Linux, Jenkins, AWS, SRE, Prometheus, Docker, Python, Ansible, Git, Kubernetes, Terraform, OpenStack, SQL, NoSQL, Azure, GCP, DNS, Elastic, Network, Virtualization. DevOps Interview Questions
Stars: ✭ 20,905 (+9714.55%)
Mutual labels:  aws, azure, devops, containers
Mist Ce
Mist is an open source, multi-cloud management platform
Stars: ✭ 1,391 (+553.05%)
Mutual labels:  aws, devops, containers
Cloudsploit
Cloud Security Posture Management (CSPM)
Stars: ✭ 1,338 (+528.17%)
Mutual labels:  aws, azure, security-audit
Terrascan
Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
Stars: ✭ 2,687 (+1161.5%)
Mutual labels:  aws, devops, security-tools
Ladder
A general purpose extensible autoscaler for the cloud
Stars: ✭ 143 (-32.86%)
Mutual labels:  automation, aws, containers
Devops Resources
DevOps resources - Linux, Jenkins, AWS, SRE, Prometheus, Docker, Python, Ansible, Git, Kubernetes, Terraform, OpenStack, SQL, NoSQL, Azure, GCP
Stars: ✭ 1,194 (+460.56%)
Mutual labels:  aws, devops, containers
Terraform
Terraform automation for Cloud
Stars: ✭ 121 (-43.19%)
Mutual labels:  automation, aws, devops
Terrahub
Terraform Automation and Orchestration Tool (Open Source)
Stars: ✭ 148 (-30.52%)
Mutual labels:  automation, devops, containers
Aws Securitygroup Grapher
This ansible role gets information from an AWS VPC and generate a graphical representation of security groups
Stars: ✭ 93 (-56.34%)
Mutual labels:  aws, security-tools, security-audit
Aws Automation
AWS automation scripts and lambda functions
Stars: ✭ 81 (-61.97%)
Mutual labels:  automation, aws, devops
Dockle
Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
Stars: ✭ 1,713 (+704.23%)
Mutual labels:  security-tools, security-audit, containers
Azure
Azure-related repository
Stars: ✭ 78 (-63.38%)
Mutual labels:  automation, azure, devops
Crithit
Takes a single wordlist item and tests it one by one over a large collection of websites before moving onto the next. Create signatures to cross-check vulnerabilities over multiple hosts.
Stars: ✭ 182 (-14.55%)
Mutual labels:  security-tools, infosec, security-audit
Kitten
Tiny multi-server automation tool
Stars: ✭ 171 (-19.72%)
Mutual labels:  automation, aws, devops
Mcw Cloud Native Applications
MCW Cloud-native applications
Stars: ✭ 184 (-13.62%)
Mutual labels:  azure, devops, containers
Checkov
Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew.
Stars: ✭ 3,572 (+1577%)
Mutual labels:  aws, azure, devops
Lynis
Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
Stars: ✭ 9,137 (+4189.67%)
Mutual labels:  devops, security-tools, security-audit


A Blazing fast Security Auditing tool for kubernetes!!


Basic Overview

Kubestriker performs numerous in-depth checks on Kubernetes infrastructure to identify the security misconfigurations and challenges that DevOps engineers and developers are likely to encounter when using Kubernetes, especially in production and at scale.

Kubestriker is platform agnostic and works equally well across self-hosted Kubernetes, Amazon EKS, Azure AKS, Google GKE and other platforms.

Table of content

How To Install

Clone the repo and install

To install this tool, or to clone and run this application, you'll need Git, python3 and pip installed on your computer. It is advised that you install this tool in a virtual environment.

From your command line:

# Create python virtual environment
$ python3 -m venv env

# Activate python virtual environment
$ source env/bin/activate

# Clone this repository
$ git clone https://github.com/vchinnipilli/kubestriker.git

# Go into the repository
$ cd kubestriker

# Install dependencies
$ pip install -r requirements.txt

# In case of prompt-toolkit or selectmenu errors, pin prompt-toolkit and reinstall the dependencies
$ pip install prompt-toolkit==1.0.15
$ pip install -r requirements.txt

# Gearing up Kubestriker
$ python -m kubestriker

# Result will be generated in the current working directory with the name of the target

Install using pip

To install and run this application, you'll need pip installed on your computer. From your command line:

# Create python virtual environment
$ python3 -m venv env

# Activate python virtual environment
$ source env/bin/activate

# Install using pip
$ pip install kubestriker

# In case of prompt-toolkit or selectmenu errors, pin prompt-toolkit and reinstall
$ pip install prompt-toolkit==1.0.15
$ pip install kubestriker

# Gearing up Kubestriker
$ python -m kubestriker

# Result will be generated in the current working directory with the name of the target

How to spin up kubestriker container

Use this link to view the latest Kubestriker container releases.

# Spinning up the kubestriker Container
$ docker run -it --rm -v /Users/vasantchinnipilli/.kube/config:/root/.kube/config -v "$(pwd)":/kubestriker --name kubestriker cloudsecguy/kubestriker:v1.0.0

# Replace the user vasantchinnipilli above with your own username, or mount your kubeconfig file by its absolute path
$ docker run -it --rm -v /Users/<yourusername>/.kube/config:/root/.kube/config -v "$(pwd)":/kubestriker --name kubestriker cloudsecguy/kubestriker:v1.0.0

# Gearing up Kubestriker
$ python -m kubestriker

# Result will be generated in the current working directory with the name of the target

Types of Scans

Authenticated scans

An authenticated scan expects the user to have at least read-only privileges and to provide a token during the scan. Please use the links below to create read-only users:

Create a read-only user for Amazon EKS
Create a read-only user for Azure AKS
Create a read-only user for Google GKE
Create a subject using Role Based Access Control

# To grab a token from eks cluster
$ aws eks get-token --cluster-name cluster-name --region ap-southeast-2

# To grab a token from aks cluster
$ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

# To grab a token from gke cluster
$ gcloud container clusters get-credentials CLUSTER_NAME --zone=COMPUTE_ZONE

# To grab a token from a service account (the secret stores it base64-encoded, so decode it)
$ kubectl -n namespace get secret serviceaccount-token -o jsonpath='{.data.token}' | base64 --decode

# To grab a token from a pod directly or via a command execution bug
$ cat /run/secrets/kubernetes.io/serviceaccount/token
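As an added example that is not part of the Kubestriker project, the following manifest defines a least-privilege read-only subject for the authenticated scan using Kubernetes RBAC; the names (kubestriker-audit, kubestriker-audit-readonly, kubestriker-audit-token) and the kube-system namespace are assumptions.

```yaml
# Added example, not from the Kubestriker project; all names are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubestriker-audit
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubestriker-audit-readonly
rules:
  # Read verbs only; secrets are deliberately left out so the audit
  # identity cannot be used to harvest credentials if its token leaks.
  - apiGroups: [""]
    resources: ["pods", "services", "nodes", "namespaces", "serviceaccounts"]
    verbs: ["get", "list"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
    verbs: ["get", "list"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["get", "list"]
  - apiGroups: ["policy"]   # PodSecurityPolicy only exists on clusters below 1.25
    resources: ["podsecuritypolicies"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubestriker-audit-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubestriker-audit-readonly
subjects:
  - kind: ServiceAccount
    name: kubestriker-audit
    namespace: kube-system
---
# Explicit token Secret: from Kubernetes 1.24 on, one is no longer created automatically.
apiVersion: v1
kind: Secret
metadata:
  name: kubestriker-audit-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: kubestriker-audit
type: kubernetes.io/service-account-token
```

Note that running commands inside containers (listed under Current Capabilities) requires create on pods/exec, which this role deliberately withholds; grant it only through a separate, short-lived binding if that feature is needed.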

Unauthenticated scans

An unauthenticated scan will succeed if anonymous access is permitted on the target cluster. It covers:

Identifying an open insecure port on a Kubernetes master node

Identifying a worker node with the kubelet read-write and read-only ports open

Current Capabilities

  • Scans self-managed and cloud-provider-managed Kubernetes infrastructure
  • Reconnaissance phase checks for various services and open ports
  • Performs automated scans when insecure, read-write or read-only services are enabled
  • Performs both authenticated and unauthenticated scans
  • Scans for a wide range of IAM misconfigurations in the cluster
  • Scans for a wide range of misconfigured containers
  • Scans for a wide range of misconfigured Pod Security Policies
  • Scans for a wide range of misconfigured network policies
  • Scans the privileges of a subject in the cluster
  • Runs commands on containers and streams back the output
  • Provides the endpoints of the misconfigured services
  • Provides possible privilege escalation details
  • Elaborate report with detailed explanations

Future improvements

  • Automated exploitation based on the issues identified
  • API and CI/CD automation friendly
  • A decent front end to make life easier

Suggestions

Kubestriker is open source and emailware, meaning that if you liked using this tool, if it has helped you in any way, or if you have any suggestions or improvements, I'd like you to send me an email at [email protected] about anything you'd want to say about this tool. I'd really appreciate it!

Contributors

Statistics

License

Apache License

Support

Vasant Chinnipilli builds and maintains Kubestriker to audit and secure Kubernetes infrastructure.

Start with the Documentation, which will be available soon, for quick tutorials and examples.

If you need direct support you can contact me at [email protected].

Find me here!!

cloudsecguy.dev
