Eathar is a program designed to quickly pull some interesting security-related information from Kubernetes clusters. Three categories of checks have been implemented so far: Pod Security Standards (`pss`), general cluster information (`info`) and RBAC (`rbac`).

Eathar can check the pods and containers running in the cluster for the settings covered by the Pod Security Standards.
To run all checks just use the top-level `pss` command. To run a specific check, use the name of the check below as the subcommand to `pss`. For example, to run the hostpid check you would run `eathar pss hostpid`.
- `hostpid` - Provides a list of pods in the cluster configured to use Host PID.
- `hostnet` - Provides a list of pods in the cluster configured to use Host Networking.
- `hostipc` - Provides a list of pods in the cluster configured to use Host IPC.
- `hostports` - Provides a list of containers in the cluster configured to use Host Ports.
- `hostpath` - Provides a list of pods that mount host path volumes.
- `hostprocess` - Provides a list of Windows pods and containers that run with hostprocess rights.
- `privileged` - Provides a list of containers in the cluster configured to be privileged.
- `allowprivesc` - Provides a list of containers in the cluster configured to allow privilege escalation.
- `capadded` - Provides a list of containers which have capabilities added over the default set.
- `cadropped` - Provides a list of containers which have capabilities dropped from the default set.
- `seccomp` - Looks for containers which have no seccomp profile specified, or have it explicitly set to unconfined.
- `apparmor` - Looks for containers where the AppArmor profile is explicitly set to unconfined.
- `procmount` - Looks for containers with an unmasked proc filesystem mount.
- `sysctl` - Looks for dangerous sysctls being set.
- `all` - Runs all configured checks.
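The following Python is an added example, not Eathar's own code. It re-implements the `pss` checks listed above as plain functions over a pod list shaped like the output of `kubectl get pods -A -o json`, so the pod-spec fields each check reads are explicit and the logic can be exercised offline. The two pods, their images and names, the `SAFE_SYSCTLS` set and the check names used as dictionary keys are this example's own assumptions; `exclude` mirrors the `--exclude` flag described later in this README.

```python
"""Eathar-style Pod Security Standards (PSS) checks, re-implemented offline.
Added example, not Eathar's own code. The pods below are constructed, not real."""

# Sysctls the PSS baseline profile allows (abbreviated to the long-standing
# entries); anything else is reported by the `sysctl` check.
SAFE_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies",
                "net.ipv4.ip_unprivileged_port_start", "net.ipv4.ping_group_range"}

CHECKS = ("hostpid", "hostnet", "hostipc", "hostports", "hostpath", "hostprocess",
          "privileged", "allowprivesc", "capadded", "cadropped", "seccomp",
          "apparmor", "procmount", "sysctl")

SAMPLE_PODS = {"items": [  # constructed sample data in `kubectl get pods -o json` shape
    {"metadata": {"name": "node-agent", "namespace": "kube-system",
                  "annotations": {"container.apparmor.security.beta.kubernetes.io/agent": "unconfined"}},
     "spec": {"hostPID": True, "hostNetwork": True,
              "securityContext": {"sysctls": [{"name": "net.core.somaxconn", "value": "1024"}]},
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "agent", "image": "example.com/agent:1.0",
                              "ports": [{"containerPort": 9100, "hostPort": 9100}],
                              "securityContext": {"privileged": True, "procMount": "Unmasked",
                                                  "capabilities": {"add": ["SYS_ADMIN"], "drop": ["ALL"]}}}]}},
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "web", "image": "example.com/web:2.3",
                              "securityContext": {"allowPrivilegeEscalation": False,
                                                  "seccompProfile": {"type": "Unconfined"}}}]}},
]}


def _containers(spec):
    """Yield init, regular and ephemeral containers alike."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])


def _seccomp_type(spec, container):
    """A container-level seccompProfile overrides the pod-level one."""
    profile = ((container.get("securityContext") or {}).get("seccompProfile")
               or (spec.get("securityContext") or {}).get("seccompProfile"))
    return profile.get("type") if profile else None


def _apparmor_unconfined(pod, container):
    """Honour both the legacy annotation and the securityContext field (1.30+)."""
    annotation = (pod["metadata"].get("annotations") or {}).get(
        "container.apparmor.security.beta.kubernetes.io/" + container["name"])
    field = ((container.get("securityContext") or {}).get("appArmorProfile") or {}).get("type")
    return annotation == "unconfined" or field == "Unconfined"


def pss_findings(pod_list, exclude=()):
    """Return {check: [finding, ...]}; `exclude` is the set of namespaces to skip."""
    found = {check: [] for check in CHECKS}
    for pod in pod_list["items"]:
        ns, name, spec = pod["metadata"]["namespace"], pod["metadata"]["name"], pod["spec"]
        if ns in exclude:
            continue
        ref, psc = f"{ns}/{name}", spec.get("securityContext") or {}
        for check, field in (("hostpid", "hostPID"), ("hostnet", "hostNetwork"), ("hostipc", "hostIPC")):
            if spec.get(field):
                found[check].append(ref)
        if any("hostPath" in v for v in spec.get("volumes", [])):
            found["hostpath"].append(ref)
        if (psc.get("windowsOptions") or {}).get("hostProcess"):
            found["hostprocess"].append(ref)
        for sysctl in psc.get("sysctls", []):
            if sysctl["name"] not in SAFE_SYSCTLS:
                found["sysctl"].append(f"{ref} ({sysctl['name']})")
        for c in _containers(spec):
            cref, sc = f"{ref}/{c['name']}", c.get("securityContext") or {}
            caps = sc.get("capabilities") or {}
            if any("hostPort" in p for p in c.get("ports", [])):
                found["hostports"].append(cref)
            if sc.get("privileged"):
                found["privileged"].append(cref)
            # The API default is true, so only an explicit false counts as safe.
            if sc.get("allowPrivilegeEscalation") is not False:
                found["allowprivesc"].append(cref)
            if caps.get("add"):
                found["capadded"].append(cref)
            if caps.get("drop"):
                found["cadropped"].append(cref)
            if _seccomp_type(spec, c) in (None, "Unconfined"):
                found["seccomp"].append(cref)
            if _apparmor_unconfined(pod, c):
                found["apparmor"].append(cref)
            if sc.get("procMount") == "Unmasked":
                found["procmount"].append(cref)
    return found


if __name__ == "__main__":
    for check, hits in pss_findings(SAMPLE_PODS).items():
        print(f"{check:14s} {', '.join(hits) or '-'}")
```

Two details are worth noting when reading the results: `allowprivesc` reports a container whenever `allowPrivilegeEscalation` is not explicitly `false`, because the API defaults it to `true`; and the `seccomp` check resolves the effective profile (container setting over pod setting), so `default/web/web` is reported even though its pod sets `RuntimeDefault`.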
Eathar also has some general cluster information checks. You can run all of these using the `info` command, or you can run a specific check using the name of the check below as the subcommand to `info`. For example, to run the imagelist check you would run `eathar info imagelist`.

- `imagelist` - Provides a list of images used in the cluster.
Eathar can also provide some information about how RBAC is configured in the cluster, which could be useful for checking whether any roles or clusterroles are overly permissive. The goal is to cover the privilege escalation permissions from the Kubernetes RBAC Good Practices document.

You can run all of these using the `rbac` command, or you can run a specific check using the name of the check below as the subcommand to `rbac`. For example, to run the clusteradminusers check you would run `eathar rbac clusteradminusers`.

- `clusteradminusers` - Provides a list of users/groups/service accounts who have the `cluster-admin` clusterrole.
- `getsecretsuser` - Provides a list of users/groups/service accounts who have `get` or `list` access to secrets at the cluster level.
- `persistentvolumecreationuser` - Provides a list of users/groups/service accounts who have `create` access to persistentvolumes at the cluster level.
- `impersonateuser` - Provides a list of users/groups/service accounts who have `impersonate` access to other users/groups/service accounts at the cluster level.
- `binduser` - Provides a list of users/groups/service accounts who have `bind` access to clusterroles at the cluster level.
- `escalate` - Provides a list of users/groups/service accounts who have `escalate` access to clusterroles at the cluster level.
- `validatingwebhookuser` - Provides a list of users/groups/service accounts who have `create`, `update`, `patch` or `delete` access to validatingwebhookconfigurations at the cluster level.
- `mutatingwebhookuser` - Provides a list of users/groups/service accounts who have `create`, `update`, `patch` or `delete` access to mutatingwebhookconfigurations at the cluster level.
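The following Python is an added example, not Eathar's own code. It shows how the `rbac` checks above can be derived from ClusterRole and ClusterRoleBinding objects (in `kubectl get clusterroles,clusterrolebindings -o json` shape): each check is a (API group, resources, verbs) triple, and a subject is reported when a ClusterRole bound to it has a rule granting any of those verbs, with `*` treated as a wildcard so a cluster-admin-equivalent role matches every check. Only ClusterRoleBindings are considered, because a RoleBinding that references a ClusterRole grants it inside one namespace rather than at the cluster level. The roles, bindings, subjects and the `RISKY` table are this example's own constructed assumptions; `resourceNames` restrictions are not evaluated.

```python
"""Eathar-style RBAC checks, re-implemented offline over ClusterRoles and
ClusterRoleBindings. Added example, not Eathar's own code; sample objects are constructed."""

# check name -> (apiGroup, resources, verbs) that mark a subject as risky at cluster level.
RISKY = {
    "getsecretsuser": ("", {"secrets"}, {"get", "list"}),
    "persistentvolumecreationuser": ("", {"persistentvolumes"}, {"create"}),
    "impersonateuser": ("", {"users", "groups", "serviceaccounts"}, {"impersonate"}),
    "binduser": ("rbac.authorization.k8s.io", {"clusterroles"}, {"bind"}),
    "escalate": ("rbac.authorization.k8s.io", {"clusterroles"}, {"escalate"}),
    "validatingwebhookuser": ("admissionregistration.k8s.io", {"validatingwebhookconfigurations"},
                              {"create", "update", "patch", "delete"}),
    "mutatingwebhookuser": ("admissionregistration.k8s.io", {"mutatingwebhookconfigurations"},
                            {"create", "update", "patch", "delete"}),
}

SAMPLE_CLUSTERROLES = {"items": [  # constructed sample data
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "rbac-manager"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["bind", "escalate"]}]},
    {"metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]}

SAMPLE_CLUSTERROLEBINDINGS = {"items": [  # constructed sample data
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}, {"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "prometheus-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "prometheus", "namespace": "monitoring"}]},
    {"metadata": {"name": "operator-rbac"},
     "roleRef": {"kind": "ClusterRole", "name": "rbac-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "operator", "namespace": "kube-system"}]},
    {"metadata": {"name": "bob-pods"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]}


def _subject_ref(subject):
    """Render a subject as Kind/name, or ServiceAccount/namespace/name."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount/{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


def rule_grants(rule, api_group, resources, verbs):
    """True if one PolicyRule grants any of `verbs` on any of `resources` in `api_group`.
    A "*" entry in any field is a wildcard, which is why cluster-admin matches every check."""
    groups, res, rule_verbs = rule.get("apiGroups", []), rule.get("resources", []), rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and ("*" in res or bool(resources & set(res)))
            and ("*" in rule_verbs or bool(verbs & set(rule_verbs))))


def rbac_findings(clusterroles, clusterrolebindings):
    """Return {check: [subject, ...]} for cluster-admin and each RISKY permission set."""
    roles = {r["metadata"]["name"]: r.get("rules", []) for r in clusterroles["items"]}
    found = {"clusteradminusers": [], **{check: [] for check in RISKY}}
    for binding in clusterrolebindings["items"]:
        ref = binding["roleRef"]
        if ref["kind"] != "ClusterRole":  # defensive; ClusterRoleBindings can only reference ClusterRoles
            continue
        subjects = [_subject_ref(s) for s in binding.get("subjects", [])]
        if ref["name"] == "cluster-admin":
            found["clusteradminusers"] += [s for s in subjects if s not in found["clusteradminusers"]]
        for check, (group, resources, verbs) in RISKY.items():
            if any(rule_grants(rule, group, resources, verbs) for rule in roles.get(ref["name"], [])):
                found[check] += [s for s in subjects if s not in found[check]]
    return found


if __name__ == "__main__":
    for check, hits in rbac_findings(SAMPLE_CLUSTERROLES, SAMPLE_CLUSTERROLEBINDINGS).items():
        print(f"{check:28s} {', '.join(hits) or '-'}")
```

With the constructed data, `system:masters` and `alice` appear under every check because the `cluster-admin` rules are all wildcards, the `monitoring/prometheus` service account appears only under `getsecretsuser`, the `kube-system/operator` service account under `binduser` and `escalate`, and `bob` under none of them. A ClusterRole with a rule such as `resources: ["*"]` or `verbs: ["*"]` in a narrower API group is reported the same way as an explicit grant, which is exactly the case a reviewer wants surfaced.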
Eathar connects to whichever Kubernetes cluster your current kubeconfig context points at, and it sees only what that identity is allowed to read: if the context lacks permission to list pods across all namespaces, or to read clusterroles and clusterrolebindings, the corresponding checks will be incomplete.
If you want to exclude certain namespaces from the checks you can use the `--exclude` flag. For example, to exclude the `kube-system` and `kube-public` namespaces you would run `eathar pss --exclude kube-system,kube-public`.
By default, reporting is to STDOUT in text format. There are a couple of options for changing that:

- `-j` will output JSON
- `--htmlrep` will output HTML
- `-f <FILENAME>` sends output to a file (`.txt`, `.html` or `.json` is appended to the name specified, depending on the format chosen)

The HTML report renders each check as a basic table.
The `architecture.md` file in the `docs` directory has some notes on structure and design decisions.

An eathar is a small boat in Scots Gaelic.