KubiScan v1.4 releases: scan Kubernetes cluster for risky permissions
KubiScan is a tool for scanning a Kubernetes cluster for risky permissions in Kubernetes's Role-Based Access Control (RBAC) authorization model. It was published as part of the "Securing Kubernetes Clusters by Eliminating Risky Permissions" research.
KubiScan helps cluster administrators identify permissions that attackers could potentially exploit to compromise the clusters. This can be especially helpful in large environments where there are lots of permissions that can be challenging to track. KubiScan gathers information about risky roles\clusterroles, rolebindings\clusterrolebindings, users, and pods, automating traditionally manual processes and giving administrators the visibility they need to reduce risk.
What can it do?
- Identify risky Roles\ClusterRoles
- Identify risky RoleBindings\ClusterRoleBindings
- Identify risky Subjects (Users, Groups, and ServiceAccounts)
- Identify risky Pods\Containers
- Dump tokens from pods (all or by namespace)
- Get associated RoleBindings\ClusterRoleBindings to Role, ClusterRole or Subject (user, group or service account)
- List Subjects with specific kind (‘User’, ‘Group’ or ‘ServiceAccount’)
- List rules of RoleBinding or ClusterRoleBinding
- Show Pods that have access to secret data through a volume or environment variables
- Get bootstrap tokens for the cluster
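The first four items above are the RBAC side of the scan: find Roles/ClusterRoles whose rules grant permissions an attacker can chain into cluster compromise, then follow RoleBindings/ClusterRoleBindings to the Users, Groups and ServiceAccounts that hold them. The following is an added example of that logic, not KubiScan's own code or its risk definitions. The role and binding objects are constructed inline in the shape `kubectl get ... -o json` returns, and the `RISKY_PATTERNS` list is an assumed, example-chosen set of verb/resource pairs (wildcards, reading secrets, exec into pods, creating workloads, impersonation, bind/escalate); a real scan would load the objects from the API server and use the project's own risk rules.

```python
"""Added example (not KubiScan's own code): flag risky RBAC rules in
Role/ClusterRole objects and map them to subjects through bindings."""

# Constructed sample objects, shaped like items from
# `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`.
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-exec", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "Role", "metadata": {"name": "configmap-reader", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-exec", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-exec"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "cm", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "configmap-reader"},
     "subjects": [{"kind": "Group", "name": "devs"}]},
]

# Assumed risk criteria for this example (label, verbs, resources). A rule is
# a hit when it grants at least one listed verb on at least one listed
# resource; "*" in the rule matches everything.
RISKY_PATTERNS = [
    ("any verb on any resource", {"*"}, {"*"}),
    ("read secrets", {"get", "list", "watch"}, {"secrets"}),
    ("exec into pods", {"create"}, {"pods/exec"}),
    ("create workloads", {"create"},
     {"pods", "deployments", "daemonsets", "jobs", "cronjobs", "replicasets", "statefulsets"}),
    ("impersonate", {"impersonate"}, {"users", "groups", "serviceaccounts"}),
    ("bind or escalate RBAC", {"bind", "escalate"},
     {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}),
]


def rule_matches(rule, verbs, resources):
    rule_verbs = set(rule.get("verbs", []))
    rule_res = set(rule.get("resources", []))
    verb_hit = "*" in rule_verbs or bool(rule_verbs & verbs)
    res_hit = "*" in rule_res or bool(rule_res & resources)
    return verb_hit and res_hit


def role_key(kind, name, namespace=None):
    # Roles are namespaced, ClusterRoles are not; the key mirrors that.
    return f"{kind}/{namespace}/{name}" if namespace else f"{kind}/{name}"


def risky_roles(roles):
    """Return {role key: [reasons]} for every role with at least one risky rule."""
    findings = {}
    for role in roles:
        meta = role["metadata"]
        reasons = []
        for rule in role.get("rules", []):
            for label, verbs, resources in RISKY_PATTERNS:
                if rule_matches(rule, verbs, resources) and label not in reasons:
                    reasons.append(label)
        if reasons:
            findings[role_key(role["kind"], meta["name"], meta.get("namespace"))] = reasons
    return findings


def risky_subjects(roles, bindings):
    """Map each subject bound to a risky role to {role key: reasons}."""
    risky = risky_roles(roles)
    out = {}
    for b in bindings:
        ref = b["roleRef"]
        # A RoleBinding may reference a ClusterRole; the grant is then limited
        # to the binding's namespace, but the rules come from the ClusterRole.
        ns = None if ref["kind"] == "ClusterRole" else b["metadata"]["namespace"]
        key = role_key(ref["kind"], ref["name"], ns)
        if key not in risky:
            continue
        for s in b.get("subjects", []):
            skey = role_key(s["kind"], s["name"], s.get("namespace"))
            out.setdefault(skey, {})[key] = risky[key]
    return out


if __name__ == "__main__":
    for subject, grants in risky_subjects(SAMPLE_ROLES, SAMPLE_BINDINGS).items():
        for key, reasons in grants.items():
            print(f"{subject} <- {key}: {', '.join(reasons)}")
```

Running it prints alice via cluster-admin with every reason, and the `dev/ci` ServiceAccount via `pod-exec`; the `devs` group, bound only to a ConfigMap reader, is not reported. Note that aggregated ClusterRoles and the `system:` built-ins would need the same treatment on a live cluster.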
Changelog v1.4
- Added check for hostPID and hostIPC
- Added parsing of the pod's spec for hostPID and hostIPC
- Added support for hostNetwork and hostPorts
- Added printing of hostPorts and hostNetwork information
- Removed debug printing of the pod name
- Fixed wrong indents in the risk YAML file
- Added support for hostPath volumes in containers
- Added printing of volumes with hostPaths mounted into a container
- Added the mounted path inside the container
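The v1.4 changes are all pod-spec checks: hostPID, hostIPC and hostNetwork flags, hostPorts, and hostPath volumes resolved to the path where each container mounts them. Together with the "Pods that have access to secret data" feature above, that is a walk over `pod.spec` and its containers. The following is an added example of such a walk, not KubiScan's own code. The three pods are constructed inline in the shape `kubectl get pods -A -o json` returns; a real scan would read them from the API server. A hostPath volume that is declared but never mounted is deliberately not reported, since the check is about what the container can reach.

```python
"""Added example (not KubiScan's own code): walk pod specs for host-level
settings (hostPID, hostIPC, hostNetwork, hostPorts, hostPath mounts with the
in-container path) and for secret exposure via volumes or environment."""

# Constructed sample pods, shaped like items from `kubectl get pods -A -o json`.
SAMPLE_PODS = [
    {"metadata": {"name": "node-debug", "namespace": "kube-system"},
     "spec": {"hostPID": True, "hostNetwork": True,
              "volumes": [{"name": "root", "hostPath": {"path": "/"}},
                          {"name": "tmp", "emptyDir": {}}],
              "containers": [{"name": "shell", "image": "busybox",
                              "ports": [{"containerPort": 8080, "hostPort": 8080}],
                              "volumeMounts": [{"name": "root", "mountPath": "/host"},
                                               {"name": "tmp", "mountPath": "/tmp"}]}]}},
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}}],
              "containers": [{"name": "nginx", "image": "nginx",
                              "ports": [{"containerPort": 80}],
                              "env": [{"name": "DB_PASS", "valueFrom": {
                                  "secretKeyRef": {"name": "db-creds", "key": "password"}}}],
                              "volumeMounts": [{"name": "tls", "mountPath": "/etc/tls"}]}]}},
    {"metadata": {"name": "log-agent", "namespace": "logging"},
     "spec": {"volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}},
                          {"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
              "containers": [{"name": "agent", "image": "fluentd",
                              "volumeMounts": [
                                  {"name": "varlog", "mountPath": "/var/log", "readOnly": True},
                                  {"name": "sock", "mountPath": "/var/run/docker.sock"}]}]}},
]


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def host_path_mounts(spec):
    """(container, host path, mount path inside the container, readOnly) for
    each hostPath volume that a container actually mounts."""
    host_vols = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes", []) if "hostPath" in v}
    return [(c["name"], host_vols[m["name"]], m["mountPath"], bool(m.get("readOnly")))
            for c in _containers(spec)
            for m in c.get("volumeMounts", []) if m["name"] in host_vols]


def host_ports(spec):
    """(container, hostPort, containerPort) for every port bound on the node."""
    return [(c["name"], p["hostPort"], p.get("containerPort"))
            for c in _containers(spec)
            for p in c.get("ports", []) if "hostPort" in p]


def secret_refs(spec):
    """(container, how it is exposed, secret name) for each secret a container can read."""
    secret_vols = {v["name"]: v["secret"]["secretName"]
                   for v in spec.get("volumes", []) if "secret" in v}
    refs = []
    for c in _containers(spec):
        for m in c.get("volumeMounts", []):
            if m["name"] in secret_vols:
                refs.append((c["name"], "volume:" + m["mountPath"], secret_vols[m["name"]]))
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.append((c["name"], "env:" + e["name"], ref["name"]))
        for ef in c.get("envFrom", []):
            if "secretRef" in ef:
                refs.append((c["name"], "envFrom", ef["secretRef"]["name"]))
    return refs


def scan_pod(pod):
    spec = pod["spec"]
    r = {"pod": f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}',
         "hostPID": bool(spec.get("hostPID")), "hostIPC": bool(spec.get("hostIPC")),
         "hostNetwork": bool(spec.get("hostNetwork")),
         "hostPorts": host_ports(spec), "hostPaths": host_path_mounts(spec),
         "secrets": secret_refs(spec)}
    # Host namespaces, host ports and hostPath mounts all reach past the pod onto the node.
    r["host_risky"] = (r["hostPID"] or r["hostIPC"] or r["hostNetwork"]
                       or bool(r["hostPorts"]) or bool(r["hostPaths"]))
    return r


def scan_pods(pods, namespace=None):
    """Pods with host-level access, optionally limited to one namespace."""
    return [r for r in map(scan_pod, pods)
            if r["host_risky"] and (namespace is None or r["pod"].startswith(namespace + "/"))]


def pods_with_secret_access(pods):
    return [(r["pod"],) + ref for r in map(scan_pod, pods) for ref in r["secrets"]]


if __name__ == "__main__":
    for r in scan_pods(SAMPLE_PODS):
        flags = [k for k in ("hostPID", "hostIPC", "hostNetwork") if r[k]]
        print(r["pod"], "flags:", ",".join(flags) or "-", "hostPorts:", r["hostPorts"])
        for c, hp, mp, ro in r["hostPaths"]:
            print(f"  {c}: hostPath {hp} -> {mp}{' (ro)' if ro else ''}")
    for row in pods_with_secret_access(SAMPLE_PODS):
        print("secret:", row)
```

The `node-debug` pod is the classic node-takeover shape (host PID and network namespaces plus `/` mounted at `/host`); `log-agent` is flagged for the container runtime socket even though its other mount is read-only, and `web` shows up only in the secret report. The readOnly flag is carried through because a read-only `/var/log` and a writable runtime socket are very different findings.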
Copyright (C) 2018