Kubernetes Auto Analyzer Report

Master Node Results

' #Charting setup counts for the passes and fails api_server_pass = 0 api_server_fail = 0 @results[@options.target_server]['api_server'].each do |test, result| if result == "Pass" api_server_pass = api_server_pass + 1 elsif result == "Fail" api_server_fail = api_server_fail + 1 end end #Not a lot of point in scheduler when there's only one check... #scheduler_pass = 0 #scheduler_fail = 0 #@results[@options.target_server]['scheduler'].each do |test, result| # if result == "Pass" # scheduler_pass = scheduler_pass + 1 # elsif result == "Fail" # scheduler_fail = scheduler_fail + 1 # end #end controller_manager_pass = 0 controller_manager_fail = 0 @results[@options.target_server]['controller_manager'].each do |test, result| if result == "Pass" controller_manager_pass = controller_manager_pass + 1 elsif result == "Fail" controller_manager_fail = controller_manager_fail + 1 end end etcd_pass = 0 etcd_fail = 0 @results[@options.target_server]['etcd'].each do |test, result| if result == "Pass" etcd_pass = etcd_pass + 1 elsif result == "Fail" etcd_fail = etcd_fail + 1 end end #Start of Chart Divs @html_report_file.puts '

' #API Server Chart @html_report_file.puts '

' @html_report_file.puts '' #Scheduler Chart #@html_report_file.puts '

' #@html_report_file.puts '' #Controller Manager Chart @html_report_file.puts '

' @html_report_file.puts '' #etcd Chart @html_report_file.puts '

' @html_report_file.puts '' #End of Chart Divs @html_report_file.puts '

' @html_report_file.puts "

API Server

" @html_report_file.puts "" @results[@options.target_server]['api_server'].each do |test, result| if result == "Fail" result = 'Fail' elsif result == "Pass" result = 'Pass' end @html_report_file.puts "" end @html_report_file.puts "

Check	result
#{test}	#{result}

" @html_report_file.puts "

" @html_report_file.puts "

Scheduler

" @html_report_file.puts "" @results[@options.target_server]['scheduler'].each do |test, result| if result == "Fail" result = 'Fail' elsif result == "Pass" result = 'Pass' end @html_report_file.puts "" end @html_report_file.puts "

Check	result
#{test}	#{result}

" @html_report_file.puts "

" @html_report_file.puts "

Controller Manager

" @html_report_file.puts "" @results[@options.target_server]['controller_manager'].each do |test, result| if result == "Fail" result = 'Fail' elsif result == "Pass" result = 'Pass' end @html_report_file.puts "" end @html_report_file.puts "

Check	result
#{test}	#{result}

" @html_report_file.puts "

" @html_report_file.puts "

etcd

" @html_report_file.puts "" @results[@options.target_server]['etcd'].each do |test, result| if result == "Fail" result = 'Fail' elsif result == "Pass" result = 'Pass' end @html_report_file.puts "" end @html_report_file.puts "

Check	result
#{test}	#{result}

" #Show what cluster authentication modes are supported. @html_report_file.puts "

" @html_report_file.puts "

Kubernetes Authentication Options

" @html_report_file.puts "" if @results[@options.target_server]['api_server']['CIS 1.1.2 - Ensure that the --basic-auth-file argument is not set'] == "Fail" @html_report_file.puts "" else @html_report_file.puts "" end if @results[@options.target_server]['api_server']['CIS 1.1.20 - Ensure that the --token-auth-file argument is not set'] == "Fail" @html_report_file.puts "" else @html_report_file.puts "" end if @results[@options.target_server]['api_server']['CIS 1.1.29 - Ensure that the --client-ca-file argument is set as appropriate'] == "Pass" @html_report_file.puts "" else @html_report_file.puts "" end if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--oidc-issuer-url/} @html_report_file.puts "" else @html_report_file.puts "" end if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authentication-token-webhook-config-file/} @html_report_file.puts "" else @html_report_file.puts "" end if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--requestheader-username-headers/} @html_report_file.puts "" else @html_report_file.puts "" end @html_report_file.puts "

Authentication Option	Enabled?
Basic Authentication	Enabled
Basic Authentication	Disabled
Token Authentication	Enabled
Token Authentication	Disabled
Client Certificate Authentication	Enabled
Client Certificate Authentication	Disabled
OpenID Connect Authentication	Enabled
OpenID Connect Authentication	Disabled
Webhook Authentication	Enabled
Webhook Authentication	Disabled
Proxy Authentication	Enabled
Proxy Authentication	Disabled

" #Show what cluster authorization modes are supported. @html_report_file.puts "

" @html_report_file.puts "

Kubernetes Authorization Options

" @html_report_file.puts "" if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*RBAC/} @html_report_file.puts "" else @html_report_file.puts "" end if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*ABAC/} @html_report_file.puts "" else @html_report_file.puts "" end if @results[@options.target_server]['evidence']['API Server'].index{|line| line =~ /--authorization-mode\S*Webhook/} @html_report_file.puts "" else @html_report_file.puts "" end @html_report_file.puts "

Authorization Option	Enabled?
Role Based Authorization	Enabled
Role Based Authorization	Disabled
Attribute Based Authorization	Enabled
Attribute Based Authorization	Disabled
Webhook Authorization	Enabled
Webhook Authorization	Disabled

" @html_report_file.puts "

Evidence

" @html_report_file.puts "" @results[@options.target_server]['evidence'].each do |area, output| @html_report_file.puts "" end #Close the master Node Div @html_report_file.puts "

Area	Output
#{area}	#{output}

Worker Node Results

' #Start of Chart Divs @html_report_file.puts '

' @results[@options.target_server]['kubelet_checks'].each do |node, results| node_kubelet_pass = 0 node_kubelet_fail = 0 results.each do |test, result| if result == "Fail" node_kubelet_fail = node_kubelet_fail + 1 elsif result == "Pass" node_kubelet_pass = node_kubelet_pass + 1 end end #Create the Chart @html_report_file.puts '

' @html_report_file.puts '' end #End of Chart Divs @html_report_file.puts '

' @results[@options.target_server]['kubelet_checks'].each do |node, results| @html_report_file.puts "
#{node} Kubelet Checks" @html_report_file.puts "" results.each do |test, result| if result == "Fail" result = 'Fail' elsif result == "Pass" result = 'Pass' end @html_report_file.puts "" end @html_report_file.puts "

Check	result
#{test}	#{result}

" end @html_report_file.puts "

Evidence

" @html_report_file.puts "" @results[@options.target_server]['node_evidence'].each do |node, evidence| evidence.each do |area, data| @html_report_file.puts "" end end @html_report_file.puts "

Host	Area	Output
#{node}	#{area}	#{data}

" end #Close the Worker Node Div @html_report_file.puts '

Container item	Result
Runtime in Use	#{result['runtime']}
Host PID namespace used?	#{result['hostpid']}
AppArmor Profile	#{result['apparmor']}
User Namespaces in use?	#{result['uid_map']}
Inherited Capabilities	#{result['cap_inh']}
Effective Capabilities	#{result['cap_eff']}
Permitted Capabilities	#{result['cap_per']}
Bounded Capabilities	#{result['cap_bnd']}

Kubernetes Auto Analyzer

Master Node Results

API Server

Scheduler

Controller Manager

etcd

Kubernetes Authentication Options

Kubernetes Authorization Options

Evidence

Worker Node Results

Evidence

Node File Permissions

Vulnerability Checks

External Unauthenticated Access to the Kubelet

Internal Unauthenticated Access to the Kubelet

External Insecure API Port Exposed

Internal Insecure API Port Exposed

Default Service Token In Use

Container Configuration checks

Vulnerability Evidence

Vulnerability	Host	Output
External Unauthenticated Kubelet Access	#{node}	#{result}
Internal Unauthenticated Kubelet Access	#{node}	#{result}
External Insecure API Server Access	#{node}	#{result}
Internal Insecure API Server Access	#{node}	#{result}
Default Service Token In Use	#{node}	#{result}
Am I Contained Output	#{node}	#{result}