GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security and development teams streamline the configuration process and save time looking for generic bugs and vulnerabilities.
The tool consists of individual modules called Detectors, each scanning for a specific vulnerability.
Installing and Using GKE Auditor to Detect Google Kubernetes Engine Misconfigurations
Installation
1 2 3 |
git clone https://github.com/google/gke-auditor cd ./gke-auditor/ ./build.sh |
Usage
The tool has to be built by running the build.sh
script first.
Once the tool is built, it can be run using the auditor.sh
script, using the following options:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 |
./auditor.sh [-a] [-ast] [-c] [-d] [-h] [-i <arg>] [-p <arg>] [-q] [-r <arg>] -a,--all Run all detectors. -ast,--assets Run all detectors for each individual asset. -c,--color Turns on tool output coloring. -d,--defaults Runs detectors including Kubernetes default assets. Disabled by default. -h,--help Print help information. -i,--iso <arg> Run Node Isolation detectors. To run all detectors, omit the argument list. To specify individual detectors to run, give a list of indices: 1. NODE_SELECTOR_POD_REJECTED 2. NODE_TAINTS_POD_REJECTED 3. NODE_AFFINITY_POD_REJECTED -p,--psp <arg> Run PSP (Pod Security Policy) detectors. To run all detectors, omit the argument list. To specify individual detectors to run, give a list of indices: 1. PRIVILEGED_CONTAINERS 2. CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE 3. CONTAINERS_SHARING_HOST_IPC 4. CONTAINER_SHARING_HOST_NETWORK_NAMESPACE 5. CONTAINERS_ALLOW_PRIVILEGE_ESCALATION 6. ROOT_CONTAINERS_ADMISSION 7. CONTAINERS_NET_RAW_CAPABILITY 8. CONTAINERS_ADDED_CAPABILITIES 9. CONTAINERS_CAPABILITIES_ASSIGNED -q,--quiet Prints out only misconfigurations, without additional detector info. Disabled by default. -r,--rbac <arg> Run RBAC (Role Based Access Control) detectors. To run all detectors, omit the argument list. To specify individual detectors to run, give a list of indices: 1. CLUSTER_ADMIN_ROLE_USED 2. SECRET_ACCESS_ALLOWED 3. WILDCARD_USED 4. CREATE_PODS_ALLOWED 5. AUTOMOUNT_SERVICE_ACCOUNT_TOKEN_ENABLED 6. ESCALATING_RESOURCES_REPORT |
General Detector Output Format for GKE Auditor
You can download GKE Auditor here:
Or read more here.