Sometimes we need to check which Roles, ServiceAccounts, RoleBindings, Pods, etc. in a Kubernetes cluster carry risky permissions. For this there is a tool called KubiScan, which lists the risky permissions in a Kubernetes cluster. In this blog we will see how to scan for risky permissions in a Kubernetes cluster.

KubiScan: it scans a Kubernetes cluster for risky permissions in Kubernetes's Role-based access control (RBAC) authorization model.

Requirements:

1. Kubernetes cluster
2. Docker

Step 1:

Execute the KubiScan docker command,

Run the below command on the Kubernetes master node,

# docker run -it --rm -e CONF_PATH=~/.kube/config -v /:/tmp cyberark/kubiscan



Here the kubernetes config is present in "~/.kube/config"; if yours is in a different location, change the path accordingly.

Once the docker command has executed you will be inside the KubiScan container.

If you want to execute the above docker command from a different instance, follow the steps below,

Copy the kubernetes configuration to an instance that can communicate with the kubernetes cluster,

I have kept it in /root/k8s/config and below is my docker command,

# docker run -it --rm -e CONF_PATH=~/k8s/config -v /:/tmp cyberark/kubiscan


Step 2:

Scan for risky permissions with KubiScan,

Run the below command inside the KubiScan container to find the risky pods,

# kubiscan -rp

Example output (shown as a screenshot in the original post):

Here we can see three pods flagged as critical, so we need to check and fix them.

To find the risky users, groups and service accounts,

# kubiscan -rs

Example output (shown as a screenshot in the original post):

Here we can see a few users, groups and service accounts flagged as critical, so we need to check and fix them.

By running the below command you can see what other options are available in KubiScan,

# kubiscan -e

That's all; with KubiScan we have found the risky permissions and pods in the Kubernetes cluster.
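To make clear what "risky permission" means when KubiScan flags a subject, here is an added illustration (not KubiScan's own code) that checks constructed Role/ClusterRole and binding objects against a small, assumed list of dangerous resource/verb pairs, the same idea behind the -rs output above. The risk list, the sample objects and the helper names are assumptions made for this example; apiGroups and namespaces are ignored for brevity.

```python
# Simplified, assumed risk classification; KubiScan's own list is broader.
RISKY = {
    ("*", "*"): "CRITICAL: wildcard access to every resource and verb",
    ("secrets", "get"): "CRITICAL: can read secrets",
    ("secrets", "list"): "CRITICAL: can read secrets",
    ("pods/exec", "create"): "CRITICAL: can run commands inside pods",
    ("pods", "create"): "HIGH: can create pods (host mounts, secret volumes)",
    ("clusterrolebindings", "create"): "CRITICAL: can bind cluster-admin",
}

def risky_rules(role: dict) -> list:
    """Return one finding per risky (resource, verb) a Role/ClusterRole grants."""
    findings = []
    name = role.get("metadata", {}).get("name", "<unnamed>")
    for rule in role.get("rules", []):  # apiGroups ignored for brevity
        for res in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                for (r_res, r_verb), msg in RISKY.items():
                    # A "*" in the rule covers the specific resource or verb.
                    if res in (r_res, "*") and verb in (r_verb, "*"):
                        findings.append(f"{name}: {msg} (grants {verb} on {res})")
                        break  # one finding per granted pair
    return findings

def risky_subjects(roles: list, bindings: list) -> dict:
    """Map subjects bound to a risky role to its findings (like kubiscan -rs)."""
    by_name = {r["metadata"]["name"]: risky_rules(r) for r in roles}
    result = {}
    for b in bindings:  # namespaces ignored for brevity
        findings = by_name.get(b["roleRef"]["name"], [])
        for s in b.get("subjects", []) if findings else []:
            result.setdefault(f"{s['kind']}/{s['name']}", []).extend(findings)
    return result

# Constructed sample objects, not from a real cluster.
SAMPLE_ROLES = [
    {"metadata": {"name": "secret-reader"},
     "rules": [{"resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "log-viewer"},
     "rules": [{"resources": ["pods/log"], "verbs": ["get"]}]},
    {"metadata": {"name": "god-mode"},
     "rules": [{"resources": ["*"], "verbs": ["*"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "backup", "namespace": "ops"}]},
    {"roleRef": {"name": "log-viewer"}, "subjects": [{"kind": "User", "name": "alice"}]},
    {"roleRef": {"name": "god-mode"}, "subjects": [{"kind": "Group", "name": "devs"}]},
]
```

Calling risky_subjects(SAMPLE_ROLES, SAMPLE_BINDINGS) reports the backup service account and the devs group but not alice, whose log-viewer role grants nothing on the risk list.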

