{"id":13452348,"url":"https://github.com/cyberark/KubiScan","last_synced_at":"2025-03-23T19:34:07.783Z","repository":{"id":41543579,"uuid":"155219807","full_name":"cyberark/KubiScan","owner":"cyberark","description":"A tool to scan Kubernetes cluster for risky permissions","archived":false,"fork":false,"pushed_at":"2024-12-10T09:24:49.000Z","size":7918,"stargazers_count":1363,"open_issues_count":5,"forks_count":132,"subscribers_count":28,"default_branch":"master","last_synced_at":"2025-03-21T21:01:43.407Z","etag":null,"topics":["authorization","conjbot","kubernetes","rbac"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyberark.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-10-29T13:50:44.000Z","updated_at":"2025-03-17T21:00:01.000Z","dependencies_parsed_at":"2023-01-21T20:19:13.388Z","dependency_job_id":"61de731e-4345-4b64-81f2-17d43c1077d9","html_url":"https://github.com/cyberark/KubiScan","commit_stats":{"total_commits":212,"total_committers":15,"mean_commits":"14.133333333333333","dds":0.4528301886792453,"last_synced_commit":"0a10ee10f4a16e4a31f0f7c069c2ad044ea8d6c9"},"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FKubiScan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FKubiScan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FKubiScan/releas
es","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2FKubiScan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyberark","download_url":"https://codeload.github.com/cyberark/KubiScan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245159318,"owners_count":20570361,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","conjbot","kubernetes","rbac"],"created_at":"2024-07-31T07:01:21.381Z","updated_at":"2025-03-23T19:34:07.771Z","avatar_url":"https://github.com/cyberark.png","language":"Python","readme":"[![GitHub release][release-img]][release]\n[![License][license-img]][license]\n![Stars](https://img.shields.io/github/stars/cyberark/KubiScan)\n\n\u003cimg src=\"https://github.com/cyberark/KubiScan/blob/assets/kubiscan_logo.png\" width=\"260\"\u003e  \nA tool for scanning Kubernetes cluster for risky permissions in Kubernetes's Role-based access control (RBAC) authorization model.   
\nThe tool was published as part of the \"Securing Kubernetes Clusters by Eliminating Risky Permissions\" research: https://www.cyberark.com/threat-research-blog/securing-kubernetes-clusters-by-eliminating-risky-permissions/.\n\n---\n\n## Table of Contents\n- [Overview](#overview)\n- [What can it do?](#what-can-it-do)\n- [Usage](#usage)\n  - [Container](#container)\n  - [Directly with Python3](#directly-with-python3)\n    - [Prerequisites](#prerequisites)\n    - [Example for installation on Ubuntu](#example-for-installation-on-ubuntu)\n    - [With KubeConfig file](#with-kubeconfig-file)\n    - [From a remote with ServiceAccount token](#from-a-remote-with-serviceaccount-token)\n- [Examples](#examples)\n- [Demo](#demo)\n- [Risky Roles YAML](#risky-roles-yaml)\n- [Showcase](#%EF%B8%8F-showcase)\n- [License](#license)\n- [References](#references)\n\n---\n\n## Overview\nKubiScan helps cluster administrators identify permissions that attackers could potentially exploit to compromise the clusters.\nThis can be especially helpful in large environments, where there are many permissions that can be challenging to track. \nKubiScan gathers information about risky roles\\clusterroles, rolebindings\\clusterrolebindings, users and pods, automating traditional manual processes and giving administrators the visibility they need to reduce risk.  \n\n## What can it do? 
\n-\tIdentify risky Roles\\ClusterRoles\n-\tIdentify risky RoleBindings\\ClusterRoleBindings\n-\tIdentify risky Subjects (Users, Groups and ServiceAccounts)\n-\tIdentify risky Pods\\Containers\n-\tDump tokens from pods (all or by namespace)\n-\tGet associated RoleBindings\\ClusterRoleBindings to Role, ClusterRole or Subject (user, group or service account)\n-\tList Subjects with specific kind ('User', 'Group' or 'ServiceAccount')\n-\tList rules of RoleBinding or ClusterRoleBinding\n-\tShow Pods that have access to secret data through a volume or environment variables\n- Get bootstrap tokens for the cluster\n- CVE scan\n- EKS\\AKS\\GKE support\n\n## Usage\n### Container\n\nYou can run it like this:  \n```\n./docker_run.sh \u003ckube_config_file\u003e\n# For example: ./docker_run.sh ~/.kube/config\n```\n\nIt will copy all the files linked inside the config file into the container and spawn a shell into the container.\n\nTo build the Docker image run:  \n```\ndocker build -t kubiscan .\n```\n\n### Directly with Python3\n#### Prerequisites:\n-\t__Python 3.6+__\n-\t__Pip3__\n-\t[__Kubernetes Python Client__](https://github.com/kubernetes-client/python) \n-\t[__Prettytable__](https://pypi.org/project/PTable)\n-\t__openssl__ (built in on Ubuntu) - used only for join token\n\n#### Example for installation on Ubuntu:\n```\napt-get update  \napt-get install -y python3 python3-pip \npip3 install -r requirements.txt  \n```\n\nRun `alias kubiscan='python3 /\u003cKubiScan_folder\u003e/KubiScan.py'` to use `kubiscan`.  \n\nAfter installing all of the above requirements you can run it in two different ways:  \n#### With KubeConfig file:\nMake sure you have access to the `~/.kube/config` file and all the relevant certificates, then simply run:  \n`kubiscan \u003ccommand\u003e`  \nFor example: `kubiscan -rs` will show all the risky subjects (users, service accounts and groups).  
\n\n#### From a remote with ServiceAccount token\nSome functionality requires a **privileged** service account with the following permissions:  \n- **resources**: `[\"roles\", \"clusterroles\", \"rolebindings\", \"clusterrolebindings\", \"pods\", \"secrets\"]`  \n  **verbs**: `[\"get\", \"list\"]`  \n- **resources**: `[\"pods/exec\"]`  \n  **verbs**: `[\"create\", \"get\"]`  \n\nBut most of the functionality does not, so you can use the following settings for a limited service account.  \nIt can be created by running:\n```\nkubectl apply -f - \u003c\u003c EOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kubiscan-sa\n  namespace: default\n---\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/service-account-token\nmetadata:\n  name: kubiscan-sa-secret\n  annotations:\n    kubernetes.io/service-account.name: kubiscan-sa\n---\nkind: ClusterRoleBinding\napiVersion: rbac.authorization.k8s.io/v1\nmetadata: \n  name: kubiscan-clusterrolebinding\nsubjects: \n- kind: ServiceAccount \n  name: kubiscan-sa\n  namespace: default\n  apiGroup: \"\"\nroleRef: \n  kind: ClusterRole\n  name: kubiscan-clusterrole\n  apiGroup: \"\"\n---\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata: \n  name: kubiscan-clusterrole\nrules: \n- apiGroups: [\"*\"]\n  resources: [\"roles\", \"clusterroles\", \"rolebindings\", \"clusterrolebindings\", \"pods\"]\n  verbs: [\"get\", \"list\"]\nEOF\n```\n\nNote that from Kubernetes 1.24, creating a service account no longer creates a token secret automatically. This means the secret must be created explicitly, as in the manifest above.  
\nBefore 1.24, you can remove the `Secret` object from the above commands and save the service account's token to a file:  \n`kubectl get secrets $(kubectl get sa kubiscan-sa -o=jsonpath='{.secrets[0].name}') -o=jsonpath='{.data.token}' | base64 -d \u003e token`\n\nFrom 1.24, you don't need to change anything; save the token like this:  \n```\nkubectl get secrets kubiscan-sa-secret -o=jsonpath='{.data.token}' | base64 -d \u003e token  \n```\n\nAfter saving the token into the file, you can use it like this:  \n`python3 ./KubiScan.py -ho \u003cmaster_ip:master_port\u003e -t /token \u003ccommand\u003e`  \n\nFor example:   \n```\nalias kubiscan='python3 /\u003cKubiScan_folder\u003e/KubiScan.py'\nkubiscan -ho 192.168.21.129:8443 -t /token -rs\n```\n\nNotice that you can also use the certificate authority (ca.crt) to verify the SSL connection:    \n```\nkubiscan -ho \u003cmaster_ip:master_port\u003e -t /token -c /ca.crt \u003ccommand\u003e\n```\n\nTo remove the privileged service account, run the following commands: \n```\nkubectl delete clusterroles kubiscan-clusterrole  \nkubectl delete clusterrolebindings kubiscan-clusterrolebinding   \nkubectl delete sa kubiscan-sa  \nkubectl delete secrets kubiscan-sa-secret\n```\n\n## Examples  \nTo see all the examples, run `python3 KubiScan.py -e` or from within the container `kubiscan -e`.  \n\n## Demo  \nA small example of KubiScan usage: \n\u003cp\u003e\u003ca href=\"https://cyberark.wistia.com/medias/0lt642okgn?wvideo=0lt642okgn\"\u003e\u003cimg src=\"https://github.com/cyberark/KubiScan/blob/assets/kubiscan_embeded.png?raw=true\" width=\"600\"\u003e\u003c/a\u003e\u003c/p\u003e\n\n## Risky Roles YAML\nThere is a file named `risky_roles.yaml`. This file contains templates for risky roles with priority.    \nAlthough the kind in each role is `Role`, these templates will be compared against any Role\\ClusterRole in the cluster.  
\nWhen each of these roles is checked against a role in the cluster, it checks if the role in the cluster contains the rules from the risky role. If it does, it will be marked as risky.  \nWe added all the roles we found to be risky, but because each one can define the term \"risky\" in a different way, you can modify the file by adding\\removing roles you think are more\\less risky.  \n\n## ❤️ Showcase  \n* Presented at RSA 2020 [\"Compromising Kubernetes Cluster by Exploiting RBAC Permissions\"](https://www.youtube.com/watch?v=1LMo0CftVC4)\n* Presented at RSA 2022 [\"Attacking and Defending Kubernetes Cluster: Kubesploit vs KubiScan\"](https://www.youtube.com/watch?v=xRqYSDKi6a0)\n* Article by PortSwigger [\"KubiScan: Open source Kubernetes security tool showcased at Black Hat 2020\"](https://portswigger.net/daily-swig/kubiscan-open-source-kubernetes-security-tool-showcased-at-black-hat-2020)\n\n\n## License\nCopyright (c) 2020 CyberArk Software Ltd. All rights reserved  \nThis repository is licensed under GPL-3.0 License - see [`LICENSE`](LICENSE) for more details.\n\n## References:\nFor more comments, suggestions or questions, you can contact Eviatar Gerzi ([@g3rzi](https://twitter.com/g3rzi)) and CyberArk Labs.\n\n[release-img]: https://img.shields.io/github/release/cyberark/kubiscan.svg\n[release]: https://github.com/cyberark/kubiscan/releases\n\n[license-img]: https://img.shields.io/github/license/cyberark/kubiscan.svg\n[license]: https://github.com/cyberark/kubiscan/blob/master/LICENSE\n","funding_links":[],"categories":["Kubernetes","Python","Security \u0026 Compliance","2 Defensive","Tools and Libraries","Repositories / Tools","Other Awesome Lists","Python (1887)","Tools","Инструменты","0x02 工具 :hammer_and_wrench:","云安全","Kubernetes Security"],"sub_categories":["2.7 Tools","Kubernetes IAM","Security and Compliance","Defending","Subdomain Takeover","Kubernetes","Безопасность Kubernetes","2 云原生工具","Runtime 
Security"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2FKubiScan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyberark%2FKubiScan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2FKubiScan/lists"}