{"id":13530183,"url":"https://github.com/darkbitio/mkit","last_synced_at":"2025-04-01T17:32:12.625Z","repository":{"id":44393117,"uuid":"250376894","full_name":"darkbitio/mkit","owner":"darkbitio","description":"MKIT is a Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.","archived":true,"fork":false,"pushed_at":"2021-09-16T13:46:12.000Z","size":3284,"stargazers_count":401,"open_issues_count":1,"forks_count":26,"subscribers_count":16,"default_branch":"master","last_synced_at":"2024-08-02T07:11:16.616Z","etag":null,"topics":["aks","aws","azure","eks","gcp","gke","k8s","kubernetes","kubernetes-security"],"latest_commit_sha":null,"homepage":"https://darkbit.io","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/darkbitio.png","metadata":{"files":{"readme":"README-GCP.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-03-26T21:36:03.000Z","updated_at":"2024-05-29T20:51:32.000Z","dependencies_parsed_at":"2022-07-15T01:46:52.469Z","dependency_job_id":null,"html_url":"https://github.com/darkbitio/mkit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkbitio%2Fmkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkbitio%2Fmkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkbitio%2Fmkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/darkbitio%2Fmkit/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/darkbitio","download_url":"https://codeload.github.com/darkbitio/mkit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222748311,"owners_count":17031898,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aks","aws","azure","eks","gcp","gke","k8s","kubernetes","kubernetes-security"],"created_at":"2024-08-01T07:00:45.286Z","updated_at":"2024-11-02T16:31:48.661Z","avatar_url":"https://github.com/darkbitio.png","language":"Dockerfile","funding_links":[],"categories":["Cloud platform security","Container","Audit","Repositories / Tools","云平台安全","Continuous Delivery \u0026 GitOps","Dockerfile","kubernetes","Security","aws"],"sub_categories":["Kubernetes","Defending","安全编排自动化与响应"],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"images/logo-f14d61eb2fd0943650b496cccd7cfc5a.png\"\u003e\n\u003c/p\u003e\n\n# MKIT - Managed Kubernetes Inspection Tool\n\n![MKIT](images/badge-v1.0.0.svg)\n\n### Quickly discover key security risks of your managed GKE clusters and resources\n\n**MKIT** is a Managed [Kubernetes](https://kubernetes.io) Inspection Tool that leverages FOSS tools to query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster. It runs entirely from a local Docker container and queries your cloud provider's APIs and the Kubernetes API to determine if certain misconfigurations are found. 
The same Docker container then launches a web UI to view and navigate the results on [localhost:8000](http://localhost:8000).\n\n## Demo\n\nView a live demo of the [web UI here](https://mkit.darkbit.io/).\n\n[![web UI demo](images/demo-screen.png)](https://mkit.darkbit.io)\n\n---\n\n1. [Who is MKIT for?](#who-is-this-for)\n1. [What does it check?](#what-does-mkit-check-for)\n1. [What is it doing?](#what-does-it-do)\n1. [Viewing Results](#viewing-results)\n1. [Quick Start](#quick-start)\n1. [Building Locally](#building-locally)\n1. [Development](#development)\n\n---\n\n### Who is this for?\n\n**MKIT** provides security-minded Google Kubernetes Engine (GKE) cluster administrators with a quick way to assess several common misconfigurations in their clusters and workloads.\n\n### What does MKIT check for?\n\n**MKIT** makes use of [Chef InSpec](https://inspec.io)-formatted profiles, and the GKE controls are published at the locations below:\n\n- [https://github.com/darkbitio/inspec-profile-gke](https://github.com/darkbitio/inspec-profile-gke)\n- [https://github.com/darkbitio/inspec-profile-k8s](https://github.com/darkbitio/inspec-profile-k8s)\n\n### What does it do?\n\nWhen you run `make` with various parameters, **MKIT** uses your user credentials to query the GCP APIs for the specific cluster and validate its configuration. It then connects to the cluster directly via the Kubernetes API server to validate several configuration items inside the cluster. Finally, it combines those results into a format viewable in the [mkit-ui](http://localhost:8000), which is launched inside the `mkit` container and listens on [http://localhost:8000](http://localhost:8000).\n\n### Sensitive Data\n\nAll results are stored inside the container for the life of that **MKIT** run, and they are not uploaded or shared in any way.\n\n## Viewing Results\n\nThe **MKIT** web UI ([http://localhost:8000](http://localhost:8000)) shows all of the results on a single page. 
Failed checks appear first, followed by passed checks. Clicking **view all** will show all of the underlying resources impacted by the checks and whether they **passed** or **failed**.\n\n![Results Overview](images/overview-screen-01701af71c95bc414e0580d6af069eb8.png)\n\n## Quick Start\n\n1. Clone this repository to your Linux / macOS / WSL2 system.\n\n2. See the [section](#building-the-docker-image-manually) on building the image manually, if desired.\n\n3. Ensure your identity has the following permissions:\n\n   1. An IAM Role with `container.clusters.get`, `container.clusters.list`, and `container.clusters.getCredentials`. For example:\n      1. `Owner` - `roles/owner`\n      2. `Editor` - `roles/editor`\n      3. `Kubernetes Engine Admin` - `roles/container.admin`\n   2. Or, a custom IAM Role with `container.clusters.get`, `container.clusters.list`, `container.clusters.getCredentials`, and an in-cluster RBAC `ClusterRoleBinding` of the built-in `cluster-admin` or `view` ClusterRoles.\n\n4. Authenticate with your Google Cloud credentials.\n\n    ```console\n    gcloud auth application-default login\n    ```\n\n5. Run the following command (be sure to specify project-id and not project-name):\n\n    ```console\n    make run-gke project_id=my-project-id location=us-central1 clustername=my-gke-cluster-name\n    ```\n    ```console\n    Running in darkbitio/mkit:latest: /home/node/audit/gke.sh\n    Generating results...done.\n    Fetching cluster endpoint and auth data.\n    kubeconfig entry generated for my-gke-cluster.\n    Generating results...done.\n\n    Visit http://localhost:8000 to view the results\n    yarn run v1.22.0\n    node app.js\n    \n    MKIT Running - browse to http://localhost:8000\n    ```\n\n6. 
Visit [http://localhost:8000](http://localhost:8000) to view the results of the scan.\n\n## Building Locally\n\nIf you prefer to build the Docker images locally before running, the **Dockerfile** is in this repo.\n\n### Building the Docker image manually\n\n1. Clone this repo\n2. Modify the **Makefile** to name the image as desired\n3. Run `make build` to build the container from scratch\n\n## Development\n\nWe welcome any contributions from users in the community.\n\n### Customizing/Extending the checks\n\n1. Fork the desired profile repository\n2. Modify the release tag and release URL to point to your new repository/release in the `Dockerfile`\n3. Follow the steps in the previous [section](#building-the-docker-image-manually) to build a custom container using your new profile\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkbitio%2Fmkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdarkbitio%2Fmkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdarkbitio%2Fmkit/lists"}