{"id":19054212,"url":"https://github.com/datadog/managed-kubernetes-auditing-toolkit","last_synced_at":"2025-04-06T18:16:51.267Z","repository":{"id":153688407,"uuid":"623004804","full_name":"DataDog/managed-kubernetes-auditing-toolkit","owner":"DataDog","description":"All-in-one auditing toolkit for identifying common security issues in managed Kubernetes environments. Currently supports Amazon EKS.","archived":false,"fork":false,"pushed_at":"2024-01-03T11:52:35.000Z","size":307,"stargazers_count":339,"open_issues_count":5,"forks_count":20,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-30T16:12:29.668Z","etag":null,"topics":["aws-eks","aws-security","eks","kubernetes","kubernetes-security","managed-kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DataDog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-03T13:58:03.000Z","updated_at":"2025-03-26T16:42:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"77020b7c-17d0-4335-9497-2d41e5e49e87","html_url":"https://github.com/DataDog/managed-kubernetes-auditing-toolkit","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fmanaged-kubernetes-auditing-toolkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fmanaged-kubernetes-auditing-toolkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposit
ories/DataDog%2Fmanaged-kubernetes-auditing-toolkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2Fmanaged-kubernetes-auditing-toolkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DataDog","download_url":"https://codeload.github.com/DataDog/managed-kubernetes-auditing-toolkit/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247526767,"owners_count":20953143,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-eks","aws-security","eks","kubernetes","kubernetes-security","managed-kubernetes"],"created_at":"2024-11-08T23:37:07.328Z","updated_at":"2025-04-06T18:16:51.236Z","avatar_url":"https://github.com/DataDog.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Managed Kubernetes Auditing Toolkit (MKAT)\n\n[![Tests](https://github.com/DataDog/managed-kubernetes-auditing-toolkit/actions/workflows/test.yml/badge.svg)](https://github.com/DataDog/managed-kubernetes-auditing-toolkit/actions/workflows/test.yml) [![go static \nanalysis](https://github.com/DataDog/managed-kubernetes-auditing-toolkit/actions/workflows/static-analysis.yml/badge.svg)](https://github.com/DataDog/managed-kubernetes-auditing-toolkit/actions/workflows/static-analysis.yml) \n\n\nMKAT is an all-in-one auditing toolkit for identifying common security issues within managed Kubernetes environments. 
It is focused on Amazon EKS at the moment, and will be extended to other managed Kubernetes environments in the future.\n\nFeatures:\n- 🔎 [Identify trust relationships between K8s service accounts and AWS IAM roles](#identify-trust-relationships-between-k8s-service-accounts-and-aws-iam-roles) - supports both IAM Roles for Service Accounts (IRSA), and [Pod Identity](https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/), released on November 26 2023.\n- 🔑 [Find hardcoded AWS credentials in K8s resources](#find-hardcoded-aws-credentials-in-k8s-resources).\n- 💀 [Test if pods can access the AWS Instance Metadata Service (IMDS)](#test-if-pods-can-access-the-aws-instance-metadata-service-imds).\n\n## Installation\n\n```bash\nbrew tap datadog/mkat https://github.com/datadog/managed-kubernetes-auditing-toolkit\nbrew install datadog/mkat/managed-kubernetes-auditing-toolkit\nmkat version\n```\n\n... or use a [pre-compiled binary](https://github.com/DataDog/managed-kubernetes-auditing-toolkit/releases).\n\nThen, make sure you are authenticated against your cluster, and to AWS. MKAT uses your current AWS and kubectl authentication contexts.\n\n```bash\naws eks update-kubeconfig --name \u003ccluster-name\u003e\n```\n\nIn particular, you might need to set your `AWS_REGION` and `AWS_PROFILE` environment variables, if using profiles.\n\n## Features\n\n### Identify trust relationships between K8s service accounts and AWS IAM roles\n\nMKAT can identify the trust relationships between K8s service accounts and AWS IAM roles, and display them in a table or as a graph. 
It currently supports:\n\n- **[IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html)**, a popular mechanism to allow pods to assume AWS IAM roles by exchanging a Kubernetes service account token for AWS credentials through the AWS STS API (`AssumeRoleWithWebIdentity`).\n\n- **[EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html)**, another newer mechanism that works in a similar way, but is easier to set up.\n\nMKAT works by analyzing both the IAM roles in the AWS account, and the K8s service accounts in the cluster, and then matching them together based on these two mechanisms.\n\n```bash\n$ mkat eks find-role-relationships\n _ __ ___   | | __   __ _  | |_\n | '_ ` _ \\  | |/ /  / _` | | __|\n | | | | | | |   \u003c  | (_| | | |_\n |_| |_| |_| |_|\\_\\  \\__,_|  \\__|\n\n2023/11/28 21:05:59 Connected to EKS cluster mkat-cluster\n2023/11/28 21:05:59 Retrieving cluster information\n2023/11/28 21:06:00 Listing K8s service accounts in all namespaces\n2023/11/28 21:06:02 Listing roles in the AWS account\n2023/11/28 21:06:03 Found 286 IAM roles in the AWS account\n2023/11/28 21:06:03 Analyzing IAM Roles For Service Accounts (IRSA) configuration\n2023/11/28 21:06:03 Analyzing Pod Identity configuration of your cluster\n2023/11/28 21:06:04 Analyzing namespace microservices which has 1 Pod Identity associations\n+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+\n| NAMESPACE        | SERVICE ACCOUNT           | POD                               | ASSUMABLE ROLE              | MECHANISM                      |\n+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+\n| microservices    | inventory-service-sa      | inventory-service                 | inventory-service-role      | IAM Roles 
for Service Accounts |\n|                  |                           |                                   | s3-backup-role              | IAM Roles for Service Accounts |\n|                  | rate-limiter-sa           | rate-limiter-1                    | rate-limiter-role           | IAM Roles for Service Accounts |\n|                  |                           |                                   | webserver-role              | Pod Identity                   |\n|                  |                           | rate-limiter-2                    | rate-limiter-role           | IAM Roles for Service Accounts |\n|                  |                           |                                   | webserver-role              | Pod Identity                   |\n+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+\n| default          | vulnerable-application-sa | vulnerable-application            | vulnerable-application-role | IAM Roles for Service Accounts |\n|                  | webserver-sa              | webserver                         | webserver-role              | IAM Roles for Service Accounts |\n+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+\n| external-secrets | external-secrets-sa       | external-secrets-66cfb84c9b-kldt9 | ExternalSecretsRole         | IAM Roles for Service Accounts |\n+------------------+---------------------------+-----------------------------------+-----------------------------+--------------------------------+\n```\n\nIt can also generate a `dot` output for graphic visualization:\n \n```bash\n$ mkat eks find-role-relationships --output-format dot --output-file roles.dot\n$ dot -Tpng -O roles.dot\n$ open roles.dot.png\n```\n\n![Mapping trust relationships](./examples/irsa.png)\n\n### Find hardcoded AWS credentials in K8s resources\n\nMKAT can 
identify hardcoded AWS credentials in K8s resources such as Pods, ConfigMaps, and Secrets. \nIt has a low false positive rate, and only alerts you if it finds both an AWS access key ID and a secret access key in the same Kubernetes resource.\nIt's also able to work with unstructured data, i.e. if you have a ConfigMap with an embedded JSON or YAML document that contains AWS credentials.\n\n```bash\n$ mkat eks find-secrets\n              _              _\n  _ __ ___   | | __   __ _  | |_\n | '_ ` _ \\  | |/ /  / _` | | __|\n | | | | | | |   \u003c  | (_| | | |_\n |_| |_| |_| |_|\\_\\  \\__,_|  \\__|\n\n2023/04/12 00:33:24 Connected to EKS cluster mkat-cluster\n2023/04/12 00:33:24 Searching for AWS secrets in ConfigMaps...\n2023/04/12 00:33:25 Analyzing 10 ConfigMaps...\n2023/04/12 00:33:25 Searching for AWS secrets in Secrets...\n2023/04/12 00:33:25 Analyzing 45 Secrets...\n2023/04/12 00:33:25 Searching for AWS secrets in Pod definitions...\n2023/04/12 00:33:25 Analyzing 8 Pod definitions...\n+-----------+--------+-----------------------------------------+------------------------------------------+\n| NAMESPACE | TYPE   | NAME                                    | VALUE                                    |\n+-----------+--------+-----------------------------------------+------------------------------------------+\n| default   | Secret | kafka-proxy-aws (key aws_access_key_id) | AKIAZ3MSJV4WWNKWW5FG                     |\n| default   | Secret | kafka-proxy-aws (key aws_secret_key)    | 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 |\n+-----------+--------+-----------------------------------------+------------------------------------------+\n```\n\n### Test if pods can access the AWS Instance Metadata Service (IMDS)\n\nPods accessing the EKS nodes Instance Metadata Service is a [common and dangerous attack vector](https://blog.christophetd.fr/privilege-escalation-in-aws-elastic-kubernetes-service-eks-by-compromising-the-instance-role-of-worker-nodes/) \nthat can be used to 
escalate privileges. MKAT can test if pods can access the IMDS, both through IMDSv1 and IMDSv2. \n\nIt tests this by creating two temporary pods (one for IMDSv1, one for IMDSv2) that try to access the IMDS, and are then deleted.\n\n```bash\n$ mkat eks test-imds-access\n              _              _\n  _ __ ___   | | __   __ _  | |_\n | '_ ` _ \\  | |/ /  / _` | | __|\n | | | | | | |   \u003c  | (_| | | |_\n |_| |_| |_| |_|\\_\\  \\__,_|  \\__|\n\n2023/07/11 21:56:19 Connected to EKS cluster mkat-cluster\n2023/07/11 21:56:19 Testing if IMDSv1 and IMDSv2 are accessible from pods by creating a pod that attempts to access it\n2023/07/11 21:56:23 IMDSv2 is accessible: any pod can retrieve credentials for the AWS role eksctl-mkat-cluster-nodegroup-ng-NodeInstanceRole-AXWUFF35602Z\n2023/07/11 21:56:23 IMDSv1 is not accessible to pods in your cluster: able to establish a network connection to the IMDS, but no credentials were returned\n```\n\n## FAQ \n\n### How does MKAT compare to other tools?\n\n| **Tool** | **Description** |\n|:---:|:---:|\n| [kube-bench](https://github.com/aquasecurity/kube-bench) |  kube-bench is a general-purpose auditing tool for Kubernetes clusters, checking for compliance against the CIS benchmarks |\n| [kubiscan](https://github.com/cyberark/KubiScan) | kubiscan focuses on identifying dangerous in-cluster RBAC permissions |\n| [peirates](https://github.com/inguardians/peirates) |   peirates is a generic Kubernetes penetration testing tool. Although it has a `get-aws-token` command that retrieves node credentials from the IMDS, it is not specific to managed K8s environments. |\n| [botb](https://github.com/brompwnie/botb) | botb is a generic Kubernetes penetration testing tool. It also has a command to retrieve node credentials from the IMDS, but it is not specific to managed K8s environments. |\n| [rbac-police](https://github.com/PaloAltoNetworks/rbac-police) | rbac-police focuses on identifying in-cluster RBAC relationships. 
|\n| [kdigger](https://github.com/quarkslab/kdigger) | kdigger is a general-purpose context discovery tool for Kubernetes penetration testing. It does not attempt to be specific to managed K8s environments. |\n| [kubeletmein](https://github.com/4ARMED/kubeletmein) | kubeletmein _is_ specific to managed K8s environments. It's a utility to generate a kubeconfig file using the node's IAM credentials, to then use it in a compromised pod. |\n| [hardeneks](https://github.com/aws-samples/hardeneks) | hardeneks _is_ specific to managed K8s environments, but only for EKS. It identifies issues and lack of best practices inside the cluster, and does not focus on cluster-to-cloud pivots. |\n\n### What permissions does MKAT need to run?\n\nSee [this page](./permissions.md) for a detailed list of the permissions MKAT needs to run.\n\n## Roadmap\n\nWe currently plan to:\n* Add a feature to identify EKS pods that are exposed through an AWS load balancer, through the [aws-load-balancer-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller)\n* Add support for GCP GKE\n* Allow scanning for additional types of cloud credentials\n\n## Acknowledgements\n\nThank you to Rami McCarthi and Mikail Tunç for their early testing and actionable feedback on MKAT!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatadog%2Fmanaged-kubernetes-auditing-toolkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdatadog%2Fmanaged-kubernetes-auditing-toolkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdatadog%2Fmanaged-kubernetes-auditing-toolkit/lists"}