{"id":13646322,"url":"https://github.com/postfinance/kubewire","last_synced_at":"2025-04-21T17:32:33.667Z","repository":{"id":98232105,"uuid":"137757742","full_name":"postfinance/kubewire","owner":"postfinance","description":"Kubernetes integrity checker","archived":true,"fork":false,"pushed_at":"2018-12-18T10:03:29.000Z","size":32,"stargazers_count":10,"open_issues_count":1,"forks_count":2,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-11-09T19:41:37.534Z","etag":null,"topics":["golang","integrity","inventory","kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/postfinance.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-06-18T13:52:17.000Z","updated_at":"2023-01-28T10:20:14.000Z","dependencies_parsed_at":"2023-05-18T19:45:25.893Z","dependency_job_id":null,"html_url":"https://github.com/postfinance/kubewire","commit_stats":{"total_commits":18,"total_committers":2,"mean_commits":9.0,"dds":0.2777777777777778,"last_synced_commit":"e9c53f15052f740e7c7457fa23ceeb8e2de47729"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fkubewire","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fkubewire/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fkubewire/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/postfinance%2Fkubewire/manifests","owner_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/owners/postfinance","download_url":"https://codeload.github.com/postfinance/kubewire/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250100732,"owners_count":21374994,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["golang","integrity","inventory","kubernetes"],"created_at":"2024-08-02T01:02:52.856Z","updated_at":"2025-04-21T17:32:33.352Z","avatar_url":"https://github.com/postfinance.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"[![Go Report Card](https://goreportcard.com/badge/github.com/postfinance/kubewire)](https://goreportcard.com/report/github.com/postfinance/kubewire)\n[![Build Status](https://travis-ci.org/postfinance/kubewire.svg?branch=master)](https://travis-ci.org/postfinance/kubewire)\n\n# kubewire\nkubewire is a Kubernetes integrity checker which acts as a tripwire for global\nKubernetes resources, and for namespaced resources which could impact the\nwhole cluster.\n\n*Status*: Alpha, anything can change at any time\n\n## Use case\nKubernetes cluster administrators have great power. This means that\na mistake they make could cause the cluster to become unhealthy or insecure and,\nas such, could impact any or all tenants sharing the cluster. Kubewire does not\nprevent such mistakes; it is intended to notice the resulting modifications.\n\nCommon sources for such modifications are:\n* `kubectl create` on objects which define a wrong namespace\n* A wrong kubeconfig, or a context with no namespace set\n* Running tools which create objects in other namespaces, e.g. 
Helm's Tiller is deployed to kube-system by default\n\nKubewire is not designed to detect deliberately hidden malicious changes, and it does not keep a backup of any\nobject. It is therefore best used together with an automated deployment/configuration\ntool which ensures that all global objects have the state you want. Kubewire\nonly reports that objects have appeared or disappeared relative to the baseline, for example objects that were created unintentionally.\n\n## Installation\nTo compile the latest version from source, run\n```\ngo get -u github.com/postfinance/kubewire\n```\n\nPrecompiled binaries are available on [GitHub Releases](https://github.com/postfinance/kubewire/releases)\n\n## Usage\nBy default, all non-namespaced resources will be scanned. In addition to that,\nthe following namespaces are considered to have a global effect, so the namespaced\nresources in those namespaces will also be scanned:\n- default\n- kube-system\n- kube-public\n\nThis list can be customized with the `--namespaces` flag.\n\n```\n$ kubewire snapshot \u003e baseline.yaml\n\n$ ./thisdoessomemagic\n\n$ kubewire diff --baseline=baseline.yaml\nElement                                                                 A                                        B\nScanStart                                                               2018-06-12 14:19:14.152560709 +0200 CEST 2018-06-14 10:22:18.083728367 +0200 CEST m=+0.028297121\nScanEnd                                                                 2018-06-12 14:19:42.870490496 +0200 CEST 2018-06-14 10:22:46.602422832 +0200 CEST m=+28.546991607\nResourceObjects.\" v1 namespaces  appl-shouldnotbehere\"                  does not exist                           exists\nResourceObjects.\" v1 secrets kube-system shouldnotbehere-token-rwmcl\"   does not exist                           exists\nResourceObjects.\" v1 serviceaccounts kube-system shouldnotbehere\"       does not exist                           exists\n```\n\nIn this report, column A is the baseline snapshot and column B is the live cluster. The three new objects (a namespace, a service account in `kube-system` and its token secret) are the typical footprint of a `kubectl create` run against the wrong namespace.\n\n### Other functions\nKubewire supports the following commands:\n\n```\n$ kubewire -h\n...\n  diff            Compare 
snapshots with another or a live cluster\n  help            Help about any command\n  resourceobjects List API resource objects\n  resources       List API resources\n  serverinfo      Prints server info\n  snapshot        Take a snapshot of cluster resources and objects\n```\n\nYou can therefore also use it to list or export an inventory of API resources and their objects.\nThe supported export formats are JSON and YAML.\n\nExample listings:\n```\n$ kubewire resources\nGroupVersion              Kind              Name               Namespaced  Verbs\nv1                        Binding           bindings           true        [create]\nv1                        ComponentStatus   componentstatuses  false       [get list]\nv1                        ConfigMap         configmaps         true        [create delete deletecollection get list patch update watch]\napps/v1beta1              Deployment        deployments        true        [create delete deletecollection get list patch update watch]\ncrd.projectcalico.org/v1  BGPConfiguration  bgpconfigurations  false       [delete deletecollection get list patch create update watch]\n...\n\n$ kubewire resourceobjects\nGroupVersion  Resource           Namespace    Name\nv1            componentstatuses               controller-manager\nv1            componentstatuses               etcd-0\nv1            componentstatuses               etcd-1\nv1            componentstatuses               etcd-2\nv1            componentstatuses               scheduler\nv1            configmaps         kube-system  calico-config\nv1            secrets            default      default-token-wsq94\nv1            secrets            kube-public  default-token-c5qs4\napps/v1       daemonsets         kube-system  calico-node\napps/v1       daemonsets         kube-system  ip-masq-agent\n...\n```\n\n### Kubeconfig\nkubewire detects whether it is running inside a Kubernetes cluster and uses the service account\nof the Pod if available. 
If this is not the case, it looks in the default kubectl\npaths for a kubeconfig. Both cases can be overridden by setting the `kubeconfig` flag.\n\n### RBAC Rules\nkubewire needs permission to list all resource objects in a Kubernetes cluster.\nIt does not need `get` permission on individual objects. Note, however, that a Kubernetes `list` returns the full object bodies, so a service account that may list `secrets` can read every secret in the scanned namespaces; protect the kubewire service account token accordingly.\n\nAn example ClusterRole and ClusterRoleBinding are provided in the [rbac.yaml](deployment/rbac.yaml) file,\nwhich assumes that kubewire runs in a Pod as the service account `kubewire` in the\n`kube-system` namespace.\n\n## Requirements\nThis utility should work with any Kubernetes 1.7+ compatible cluster.\n\n## Next\n\n- [ ] Scan namespaced resources with global impact, e.g. PodSecurityPolicy usages\n- [ ] Add example reports\n- [ ] Review ReportDiff format and make it more usable and readable\n- [ ] Add more tests\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpostfinance%2Fkubewire","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpostfinance%2Fkubewire","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpostfinance%2Fkubewire/lists"}
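The snapshot/diff workflow and the scoping rule from the README's Usage section (all non-namespaced objects, plus namespaced objects in `default`, `kube-system` and `kube-public` unless `--namespaces` says otherwise), as an added Go example. This is not code from the kubewire repository: it models a snapshot as the set of object keys an inventory listing would produce, diffs two snapshots and prints a report in the style of `kubewire diff`. The `ResourceObject`, `Snapshot`, `Diff` and `Report` names, the key format and the sample inventories are all assumptions made for this example; nothing is read from a real cluster.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ResourceObject identifies one API object the way an inventory listing does:
// group/version, resource, namespace ("" for cluster-scoped objects) and name.
type ResourceObject struct {
	GroupVersion, Resource, Namespace, Name string
}

// Key renders the object roughly as the diff report prints it (assumed format),
// e.g. "v1 secrets kube-system shouldnotbehere-token-rwmcl".
func (o ResourceObject) Key() string {
	return strings.TrimSpace(fmt.Sprintf("%s %s %s %s", o.GroupVersion, o.Resource, o.Namespace, o.Name))
}

// DefaultGlobalNamespaces is the README's default --namespaces list.
var DefaultGlobalNamespaces = []string{"default", "kube-system", "kube-public"}

// InScope reports whether an object is scanned: every cluster-scoped object,
// plus namespaced objects whose namespace is in the global-effect list.
func InScope(o ResourceObject, globalNamespaces []string) bool {
	if o.Namespace == "" {
		return true
	}
	for _, ns := range globalNamespaces {
		if o.Namespace == ns {
			return true
		}
	}
	return false
}

// Snapshot is the set of in-scope object keys at one point in time.
type Snapshot map[string]struct{}

// TakeSnapshot reduces a listed inventory to the in-scope objects.
func TakeSnapshot(inventory []ResourceObject, globalNamespaces []string) Snapshot {
	s := Snapshot{}
	for _, o := range inventory {
		if InScope(o, globalNamespaces) {
			s[o.Key()] = struct{}{}
		}
	}
	return s
}

// Change is one report line: the object key and its state in the baseline (A)
// and in the current snapshot (B), using the wording of `kubewire diff`.
type Change struct {
	Key, A, B string
}

// Diff returns the objects present in only one of the two snapshots, sorted
// by key so that repeated runs produce a stable report.
func Diff(baseline, current Snapshot) []Change {
	var changes []Change
	for k := range baseline {
		if _, ok := current[k]; !ok {
			changes = append(changes, Change{k, "exists", "does not exist"})
		}
	}
	for k := range current {
		if _, ok := baseline[k]; !ok {
			changes = append(changes, Change{k, "does not exist", "exists"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Key < changes[j].Key })
	return changes
}

// Report renders the changes in the three-column layout of `kubewire diff`.
func Report(changes []Change) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%-70s %-15s %s\n", "Element", "A", "B")
	for _, c := range changes {
		fmt.Fprintf(&b, "%-70s %-15s %s\n", fmt.Sprintf("ResourceObjects.%q", c.Key), c.A, c.B)
	}
	return b.String()
}

func main() {
	// Constructed inventories; nothing here is read from a real cluster.
	baseline := TakeSnapshot([]ResourceObject{
		{"v1", "namespaces", "", "kube-system"},
		{"v1", "secrets", "default", "default-token-wsq94"},
		{"apps/v1", "deployments", "team-a", "web"}, // tenant namespace: out of scope
	}, DefaultGlobalNamespaces)
	// Later scan: a stray `kubectl create` left a namespace plus a service account
	// and its token secret in kube-system; the tenant-namespace change must not show.
	current := TakeSnapshot([]ResourceObject{
		{"v1", "namespaces", "", "kube-system"},
		{"v1", "namespaces", "", "appl-shouldnotbehere"},
		{"v1", "secrets", "default", "default-token-wsq94"},
		{"v1", "secrets", "kube-system", "shouldnotbehere-token-rwmcl"},
		{"v1", "serviceaccounts", "kube-system", "shouldnotbehere"},
		{"apps/v1", "deployments", "team-a", "web-v2"},
	}, DefaultGlobalNamespaces)
	fmt.Print(Report(Diff(baseline, current)))
}
```

Running the program prints the three `kube-system`/cluster-scoped additions and nothing about the tenant namespace `team-a`, which is the point of the scoping rule: a tripwire for global state should not fire on ordinary tenant activity. Passing a different slice instead of `DefaultGlobalNamespaces` is the equivalent of the `--namespaces` flag; note that it replaces the default list rather than extending it.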