{"id":26211719,"url":"https://github.com/snailsploit/kuberoast","last_synced_at":"2025-07-26T03:09:46.264Z","repository":{"id":280025226,"uuid":"940780830","full_name":"SnailSploit/Kuberoast","owner":"SnailSploit","description":"a lightweight, pentester-oriented tool for Kubernetes \u0026 container misconfiguration scanning**. It enumerates pods, deployments, RBAC settings, secrets, and nodes to highlight common risks like:","archived":false,"fork":false,"pushed_at":"2025-02-28T20:06:51.000Z","size":27,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-12T08:35:37.668Z","etag":null,"topics":["kuebernetes","penetration-testing-tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SnailSploit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-28T19:26:36.000Z","updated_at":"2025-02-28T20:06:54.000Z","dependencies_parsed_at":"2025-02-28T22:59:29.947Z","dependency_job_id":"197d46f0-b95b-481f-88a7-fb89eef373fa","html_url":"https://github.com/SnailSploit/Kuberoast","commit_stats":null,"previous_names":["snailsploit/kuberoast"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/SnailSploit/Kuberoast","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FKuberoast","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FKuberoast/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FKuberoast/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FKuberoast/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SnailSploit","download_url":"https://codeload.github.com/SnailSploit/Kuberoast/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SnailSploit%2FKuberoast/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267110004,"owners_count":24037632,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-26T02:00:08.937Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kuebernetes","penetration-testing-tools"],"created_at":"2025-03-12T08:28:53.107Z","updated_at":"2025-07-26T03:09:46.222Z","avatar_url":"https://github.com/SnailSploit.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"Kuberoast\n---\nKuberoast is a lightweight, \npentester-oriented tool for Kubernetes \u0026 container misconfiguration scanning.\nIt enumerates pods, deployments, RBAC settings, secrets, and nodes to highlight common risks like:\n---\n- Privileged containers  \n- Containers allowed to run as root  \n- Host network/IPC usage  \n- Insecure or missing security contexts (read-only root FS, dropped capabilities, etc.)  \n- Overly broad RBAC bindings (e.g., cluster-admin for wildcard subjects)  \n- Base64-decoded secrets possibly containing passwords or tokens  \n- Kubelet insecure ports or anonymous API server access  \n- _(Optional)_ **Privilege escalation** attempts by checking if a privileged pod can access the host filesystem  \n---\n## Features\n- **Lightweight \u0026 Focused**: Ideal for quick checks or red-team engagements.  \n- **Pentest-Centric**: Emphasizes misconfigurations that enable lateral movement or cluster takeovers.  \n- **Extensible**: Written in Python; easy to add custom checks.  \n---\n## Installation\n\n1. Clone this repo:\n\n   ```bash\n   git clone https://github.com/snailsploit/Kuberoast.git\n   cd Kuberoast\n   ```\n#This installs the kubernetes and requests libraries required by Kuberoast.\n\n##Usage\n```bash\npython main.py [OPTIONS]\n```\n\n##Common Options\n```bash\n--report-format \u003cjson|text\u003e\n```\n#Output results in JSON (default) or a simplified text format.\n\n```bash\n--skip-secrets\n```\n3Skip listing and decoding Secrets. Useful if your RBAC does not allow it or if you want to avoid sensitive data.\n\n```bash\n--skip-nodes\n```\n3Skip enumerating Nodes and checking for insecure Kubelet ports.\n\n```bash\n--exploit-namespace \u003cnamespace\u003e\n```\n#Specify a namespace for the privilege escalation check.\n\n```bash\n--exploit-pod \u003cpod\u003e\n```\n#Specify a pod name for the privilege escalation check. If both this and --exploit-namespace are provided, Kuberoast attempts to see if the container can access /host/root.\n\n##Example Commands\n#Basic All-in-One Scan (no exploitation attempt):\n\n```bash\npython main.py\n```\n\nText-Based Output:\n\n```bash\npython main.py --report-format text\n```\nSkip Secrets \u0026 Node Checks (limited RBAC):\n\n```bash\npython main.py --skip-secrets --skip-nodes\n```\nPrivilege Escalation Attempt:\n\n```bash\n\npython main.py \\\n    --exploit-namespace default \\\n    --exploit-pod my-privileged-pod\n```\nIf /host/root is mounted inside my-privileged-pod, Kuberoast will detect potential host-level file access.\n\n##Sample JSON Output\n```json\n{\n  \"privileged_containers\": [\n    {\n      \"namespace\": \"default\",\n      \"pod\": \"test-pod\",\n      \"container\": \"app\",\n      \"issue\": \"Privileged container\"\n    }\n  ],\n  \"kubelet_insecure\": [\n    {\n      \"node\": \"node1\",\n      \"ip\": \"10.0.0.1\",\n      \"port\": 10255,\n      \"issue\": \"Kubelet read-only/insecure port is open\"\n    }\n  ]\n}\n```\n\n\n##How It Works\n#Enumeration:\n- Kuberoast lists Pods, Deployments, DaemonSets, RBAC objects (Roles, ClusterRoles, Bindings), and (optionally) Secrets and Nodes.\n---\n##Checks:\n- Pod Security: Identifies privileged containers, root containers, host networking, missing read-only FS, etc.\n- RBAC: Looks for cluster-admin privileges assigned to wildcard groups/users.\n- Secrets: Decodes base64 data and flags suspicious keywords.\n- Kubelet Ports: Probes node IPs for insecure read-only ports (default 10255).\n- Privilege Escalation (optional): Executes a simple command to see if the pod can list /host/root.\n- Reporting: Generates a JSON or text-based report summarizing findings.\n---\n##Disclaimers\n- Authorization: Use Kuberoast only on clusters you have explicit permission to test.\n- BAC: Some checks (e.g., enumerating Secrets) require cluster-wide permissions. If you lack them, certain checks will fail gracefully.\n- privilege Escalation: Attempting to list /host/root can reveal real host files if the pod is truly privileged with a host mount. Use responsibly and with consent.\n- contributing\n- Fork this repository.\n- Create a feature branch (git checkout -b new-feature).\n- Commit your changes (git commit -m \"Add some feature\").\n- Push to your branch (git push origin new-feature).\n- Create a Pull Request against the main repo.\n#We welcome bug reports, feature requests, and pull requests.\n---\n##License\n#Kuberoast is released under the MIT License. Feel free to modify and distribute under the same license terms.\n\n#Happy Pentesting!\n\n\n---\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnailsploit%2Fkuberoast","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnailsploit%2Fkuberoast","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnailsploit%2Fkuberoast/lists"}