|
1 | 1 | from argparse import ArgumentParser
|
2 | 2 | import engine.utils
|
| 3 | +import engine.privleged_containers |
3 | 4 | from prettytable import PrettyTable
|
4 | 5 | from engine.priority import Priority
|
5 | 6 | from misc.colours import *
|
@@ -305,6 +306,26 @@ def print_pods_with_access_secret_via_environment(namespace=None):
|
305 | 306 |
|
306 | 307 | print_table_aligned_left(t)
|
307 | 308 |
|
| 309 | +def parse_security_context(security_context): |
| 310 | + context = '' |
| 311 | + if security_context: |
| 312 | + dict = security_context.to_dict() |
| 313 | + for key in dict.keys(): |
| 314 | + if dict[key] is not None: |
| 315 | + context += '{0}: {1}\n'.format(key, dict[key]) |
| 316 | + return context |
| 317 | + |
| 318 | +def print_privileged_containers(namespace=None): |
| 319 | + print("+---------------------+") |
| 320 | + print("|Privileged Containers|") |
| 321 | + t = PrettyTable(['Pod', 'Namespace', 'Pod Security Context', 'Container', 'Container Security Context']) |
| 322 | + pods = engine.privleged_containers.get_privileged_containers(namespace) |
| 323 | + for pod in pods: |
| 324 | + for container in pod.spec.containers: |
| 325 | + t.add_row([pod.metadata.name, pod.metadata.namespace, parse_security_context(pod.spec.security_context), container.name, parse_security_context(container.security_context)]) |
| 326 | + |
| 327 | + print_table_aligned_left(t) |
| 328 | + |
308 | 329 | def print_join_token():
|
309 | 330 | import os
|
310 | 331 | from api.api_client import running_in_docker_container
|
@@ -356,7 +377,7 @@ def print_logo():
|
356 | 377 | -osssssssssssssssssssssssssssss-
|
357 | 378 | `/ssssssssssssssssssssssssss/`
|
358 | 379 |
|
359 |
| - KubiScan version 1.1 |
| 380 | + KubiScan version 1.2 |
360 | 381 | Author: Eviatar Gerzi
|
361 | 382 | '''
|
362 | 383 | print(logo)
|
@@ -398,7 +419,7 @@ def main():
|
398 | 419 | 'Use the -d\--deep switch to read the tokens from the current running containers', required=False)
|
399 | 420 | opt.add_argument('-d', '--deep', action='store_true', help='Works only with -rp\--risky-pods switch. If this is specified, it will execute each pod to get its token.\n'
|
400 | 421 | 'Without it, it will read the pod mounted service account secret from the ETCD, it less reliable but much faster.', required=False)
|
401 |
| - |
| 422 | + opt.add_argument('-pp', '--privleged-pods', action='store_true', help='Get all privileged Pods\Containers.', required=False) |
402 | 423 | opt.add_argument('-a', '--all', action='store_true',help='Get all risky Roles\ClusterRoles, RoleBindings\ClusterRoleBindings, users and pods\containers', required=False)
|
403 | 424 |
|
404 | 425 | opt.add_argument('-jt', '--join-token', action='store_true', help='Get join token for the cluster. OpenSsl must be installed + kubeadm', required=False)
|
@@ -498,6 +519,8 @@ def main():
|
498 | 519 | print_all_risky_containers(priority=args.priority, namespace=args.namespace, read_token_from_container=args.deep)
|
499 | 520 | if args.all:
|
500 | 521 | print_all(days=args.less_than, priority=args.priority, read_token_from_container=args.deep)
|
| 522 | + elif args.privleged_pods: |
| 523 | + print_privileged_containers(namespace=args.namespace) |
501 | 524 | elif args.join_token:
|
502 | 525 | print_join_token()
|
503 | 526 | elif args.pods_secrets_volume:
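Review bot: print_privileged_containers only walks pod.spec.containers, so init containers (pod.spec.init_containers) never appear in the report even though they can carry a privileged security context like any other container; if get_privileged_containers (not visible here) ignores them as well the whole class goes unaudited, and if it does flag them the pod is listed without the container that triggered it. Iterating both lists closes the gap: `for container in list(pod.spec.containers) + list(pod.spec.init_containers or []):`. Separately, parse_security_context rebinds the builtin name `dict` to the result of to_dict() and then does a double lookup per key; `fields = security_context.to_dict()` followed by `for key, value in fields.items():` and `if value is not None:` avoids both. The misspelling "privleged" is now user-facing through `--privleged-pods` (the help text spells it correctly), so adding `'--privileged-pods'` as an extra option string in that add_argument call would let users type the expected name while keeping the current one working.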
|
|