kubearmor / k8tls
k8tls (pronounced cattles), to assess server port security by detecting its TLS and certificates configuration.
License: Apache License 2.0
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
Dockerfile
ubuntu 22.04
.github/workflows/ci-docker-release.yml
actions/checkout v3
docker/setup-qemu-action v2
docker/setup-buildx-action v2
docker/login-action v2
docker/build-push-action v4
docker/build-push-action v4
With KubeTLS it should be possible to enlist all the container ports on the current system and check the TLS posture.
Changes to generate the JSON report on a single line so that Fluent-Bit can send this report to external entities in one go. Otherwise we end up sending the data line by line.
It will be important to explain the differentiation.
TLDR; This project differentiates itself by automating k8s service port scanning for security settings, TLS config, and certificate config.
Tasks:
Currently k8tls can only scan/verify Kubernetes Services, so extend it to support the following:
Currently k8tls reports mostly on east-west traffic based on k8s services.
However, external traffic is delivered through virtualservices, gateways, and ingress controllers. It should be possible to scan these endpoints using k8tls, and that will be more valuable.
```
❯ k get virtualservices.networking.istio.io -A
NAMESPACE                NAME                               GATEWAYS                                HOSTS                              AGE
accuknox-dev-divy        divy-virtual-service               ["istio-system/divy-gateway"]           ["cspm.dev.accuknox.com"]          132d
accuknox-dev-divy        divy-wildcard-virtual-service      ["istio-system/divy-wildcard-gateway"]  ["*.cspm.dev.accuknox.com"]        57d
accuknox-dev-saltstack   saltmaster-virtual-service         ["saltmaster-gateway"]                  ["*"]                              110d
accuknox-dev-soarcast    redis-virtual-service              ["redis-gateway"]                       ["redis.dev.accuknox.com"]         132d
istio-system             api-dev-accuknox-com-virtual-svc   ["dev-gateway"]                         ["cwpp.dev.accuknox.com"]          132d
wildcard-test            nginx-virtual-service              ["istio-system/nginx-gateway"]          ["test.wild-test.accuknox.com"]    63d

❯ k get gw -A
NAMESPACE                NAME                    AGE
accuknox-dev-saltstack   saltmaster-gateway      110d
accuknox-dev-soarcast    redis-gateway           132d
istio-system             dev-gateway             132d
istio-system             divy-gateway            62d
istio-system             divy-wildcard-gateway   57d
wildcard-test            nginx-gateway           63d

❯ k get gw -n istio-system divy-wildcard-gateway -o yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.istio.io/v1beta1","kind":"Gateway","metadata":{"annotations":{},"name":"divy-wildcard-gateway","namespace":"istio-system"},"spec":{"selector":{"app":"istio-ingressgateway"},"servers":[{"hosts":["*.cspm.dev.accuknox.com"],"port":{"name":"https","number":443,"protocol":"HTTPS"},"tls":{"credentialName":"dev-cspm-wildcard","mode":"SIMPLE"}}]}}
  creationTimestamp: "2023-11-21T10:55:58Z"
  generation: 1
  name: divy-wildcard-gateway
  namespace: istio-system
  resourceVersion: "223430089"
  uid: 7ca6f02a-b95a-4822-91fa-adaa0beb1a06
spec:
  selector:
    app: istio-ingressgateway
  servers:
  - hosts:
    - '*.cspm.dev.accuknox.com'
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: dev-cspm-wildcard
      mode: SIMPLE
```
| Status | Count |
|---|---|
| certificate has expired | 2 |
| self-signed certificate | 10 |
| insecure port used | 20 |
| failed connections | 5 |
| all checks ok | 25 |
| TOTAL | 62 |