Add support for pods, statefulsets and daemonsets

- change command to "kubectl plugin scan [pod|deployment|statefulset|daemonset]/name"
- ref #2

Author: stefanprodan

README.md

@@ -1,22 +1,22 @@
 # kubectl-kubesec
 
-This is a kubectl plugin for scanning Kubernetes deployments with [kubesec.io](https://kubesec.io)
+This is a kubectl plugin for scanning Kubernetes pods, deployments, daemonsets and statefulsets with [kubesec.io](https://kubesec.io)
 
 ### Install
 
 Download and extract the scan plugin to `~/.kube/plugins/scan`:
 
 ```bash
 mkdir -p ~/.kube/plugins/scan && \
-curl -sL https://github.com/stefanprodan/kubectl-kubesec/releases/download/0.1.0/kubectl-kubesec_0.1.0_`uname -s`_amd64.tar.gz | tar xzvf - -C ~/.kube/plugins/scan
+curl -sL https://github.com/stefanprodan/kubectl-kubesec/releases/download/0.1.0/kubectl-kubesec_0.2.0_`uname -s`_amd64.tar.gz | tar xzvf - -C ~/.kube/plugins/scan
 ```
 
 ### Usage
 
-Scan a deployment:
+Scan a Deployment:
 
 ```bash
-kubectl -n kube-system plugin scan kubernetes-dashboard
+kubectl -n kube-system plugin scan deployment/kubernetes-dashboard
 ```
 
 Result:
@@ -36,3 +36,72 @@ Run as a high-UID user to avoid conflicts with the host's user table
 5. containers[] .securityContext .capabilities .drop | index("ALL")
 Drop all capabilities and add only those required to reduce syscall attack surface
 ```
+
+Scan a DaemonSet:
+
+```bash
+kubectl -n weave plugin scan daemonset/weave-scope-agent
+```
+
+Result:
+
+```
+daemonset/weave-scope-agent kubesec.io score -54
+-----------------
+Critical
+1. containers[] .securityContext .privileged == true
+Privileged containers can allow almost completely unrestricted host access
+2. .spec .hostNetwork
+Sharing the host's network namespace permits processes in the pod to communicate with processes bound to the host's loopback adapter
+3. .spec .hostPID
+Sharing the host's PID namespace allows visibility of processes on the host, potentially leaking information such as environment variables and configuration
+4. .spec .volumes[] .hostPath .path == "/var/run/docker.sock"
+Mounting the docker.socket leaks information about other containers and can allow container breakout
+```
+
+Scan a StatefulSet:
+
+```bash
+kubectl plugin scan statefulset/memcached
+```
+
+Result:
+
+```
+statefulset/memcached kubesec.io score 2
+-----------------
+Advise
+1. .spec .volumeClaimTemplates[] .spec .accessModes | index("ReadWriteOnce")
+2. containers[] .securityContext .runAsNonRoot == true
+Force the running image to run as a non-root user to ensure least privilege
+3. containers[] .securityContext .capabilities .drop
+Reducing kernel capabilities available to a container limits its attack surface
+4. containers[] .securityContext .readOnlyRootFilesystem == true
+An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost
+5. containers[] .securityContext .runAsUser > 10000
+Run as a high-UID user to avoid conflicts with the host's user table
+```
+
+Scan a Pod:
+
+```bash
+kubectl -n kube-system plugin scan pod/tiller-deploy-5c688d5f9b-ztjbt
+```
+
+Result:
+
+```
+pod/tiller-deploy-5c688d5f9b-ztjbt kubesec.io score 3
+-----------------
+Advise
+1. containers[] .securityContext .runAsNonRoot == true
+Force the running image to run as a non-root user to ensure least privilege
+2. containers[] .securityContext .capabilities .drop
+Reducing kernel capabilities available to a container limits its attack surface
+3. containers[] .securityContext .readOnlyRootFilesystem == true
+An immutable root filesystem can prevent malicious binaries being added to PATH and increase attack cost
+4. containers[] .securityContext .runAsUser > 10000
+Run as a high-UID user to avoid conflicts with the host's user table
+5. containers[] .securityContext .capabilities .drop | index("ALL")
+Drop all capabilities and add only those required to reduce syscall attack surface
+```

kubesec.go

@@ -0,0 +1,96 @@
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"mime/multipart"
+	"net/http"
+)
+
+type KubesecResult struct {
+	Score   int `json:"score"`
+	Scoring struct {
+		Critical []struct {
+			Selector string `json:"selector"`
+			Reason   string `json:"reason"`
+			Weight   int    `json:"weight"`
+		} `json:"critical"`
+		Advise []struct {
+			Selector string `json:"selector"`
+			Reason   string `json:"reason"`
+			Href     string `json:"href,omitempty"`
+		} `json:"advise"`
+	} `json:"scoring"`
+}
+
+func (r *KubesecResult) print(resource string) {
+	fmt.Println(fmt.Sprintf("%v kubesec.io score %v", resource, r.Score))
+	fmt.Println("-----------------")
+	if len(r.Scoring.Critical) > 0 {
+		fmt.Println("Critical")
+		for i, el := range r.Scoring.Critical {
+			fmt.Println(fmt.Sprintf("%v. %v", i+1, el.Selector))
+			if len(el.Reason) > 0 {
+				fmt.Println(el.Reason)
+			}
+
+		}
+		fmt.Println("-----------------")
+	}
+	if len(r.Scoring.Advise) > 0 {
+		fmt.Println("Advise")
+		for i, el := range r.Scoring.Advise {
+			fmt.Println(fmt.Sprintf("%v. %v", i+1, el.Selector))
+			if len(el.Reason) > 0 {
+				fmt.Println(el.Reason)
+			}
+		}
+	}
+}
+
+func getResult(definition bytes.Buffer) (*KubesecResult, error) {
+
+	bodyBuf := &bytes.Buffer{}
+	bodyWriter := multipart.NewWriter(bodyBuf)
+
+	fileWriter, err := bodyWriter.CreateFormFile("uploadfile", "object.yaml")
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = io.Copy(fileWriter, &definition)
+	if err != nil {
+		return nil, err
+	}
+
+	contentType := bodyWriter.FormDataContentType()
+	bodyWriter.Close()
+
+	resp, err := http.Post("https://kubesec.io/", contentType, bodyBuf)
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(body) < 1 {
+		return nil, errors.New("unknown result")
+	}
+
+	var result KubesecResult
+	err = json.Unmarshal(body, &result)
+	if err != nil {
+		return nil, err
+	}
+
+	return &result, nil
+}