KubeAPI-Inspector: Discover the secrets hidden in apis

A tool specifically designed for Kubernetes environments aims to efficiently and automatically discover hidden vulnerable APIs within clusters. It reveals and demonstrates a common error through a workshop format, which could lead to API endpoint authentication failures and potentially compromise the entire cluster. The workshop can be deployed using Kubernetes resource YAML files.

Features

• 【✅】Automatically parse OpenAPI to identify sensitive fields
• 【✅】Automatically detect potential authentication bypass APIs
• 【✅】Automatically load credentials from the environment

• 【 】Automatically discover services and detect potential vulnerabilities in extension API servers
• 【 】exploitation of known control plane components?

• 【✅】Flawed implementation of the REST layer

• 【 】Typical vulnerabilities involving operator controllers

1. golang>1.22
2. kubernetes and docker
3. linux-amd64, linux-arm

CWD: /repo/

1. use go build CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -o inspector cmd/inspector/main.go
2. or use docker to build docker build . -t inspector:latest

CWD: /repo/workshop/

1. setup a kubernetes cluster, maybe you should use minikube, e.g. minikube start --kubernetes-version='v1.23.17'
2. build workshop image with docker docker build . -t workshop-apiserver:latest
3. deploy etcd for workshop-apiserver cd workshop/examples/etcd && ./generate-certs.sh && deploy.sh
4. create workshop k8s resource cat examples/{namespace,apiserviceservice,workshop-apiserver-sa,workshop-apiserver-clusterrolebinding,workshop-apiserver-deployment}.yaml | kubectl apply -f -
5. create demo cluster resource and tenant accounts kubectl apply -f examples/tenant

1. download binary in pod
2. run binary ./inspector

1. ./inspector -kubeconfig path/to/kubeconfig
2. test other namespace ./inspector -kubeconfig path/to/kubeconfig -namespace kube-system
3. skip sensitive field test ./inspector -kubeconfig path/to/kubeconfig -skipCheckSensitiveField=true

Download