kubewire

Published: Jun 27, 2018 License: MIT Imports: 1 Imported by: 0

README

kubewire

kubewire is a Kubernetes integrity checker which acts as a tripwire for global Kubernetes resources or namespaced resources which could impact the whole cluster.

Status: Alpha, anything can change at any time

Use case

Kubernetes cluster administrators have great power. This means that a mistake they make could cause the cluster to become unhealthy or insecure and, as such, could impact any or all tenants sharing the cluster. Kubewire does not prevent mistakes but it is intended to notice modifications.

Common sources for such modifications are:

  • kubectl create on objects whose manifests define the wrong namespace
  • A wrong kubeconfig, or no namespace defined at all
  • Running tools which create objects in other namespaces, e.g. Helm's Tiller is deployed to kube-system by default

Kubewire is not focused on hidden malicious acts and does not back up any objects. It is therefore best used together with an automated deployment/configuration tool which ensures that all global objects have the state you wish. Kubewire just ensures that no additional objects are created unintentionally.

Installation

In order to get the latest version, do

go get -u github.com/postfinance/kubewire

You should have a working Go installation.

Precompiled binaries will be provided soon for the common platforms.

Usage

By default, all non-namespaced resources will be scanned. In addition, the following namespaces are considered to have a global effect, so their namespaced resources will also be scanned:

  • default
  • kube-system
  • kube-public

This list can be customized with the --namespaces flag.

$ kubewire snapshot > baseline.yaml

$ ./thisdoessomemagic

$ kubewire diff --baseline=baseline.yaml
Element                                                                 A                                        B
ScanStart                                                               2018-06-12 14:19:14.152560709 +0200 CEST 2018-06-14 10:22:18.083728367 +0200 CEST m=+0.028297121
ScanEnd                                                                 2018-06-12 14:19:42.870490496 +0200 CEST 2018-06-14 10:22:46.602422832 +0200 CEST m=+28.546991607
ResourceObjects." v1 namespaces  appl-shouldnotbehere"                  does not exist                           exists
ResourceObjects." v1 secrets kube-system shouldnotbehere-token-rwmcl"   does not exist                           exists
ResourceObjects." v1 serviceaccounts kube-system shouldnotbehere"       does not exist                           exists
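
To make the snapshot/diff workflow above concrete, here is an added Go sketch (example code, not kubewire's own) of the two pieces such a tripwire needs: a scope filter that keeps cluster-scoped objects plus objects in the global-effect namespaces, and a set diff that emits rows in the shape of the ResourceObjects lines shown above. The Resource, Snapshot, TakeSnapshot and Diff names, and the sample objects, are assumptions constructed for this example.

```go
package main

import "fmt"
import "sort"

// Resource is the identity kubewire prints for an object: API version, kind,
// namespace (empty for cluster-scoped objects) and name. Constructed for this example.
type Resource struct{ Version, Kind, Namespace, Name string }

// Key renders the object in the " v1 kind namespace name" shape of the
// ResourceObjects rows in the diff output above.
func (r Resource) Key() string {
	return fmt.Sprintf(" %s %s %s %s", r.Version, r.Kind, r.Namespace, r.Name)
}
// Snapshot is a hypothetical baseline: the set of in-scope object keys.
type Snapshot map[string]bool

// TakeSnapshot keeps cluster-scoped objects plus objects in the namespaces
// considered to have global effect (default, kube-system, kube-public by default).
func TakeSnapshot(objs []Resource, namespaces []string) Snapshot {
	global := map[string]bool{}
	for _, ns := range namespaces {
		global[ns] = true
	}
	s := Snapshot{}
	for _, r := range objs {
		if r.Namespace == "" || global[r.Namespace] {
			s[r.Key()] = true
		}
	}
	return s
}

// Diff lists keys present in exactly one snapshot as "key A B" rows, sorted.
func Diff(a, b Snapshot) []string {
	var rows []string
	for k := range a {
		if !b[k] {
			rows = append(rows, fmt.Sprintf("ResourceObjects.%q exists does not exist", k))
		}
	}
	for k := range b {
		if !a[k] {
			rows = append(rows, fmt.Sprintf("ResourceObjects.%q does not exist exists", k))
		}
	}
	sort.Strings(rows)
	return rows
}
```

Objects in a tenant namespace outside the list are dropped at snapshot time, so changes there never show up in the report, which is exactly the scope the README describes.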

Kubeconfig

kubewire detects if it is running in a Kubernetes cluster and uses the service account of the Pod if available. If this is not the case, it looks in the default kubectl paths for a kubeconfig. Both cases can be overridden by setting the 'kubeconfig' flag.

RBAC Rules

RBAC Rules will be provided soon

Requirements

This utility should work with any Kubernetes 1.7+ compatible cluster.

Next

  • Scan namespaced resources with global impact e.g. PodSecurityPolicy usages
  • Add example reports
  • Provide RBAC yaml
  • Review ReportDiff format and make it more usable and readable
  • Add more tests


Directories

Path Synopsis
pkg
