Skip to content
This repository has been archived by the owner on Mar 1, 2023. It is now read-only.

Latest commit

 

History

History
27 lines (18 loc) · 2.13 KB

README.md

File metadata and controls

27 lines (18 loc) · 2.13 KB

K8s-mirror

Why?

To enable high-fidelity, offline review of Kubernetes clusters as a part of Darkbit's cloud and Kubernetes security consulting services offerings, a simple script to export all K8s resources from a cluster was developed. A modified version of this script is included in this repository as kube-exporter.sh.

The original goal of this export format was to support ingestion by the OpenCSPM analysis platform. However, there are instances where analysis is best performed with a quick run of kubectl. Without having direct access to a client's cluster, a "mirror" cluster is needed.

What?

Using the kube-exporter.sh in this repo, all the resources in a target cluster are exported to a local, new-line delimited json format. To view, this data, another instance of etcd and the kube-apiserver are needed, so that's what is baked into the container specified by this Dockerfile. The idea is that a local docker container running just the barebones components needed can be populated with the raw exported data directly into etcd.

How?

  • Clone the repository
  • Run kube-exporter.sh against the target cluster. It's output file should be named <kubecontext_name>.json.
  • Copy <kubecontext_name>.json to data/import.json
  • Modify the Dockerfile to use the correct K8S_VERSION
  • Run make build to build the docker container.
  • Run make run to launch the "mirror" cluster container. This container runs etcd, loads the data from /data/import.json into etcd, and then launches an insecure API server. That is, it runs without TLS, listens on localhost:31337 and requires a simple token for authentication as cluster-admin.
  • Run export KUBECONFIG=kubeconfig.honk
  • Run kubectl get pods -A to query for pods in the "mirror" cluster container.
  • When done, kill the container to clean up.

Warning!

This is a working proof of concept and "pre-alpha" quality. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.