Skip to content

Credential and sensitive information harvester for kubernetes environments.

License

Notifications You must be signed in to change notification settings

sleventyeleven/Kubernetes-Harvester

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Kubernetes-Harvester

Overview

harvester.py is a fairly simple script that attempt to utilize the automountservicetoken or ~/.kube/config credentials to request all pod specs from kubernetes.

The each pod spec's container(s) environment variables are then reviewed for key words which could indicate potential credentials.

The script then goes further to similar examine any configmaps loaded into a containers Env and also reviews the Env hardcoded with the image manifest.

Finally it checks to see if auth tokens for the main cloud providers can be requested via the metadata API.

Basic Usage

usage: harvester.py [-h] [-v] [-w] [-o OUTFILE]

Try to gather potential creds from kubernetes

optional arguments:

-h, --help show this help message and exit

-v, --verbose Whether or not to display additional log information

-w, --write Whether to write a log file, can be used with -0 to specify name/location

-o OUTFILE, --outfile OUTFILE The file to write results (needs to be writable for current user)

TODO

  • Enhance configmap code to include nested maps and function loads like container envFrom
  • Review command history for other interesting files that might be embedded within the image

About

Credential and sensitive information harvester for kubernetes environments.

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published