Awesome
K8s-mirror
Why?
To enable high-fidelity, offline review of Kubernetes clusters as a part of Darkbit's cloud and Kubernetes security consulting services offerings, a simple script to export all K8s resources from a cluster was developed. A modified version of this script is included in this repository as kube-exporter.sh.
The original goal of this export format was to support ingestion by the OpenCSPM analysis platform. However, there are instances where analysis is best performed with a quick run of kubectl. Without having direct access to a client's cluster, a "mirror" cluster is needed.
What?
Using the kube-exporter.sh in this repo, all the resources in a target cluster are exported to a local, new-line delimited json format. To view, this data, another instance of etcd and the kube-apiserver are needed, so that's what is baked into the container specified by this Dockerfile. The idea is that a local docker container running just the barebones components needed can be populated with the raw exported data directly into etcd.
How?
- Clone the repository
- Run
kube-exporter.shagainst the target cluster. It's output file should be named<kubecontext_name>.json. - Copy
<kubecontext_name>.jsontodata/import.json - Modify the
Dockerfileto use the correctK8S_VERSION - Run
make buildto build the docker container. - Run
make runto launch the "mirror" cluster container. This container runs etcd, loads the data from/data/import.jsoninto etcd, and then launches an insecure API server. That is, it runs without TLS, listens onlocalhost:31337and requires a simple token for authentication ascluster-admin. - Run
export KUBECONFIG=kubeconfig.honk - Run
kubectl get pods -Ato query for pods in the "mirror" cluster container. - When done, kill the container to clean up.
Warning!
This is a working proof of concept and "pre-alpha" quality. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.