prowler-cloud/prowler

SSH Access to Kuberenetes clusters for K8S Scans via UI.

Open

#6.394 aberto em 8 de jan. de 2025

Ver no GitHub
 (3 comments) (3 reactions) (0 assignees)Python (1.322 forks)batch import
component/uifeature-requesthelp wanted

Métricas do repositório

Stars
 (8.957 stars)
Métricas de merge de PR
 (Mesclagem média 9d 17h) (314 fundiu PRs em 30d)

Description

New feature motivation

It is best practice to not expose Kubernetes API endpoints directly to the internet.

Solution Proposed

A common access method for remote teams is to access via a SSH bastion using Public/Private keys. The following example is from a recent CNCF hackathon run by ControlPlane, where teams were given access to the Kubernetes infra with the following SSH config:

Host bastion xx.xx.20.99
    Hostname xx.xx.20.99
    User player
    RequestTTY force
    ForwardAgent yes
    IdentityFile simulator_rsa
    UserKnownHostsFile simulator_known_hosts

In this example, all KubeCtl commands were run from the bastion terminal, but we could easily instead configure a port forward through the SSH tunnel allowing the prowler scanner to access the tunelled cluster through a modified kubeconfig.

Host bastion xx.xx.20.99
    Hostname xx.xx.20.99
    User bastion
    LocalForward 30001 customers.kubernetes.cluster:6443
    IdentityFile simulator_rsa
    UserKnownHostsFile simulator_known_hosts

With a Kubeconfig on the prowler side as follows:

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <redacted>
    #OLD server: https://customers.kubernetes.cluster:6443
    server: https://127.0.0.1:30001

Describe alternatives you've considered

  1. We could also offer an API endpoint with our infrastructure IP ranges, allowing users to programatically lock down their Kubernetes API endpoints to just those IP's used by the prowler SaaS infrastructure, similar to AWS's IP range JSON here: https://ip-ranges.amazonaws.com/ip-ranges.json
  2. We could also offer popular software-defined-vpn endpoints to allow prowler SaaS to take part as an endpoint in the customers VPN, for example, a tailscale connector which would then allow the customer to give 'Prowlers' endpoint on their VPN access to their Kubernetes API.

Additional context

No response

Guia do colaborador