prowler-cloud/prowler

SSH Access to Kuberenetes clusters for K8S Scans via UI.

Open

#6,394 建立於 2025年1月8日

在 GitHub 查看
 (3 留言) (3 反應) (0 負責人)Python (1,322 fork)batch import
component/uifeature-requesthelp wanted

倉庫指標

Star
 (8,957 star)
PR 合併指標
 (平均合併 9天 17小時) (30 天內合併 314 個 PR)

描述

New feature motivation

It is best practice to not expose Kubernetes API endpoints directly to the internet.

Solution Proposed

A common access method for remote teams is to access via a SSH bastion using Public/Private keys. The following example is from a recent CNCF hackathon run by ControlPlane, where teams were given access to the Kubernetes infra with the following SSH config:

Host bastion xx.xx.20.99
    Hostname xx.xx.20.99
    User player
    RequestTTY force
    ForwardAgent yes
    IdentityFile simulator_rsa
    UserKnownHostsFile simulator_known_hosts

In this example, all KubeCtl commands were run from the bastion terminal, but we could easily instead configure a port forward through the SSH tunnel allowing the prowler scanner to access the tunelled cluster through a modified kubeconfig.

Host bastion xx.xx.20.99
    Hostname xx.xx.20.99
    User bastion
    LocalForward 30001 customers.kubernetes.cluster:6443
    IdentityFile simulator_rsa
    UserKnownHostsFile simulator_known_hosts

With a Kubeconfig on the prowler side as follows:

apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: <redacted>
    #OLD server: https://customers.kubernetes.cluster:6443
    server: https://127.0.0.1:30001

Describe alternatives you've considered

  1. We could also offer an API endpoint with our infrastructure IP ranges, allowing users to programatically lock down their Kubernetes API endpoints to just those IP's used by the prowler SaaS infrastructure, similar to AWS's IP range JSON here: https://ip-ranges.amazonaws.com/ip-ranges.json
  2. We could also offer popular software-defined-vpn endpoints to allow prowler SaaS to take part as an endpoint in the customers VPN, for example, a tailscale connector which would then allow the customer to give 'Prowlers' endpoint on their VPN access to their Kubernetes API.

Additional context

No response

貢獻者指南