K8s-mirror
Why?
To enable high-fidelity, offline review of Kubernetes clusters as a part of Darkbit's cloud and Kubernetes security consulting services offerings, a simple script to export all K8s resources from a cluster was developed. A modified version of this script is included in this repository as kube-exporter.sh.
The original goal of this export format was to support ingestion by the OpenCSPM analysis platform. However, there are instances where analysis is best performed with a quick run of kubectl. Without having direct access to a client's cluster, a "mirror" cluster is needed.
What?
Using the kube-exporter.sh in this repo, all the resources in a target cluster are exported to a local, newline-delimited JSON format. To view this data, another instance of etcd and the kube-apiserver are needed, so that's what is baked into the container specified by this Dockerfile. The idea is that a local docker container running just the barebones components needed can be populated by loading the raw exported data directly into etcd.
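Because the export holds every resource in the cluster, it is worth knowing what an export file contains before copying it around. The following is an added example, not code from this repository: a Python inventory of a newline-delimited JSON export that counts resources by kind and lists Secret objects by name and key names only. It assumes each line is either a single resource or a List wrapper with an items array; the sample data is constructed.

```python
import json
from collections import Counter

# Constructed sample of an export file: one JSON document per line.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"kind": "Pod", "metadata": {"name": "web", "namespace": "default"}}),
    json.dumps({"kind": "Secret", "metadata": {"name": "db-creds", "namespace": "prod"},
                "type": "Opaque", "data": {"password": "Y29uc3RydWN0ZWQ="}}),
    json.dumps({"kind": "List", "items": [
        {"kind": "ConfigMap", "metadata": {"name": "cfg", "namespace": "default"}},
        {"kind": "Secret", "metadata": {"name": "tls", "namespace": "default"},
         "type": "kubernetes.io/tls", "data": {"tls.key": "", "tls.crt": ""}}]}),
    "",            # blank line, skipped
    "{not json",   # truncated line, reported
])

def iter_objects(text):
    """Yield (line_no, resource dict), or (line_no, None) for unusable lines."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            yield line_no, None
            continue
        # Assumption: a line is one resource, or a List wrapper with "items".
        wrapped = isinstance(doc, dict) and isinstance(doc.get("items"), list)
        for obj in (doc["items"] if wrapped else [doc]):
            yield line_no, obj if isinstance(obj, dict) else None

def summarize(text):
    """Return (kind counts, Secret inventory, line numbers that failed to parse)."""
    kinds, secrets, bad_lines = Counter(), [], []
    for line_no, obj in iter_objects(text):
        if obj is None:
            bad_lines.append(line_no)
            continue
        kind = obj.get("kind", "<unknown>")
        kinds[kind] += 1
        if kind == "Secret":
            meta = obj.get("metadata", {})
            # Record identifying metadata and key names only, never the values.
            secrets.append((meta.get("namespace", ""), meta.get("name", ""),
                            obj.get("type", ""), sorted(obj.get("data") or {})))
    return kinds, secrets, bad_lines

if __name__ == "__main__":
    kinds, secrets, bad = summarize(SAMPLE_EXPORT)
    print(dict(kinds), secrets, "unparseable lines:", bad, sep="\n")
```
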
How?
- Clone the repository
- Run kube-exporter.sh against the target cluster. Its output file should be named <kubecontext_name>.json.
- Copy <kubecontext_name>.json to data/import.json
- Modify the Dockerfile to use the correct K8S_VERSION
- Run make build to build the docker container.
- Run make run to launch the "mirror" cluster container. This container runs etcd, loads the data from /data/import.json into etcd, and then launches an insecure API server. That is, it runs without TLS, listens on localhost:31337 and requires a simple token for authentication as cluster-admin.
- Run export KUBECONFIG=kubeconfig.honk
- Run kubectl get pods -A to query for pods in the "mirror" cluster container.
- When done, kill the container to clean up.
Warning!
This is a working proof of concept and "pre-alpha" quality. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.