Ajinkya kubernetes prevention #128
base: development
Conversation
| 4. **Check the network mode of each task definition:** | ||
|
|
||
| ```python | ||
| for task_definition in response['taskDefinitionArns']: |
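Review bot: Nothing on these lines carries a credential, so the secret-scanner hit on this hunk is a false positive; the real gap is pagination. If `response` is the result of a single `list_task_definitions` call, `response['taskDefinitionArns']` holds only the first page (100 ARNs by default) and every task definition past it is never checked. Iterate `ecs.get_paginator('list_task_definitions').paginate(status='ACTIVE')` instead, which also keeps inactive revisions out of the report.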
Secret: Secret Keyword
|
|
||
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
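Review bot: The `boto3.Session(aws_access_key_id='YOUR_ACCESS_KEY', aws_secret_access_key='YOUR_SECRET_KEY', ...)` pattern is what the secret scanner is flagging, and it teaches readers to paste long-lived keys into scripts. A bare `boto3.Session()` picks up the default credential chain (environment variables, a named profile in `~/.aws/credentials`, or an instance/role identity), so the remediation snippet can drop both keyword arguments and still run.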
Secret: Secret Keyword
| settings=[ | ||
| { | ||
| 'name': 'containerInsights', | ||
| 'value': 'enabled' |
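Review bot: The scanner hit on `'value': 'enabled'` is a false positive; this is the `settings` payload for turning on Container Insights, not a credential, and `containerInsights` / `enabled` are the expected name and value for that setting. Nothing to change here beyond dismissing the finding.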
Secret: Secret Keyword
| ``` | ||
|
|
||
| 4. **Check if Container Insights is enabled:** | ||
|
|
Secret: Secret Keyword
| # Create a session using your AWS credentials | ||
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_AWS_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_AWS_SECRET_KEY', |
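Review bot: Same credential-literal pattern: `aws_access_key_id='YOUR_AWS_ACCESS_KEY'` and `aws_secret_access_key='YOUR_AWS_SECRET_KEY'` should not appear in a snippet readers copy verbatim. Drop the two arguments and, if a specific account is wanted, use `boto3.Session(profile_name='...')` so the key material stays in the AWS credentials file or in the role the script runs under.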
Secret: Secret Keyword
|
|
||
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
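Review bot: Placeholder keys in `boto3.Session(...)` again; besides tripping the scanner, a reader cannot tell whether these are meant to be replaced by hand or read from somewhere. Prefer `boto3.client('ecs')` with no explicit credentials, and say in the surrounding text which credential source (profile, environment, instance role) the reader is expected to configure.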
Secret: Secret Keyword
| task_def = ecs_client.describe_task_definition(taskDefinition=task['taskDefinitionArn']) | ||
| if 'user' in task_def['taskDefinition']['containerDefinitions'][0] and task_def['taskDefinition']['containerDefinitions'][0]['user'] == 'root': | ||
| print(f"Task {task['taskArn']} is running as root") | ||
| ``` |
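Review bot: The root check is too narrow to catch the usual case. It only inspects `containerDefinitions[0]`, so sidecars are skipped, and it only flags `user == 'root'`; a task definition with no `user` key runs as whatever the image sets, which is root for most base images, and explicit values such as `'0'`, `'0:0'` or `'root:root'` are root as well. Iterate every container definition and treat a missing `user`, or one whose user part is `root` or `0`, as a finding.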
Secret: Secret Keyword
| import boto3 | ||
|
|
||
| aws_access_key_id = 'YOUR_ACCESS_KEY' | ||
| aws_secret_access_key = 'YOUR_SECRET_KEY' |
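Review bot: `aws_access_key_id = 'YOUR_ACCESS_KEY'` / `aws_secret_access_key = 'YOUR_SECRET_KEY'` as module-level constants is exactly the shape a scanner, and anyone grepping a cloned repo, looks for. If the script needs explicit values, read them with `os.environ.get('AWS_ACCESS_KEY_ID')` and `os.environ.get('AWS_SECRET_ACCESS_KEY')`; otherwise delete both lines and let boto3 resolve credentials itself.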
Secret: Secret Keyword
| ) | ||
| kubernetes_client = KubernetesClient(credentials, 'YOUR_SUBSCRIPTION_ID') | ||
|
|
||
| def check_pod_permissions(): |
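Review bot: `KubernetesClient(credentials, 'YOUR_SUBSCRIPTION_ID')` does not match a class I can find in the Azure SDK for Python; AKS clusters are managed through `azure.mgmt.containerservice.ContainerServiceClient(credential, subscription_id)`, and a pod-level check like the `check_pod_permissions()` defined here needs the `kubernetes` client pointed at the cluster's kubeconfig, not an ARM client. Please confirm which import this is meant to use; as written the snippet will not run.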
Secret: Secret Keyword
| if pod.spec.host_network: | ||
| # Check permissions here | ||
| ``` | ||
|
|
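Review bot: `# Check permissions here` under `if pod.spec.host_network:` leaves the check as a stub, so the published snippet finds host-network pods and then does nothing with them. At minimum print `pod.metadata.namespace` and `pod.metadata.name`; a more useful check also reports whether any container runs privileged or adds capabilities via `security_context.capabilities.add`, since `hostNetwork` combined with those is what makes the finding high severity.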
Secret: Secret Keyword
|
|
||
| ```python | ||
| session = boto3.Session(aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
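Review bot: The scanner is flagging the placeholder keys passed to `boto3.Session(aws_access_key_id='YOUR_ACCESS_KEY', aws_secret_access_key='YOUR_SECRET_KEY', ...)`. Removing the two arguments is enough: boto3 resolves credentials from the environment, a profile or a role on its own, and the snippet stops modelling hardcoded keys.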
Secret: Secret Keyword
| ```python | ||
| credentials = ServicePrincipalCredentials( | ||
| client_id='YOUR_CLIENT_ID', | ||
| secret='YOUR_SECRET', |
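Review bot: Two issues on the Azure snippet: `ServicePrincipalCredentials` is the legacy `azure.common.credentials` path that the track 2 `azure-mgmt-*` packages no longer accept, and `secret='YOUR_SECRET'` hardcodes the client secret the scanner is flagging. Use `azure.identity.ClientSecretCredential(tenant_id, client_id, client_secret)` with the values read from the environment, or `azure.identity.DefaultAzureCredential()` so a managed identity works with no secret in the script at all.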
Secret: Secret Keyword
| print(f"Access point {ap['AccessPointId']} in file system {fs['FileSystemId']} does not enforce root directory.") | ||
| ``` | ||
|
|
||
| This script will print out the IDs of all access points that do not enforce the root directory. |
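Review bot: The scanner hit here is a false positive; these lines only format output. On substance, "does not enforce root directory" should state the condition that triggers it: every access point carries a `RootDirectory`, whose default `Path` is `/`, so the finding is `RootDirectory.Path` equal to `/` (treat a missing `Path` the same way). Saying so in the text lets readers verify the script's output against the console.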
Secret: Secret Keyword
|
|
||
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
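Review bot: Hardcoded `aws_access_key_id` / `aws_secret_access_key` placeholders in `boto3.Session(...)` once more; the scanner will keep opening a finding on every revision that carries them. Strip the two arguments here and rely on the default credential provider chain.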
Secret: Secret Keyword
| ``` | ||
|
|
||
| 4. Interpret the results: The script will print out the names of all repositories and whether they have a lifecycle policy. If a repository does not have a lifecycle policy, the script will raise a `LifecyclePolicyNotFoundException`, which we catch and print a message. This way, you can easily see which repositories are misconfigured. | ||
| </Accordion> |
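Review bot: The interpretation text has the mechanics backwards: the script does not raise `LifecyclePolicyNotFoundException`; the ECR call that fetches the policy raises it when the repository has none attached, and the `except` branch turns that into the "missing policy" message. Reword to "the API raises ... which the script catches", and make sure other `ClientError`s (for example `RepositoryNotFoundException` or an access-denied) are not swallowed by the same branch, or a permissions problem will be reported as a misconfigured repository. The scanner hit on this hunk is a false positive.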
Secret: Secret Keyword
|
|
||
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
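Review bot: Same hardcoded-credential shape, `aws_access_key_id='YOUR_ACCESS_KEY'` / `aws_secret_access_key='YOUR_SECRET_KEY'`; for a remediation script that changes repository settings this is worse, because a copied long-lived key with write permissions is exactly what a leaked doc snippet turns into. Remove the arguments and scope the executing role to only the ECR write actions the remediation needs.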
Secret: Secret Keyword
| print(f"Enabled image scanning for repository: {repo_name}") | ||
|
|
||
| if __name__ == "__main__": | ||
| enable_image_scanning() |
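Review bot: `enable_image_scanning()` runs unconditionally from `__main__` and mutates every repository it visits, yet the only record is the per-repository "Enabled image scanning" line. Add a dry-run flag that lists repositories lacking scan-on-push without calling the write API, and print the before/after state so a run can be audited. The scanner hit on this hunk is a false positive.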
Secret: Secret Keyword
| # Create a session using your AWS credentials | ||
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_AWS_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_AWS_SECRET_KEY', |
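Review bot: Another `boto3.Session(aws_access_key_id='YOUR_AWS_ACCESS_KEY', aws_secret_access_key='YOUR_AWS_SECRET_KEY', ...)`. The "Create a session using your AWS credentials" comment stays accurate with a bare `boto3.Session()`, which reads credentials from the standard sources and does not trip the scanner.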
Secret: Secret Keyword
| if __name__ == '__main__': | ||
| check_eks_logging() | ||
| ``` | ||
|
|
Secret: Secret Keyword
|
|
||
| ```bash | ||
| export AWS_ACCESS_KEY_ID='your_access_key' | ||
| export AWS_SECRET_ACCESS_KEY='your_secret_key' |
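Review bot: `export AWS_ACCESS_KEY_ID='your_access_key'` as a documented shell step means the real values end up in shell history and in the environment of every process launched from that shell. Prefer a named profile (`aws configure --profile <name>`) or `aws sso login` for interactive use and an IAM role for anything automated; if the environment-variable route has to be shown, name the variables without assigning placeholder values, which is also what the scanner is objecting to.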
Secret: Secret Keyword
| cluster_info = eks.describe_cluster(name=cluster)['cluster'] | ||
| if cluster_info['version'] < latest_stable_version: | ||
| print(f"Cluster: {cluster} is not using the latest stable version of Kubernetes") | ||
| ``` |
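Review bot: `cluster_info['version'] < latest_stable_version` compares strings, and EKS reports versions like `'1.29'`, so the comparison is lexicographic: `'1.9' < '1.10'` is False and `'1.30' < '1.4'` is True, which inverts the result for exactly the clusters this check exists to catch. Compare parsed versions instead, e.g. `tuple(int(x) for x in v.split('.'))` on both sides or `packaging.version.Version`, and say where `latest_stable_version` comes from (it is not shown here); a literal needs updating on a schedule or the check silently ages.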
Secret: Secret Keyword
| import boto3 | ||
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
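Review bot: Hardcoded credential placeholders in `boto3.Session(...)` again. Beyond the scanner finding, a security-group audit script is usually run from CI or a bastion where an instance profile or an OIDC-assumed role is already available; drop the two arguments so the snippet works in those environments without edits.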
Secret: Secret Keyword
| # If there is any rule that allows traffic on a port other than 443, print a warning | ||
| if permission['FromPort'] != 443 or permission['ToPort'] != 443: | ||
| print(f'Security group {sg_id} allows traffic on port {permission["FromPort"]}-{permission["ToPort"]}') | ||
| ``` |
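Review bot: `permission['FromPort']` raises `KeyError` for rules with `IpProtocol` `'-1'` (all traffic), because such rules carry no `FromPort`/`ToPort`, and those are precisely the rules this check should flag loudest. Use `permission.get('FromPort')` and treat `None` as all ports, and include the source (`IpRanges` / `UserIdGroupPairs`) in the warning so the reader can tell `0.0.0.0/0` on 22 apart from a VPC-internal rule.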
Secret: Secret Keyword
| # Create a session using your AWS credentials | ||
| session = boto3.Session( | ||
| aws_access_key_id='YOUR_ACCESS_KEY', | ||
| aws_secret_access_key='YOUR_SECRET_KEY', |
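Review bot: Final instance of the `aws_access_key_id='YOUR_ACCESS_KEY'` / `aws_secret_access_key='YOUR_SECRET_KEY'` pattern; apply the same fix as in the other snippets and rely on `boto3.Session()` with the default credential chain. A single sentence in the doc's preface about credential setup would let every snippet drop the embedded keys.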
Secret: Secret Keyword
No description provided.