Host Verification Script

# Product:  Qualys(R)
# Subject:  Kubernetes Compliance Scan - Privilege checker script
# Filename: Kubernetes_Scan_Privileges
# Date:     2022/14/02
# This script helps you identify whether all the appropriate privileges have been set up correctly before scanning Kubernetes.
#  1. This script must be executed as the root user.
#  2. Checks whether the kubectl command-line utility is installed (owned by root) and whether its installation directory has been added to the PATH environment variable.
#  3. Checks for a running kube-apiserver process to identify your node as a master node, or for a running kubelet process to identify it as a worker node; otherwise your node is identified as a non-worker node. The existence of the kubectl configuration files /root/.kube/config, /etc/Kubernetes/admin.conf or the kubelet config file is then checked accordingly, in that order.
# This script reports whether your node is a worker node, a master node or a non-worker node. It also prints the message "All the prerequisites steps are satisfying to scan kubernetes" if all of the stated privileges are set up properly; if any privilege is missing, you will get a message as output that tells you which specific privilege to set.

# Checks whether kubectl configuration files exist on the host and can be used by kubectl to connect to the cluster
#######################################
# Report whether kubectl reached the cluster through one of the candidate
# kubeconfig files.
# Globals (read):
#   kube_ver_cmd1      - "Server Version" line obtained via /root/.kube/config
#                        (empty when that probe produced nothing)
#   kube_ver_cmd2      - same, via /etc/kubernetes/admin.conf
#   kubelet_kubeconfig - kubeconfig path taken from the kubelet command line
#   kube_ver_cmd3      - same, via $kubelet_kubeconfig
# Outputs: exactly one status line on stdout
# Returns: 0
#######################################
Check_file_existence() {
  local ok_msg="All the prerequisites steps are satisfying to scan kubernetes"
  local none_msg="/root/.kube/config or /etc/Kubernetes/admin.conf or kubelet config file, none of these files exist"

  # Any successful probe is enough; the kubelet probe only counts when a
  # kubeconfig path was actually found on the kubelet command line.
  if [ -n "$kube_ver_cmd1" ] || [ -n "$kube_ver_cmd2" ]; then
    echo "$ok_msg"
  elif [ -n "$kubelet_kubeconfig" ] && [ -n "$kube_ver_cmd3" ]; then
    echo "$ok_msg"
  else
    echo "$none_msg"
  fi
}
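# No "set -e" here on purpose: most probes below are grep/awk filters whose
# empty result is an expected, non-fatal outcome.

#######################################
# Print a failure message and stop.
# Every unmet prerequisite ends the run with a non-zero status so that a
# wrapper or automation can detect it (a bare "exit" reported success).
# Arguments: $1 - message (printed to stdout, like every other result line)
#######################################
fail() {
  echo "$1"
  exit 1
}

#######################################
# Check that a path is owned by root:root with mode r?xr-xr-x.
# The owner and group fields of "ls -ld" are compared exactly, so an owner
# such as "nonroot" can no longer satisfy the check by merely containing the
# substring "root". A symlink is reported with type "l" and therefore fails,
# as before; whether the link target should be inspected instead is a policy
# question left as it was.
# Arguments: $1 - path, $2 - expected type character ("-" file, "d" directory)
# Returns:   0 when ownership and mode match, 1 otherwise (or if ls fails)
#######################################
root_owned() {
  local path=$1 kind=$2
  local mode links owner group rest
  read -r mode links owner group rest < <(ls -ld -- "$path" 2>/dev/null) || return 1
  # Trailing "*" tolerates an ACL/SELinux marker appended to the mode string.
  [[ "$owner" == root && "$group" == root && "$mode" == "$kind"r?xr-xr-x* ]]
}

#######################################
# Probe the API server through one kubeconfig file.
# "--short" is not passed: it has been removed from recent kubectl releases,
# and the default output still begins with "Server Version" in every version,
# which is all that is matched. (The original also passed a stray "ture"
# argument, a typo.)
# Arguments: $1 - kubeconfig path
# Outputs:   the "Server Version" line, or nothing if the cluster is unreachable
#######################################
server_version() {
  kubectl --kubeconfig "$1" version 2>/dev/null | grep "^Server Version"
}

# Platform gate: the ls/ps parsing below assumes a Linux-style userland.
os=$(uname -a)
case "$os" in
  SunOS*|FreeBSD*|AIX*)
    fail "Unsupported Operating System"
    ;;
esac

# Checking whether the effective user is root (uid 0 rather than the name
# "root", so a differently named uid-0 account also passes).
if [ "$(id -u 2>/dev/null)" != "0" ]; then
  fail "root user login is required or else run the script with sudo"
fi

# Checking kubectl installation. "command -v" may also report an alias or a
# function; only an absolute path can be ownership-checked, so require one.
kube_ctl=$(command -v kubectl 2>/dev/null)
if [ -z "$kube_ctl" ] || [[ "$kube_ctl" != /* ]]; then
  fail "kubectl command line utility is not installed"
fi
parent_dir=${kube_ctl%/*}

# Checking kubectl executable and parent directory ownership.
root_owned "$kube_ctl" "-" || fail "kubectl executable file is not owned by root"
root_owned "$parent_dir" "d" || fail "kubectl executable parent directory is not owned by root"

# Checking whether kubectl's directory is a PATH element. The match is on
# whole elements (the old substring test accepted /usr/bin for /usr/bin2).
if [[ ":$PATH:" != *":$parent_dir:"* ]]; then
  fail "kubectl path is not been added in PATH enviornment"
fi

# Process discovery. awk's own command line never matches (its $1 is "awk"),
# so no "grep -v grep" is needed. The original API-server pattern was
# misspelled ("kube-apisever"), so a path-qualified binary never matched.
apiserver_pidcmd=$(ps -ww -eo command 2>/dev/null | awk '$1 ~ /(^|\/)kube-apiserver$/')
kubelet_pidcmd=$(ps -ww -eo command 2>/dev/null | awk '$1 ~ /(^|\/)kubelet$/')

# First --kubeconfig value on the kubelet command line, in either the
# "--kubeconfig=PATH" or the "--kubeconfig PATH" form. Only one value is
# taken, so several kubelet processes no longer produce a multi-line path.
kubelet_kubeconfig=$(printf '%s\n' "$kubelet_pidcmd" | awk '
  {
    for (i = 2; i <= NF; i++) {
      if ($i == "--kubeconfig" && i < NF) { print $(i + 1); exit }
      if ($i ~ /^--kubeconfig=/) { sub(/^--kubeconfig=/, "", $i); print $i; exit }
    }
  }')

# Connectivity probes. These globals are read by Check_file_existence.
# NOTE: the user-facing messages spell the second path /etc/Kubernetes/admin.conf
# while the file actually probed is /etc/kubernetes/admin.conf.
kube_ver_cmd1=$(server_version /root/.kube/config)
kube_ver_cmd2=$(server_version /etc/kubernetes/admin.conf)
kube_ver_cmd3=
if [ -n "$kubelet_kubeconfig" ]; then
  kube_ver_cmd3=$(server_version "$kubelet_kubeconfig")
fi

# Node classification and the matching kubeconfig verdict.
if [ -n "$apiserver_pidcmd" ]; then
  echo "Host is a Master Node"
  Check_file_existence
elif [ -n "$kubelet_pidcmd" ]; then
  echo "Host is a Worker Node"
  Check_file_existence
else
  echo "Host is a Non-Worker Node but not a Master Node"
  # Without a kubelet there is no kubelet kubeconfig to fall back on.
  if [ -n "$kube_ver_cmd1" ] || [ -n "$kube_ver_cmd2" ]; then
    echo "All the prerequisites steps are satisfying to scan kubernetes"
  else
    echo "/root/.kube/config or /etc/Kubernetes/admin.conf, none of these files exist"
  fi
fi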