Host Verification Script

# Script Name: kubernetes_scan_privilege_check.sh
# Description: This script checks whether all necessary privileges are set up correctly before scanning Kubernetes.
# Date: 2024 May 13

# Usage: ./kubernetes_scan_privilege_check.sh

# Requirements:
#   - The script must be executed by the root user.
#   - kubectl command line utility must be installed with root user, and its
#     installation directory must be added to the PATH environment variable.
#   - The script checks whether the kube-apiserver process is running to
#     identify whether the node is a master node, or checks the kubelet process to identify whether the node is a worker node. Otherwise, it identifies the node as a non-worker node and checks for the existence of kubectl configuration files in the following order:
#     1. /root/.kube/config
#     2. /etc/kubernetes/admin.conf
#     3. kubelet config file
#   - The script generates output indicating whether the node is a worker node, master node, or non-worker node. It also shows the message "All the
#     prerequisite steps are satisfying to scan Kubernetes" if all privileges
#     are set up properly. If any of the privileges are missing, it provides a corresponding message to prompt the user to set up the specific privilege.

# Checking whether configuration files exist on the host to be used with kubectl command execution to connect to the cluster

## TODO: remove error direction, and handle the output

#######################################
# Report whether kubectl could reach the cluster through one of the
# candidate kubeconfig files.
# Globals (read, set by the caller):
#   root_config_ver     - "Server Version" line from kubectl via /root/.kube/config, else empty
#   admin_config_ver    - same via /etc/kubernetes/admin.conf, else empty
#   kubelet_kubeconfig  - path taken from the running kubelet's --kubeconfig, else empty
#   process_config_ver  - "Server Version" line via that kubelet kubeconfig, else empty
# Outputs: one status line on stdout
#######################################
verify_config_file() {
  local reachable=0
  # Either of the two static admin kubeconfigs is sufficient on its own.
  if [[ -n "$root_config_ver" || -n "$admin_config_ver" ]]; then
    reachable=1
  # The kubelet path only counts when it was found AND kubectl worked with it.
  elif [[ -n "$kubelet_kubeconfig" && -n "$process_config_ver" ]]; then
    reachable=1
  fi

  if (( reachable )); then
    echo "All the prerequisites steps are satisfying to scan kubernetes"
  else
    echo "/root/.kube/config or /etc/Kubernetes/admin.conf or kubelet config file, none of these files exist"
  fi
}
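# ---------------------------------------------------------------------------
# Top-level prerequisite checks. Each check prints a message and exits on the
# first failure. NOTE: every path, including failures, exits with status 0
# (a bare `exit` after `echo`), as in the original contract; callers must
# read the message rather than the status.
# ---------------------------------------------------------------------------

# Kernel name is the first token of `uname -a`; `uname -s` yields just that.
os=$(uname -s)
case "$os" in
  SunOS*|FreeBSD*|AIX*)
    echo "Unsupported Operating System"
    exit
    ;;
esac

# The ownership checks below assume root's view of the filesystem.
user=$(whoami 2>/dev/null)
if [[ "$user" != "root" ]]; then
  echo "root user login is required or else run the script with sudo"
  exit
fi

# Resolve kubectl strictly as a file on PATH (type -P ignores aliases and
# shell functions, matching what `which` used to return).
kube_ctl=$(type -P kubectl 2>/dev/null)
if [[ -z "$kube_ctl" ]]; then
  echo "kubectl command line utility is not installed"
  exit
fi
parent_dir=${kube_ctl%/kubectl}

# The binary must be root:root and must not be group- or other-writable,
# otherwise a non-root user could swap what the scanner later runs as root.
# Mode string: -r[w-]xr-xr-x -> owner write unconstrained, group/other write
# must be '-'; `.*` absorbs ACL/SELinux markers and link/size/date columns.
perm=$(ls -l -- "$kube_ctl" 2>/dev/null | grep -E '^-r[-w]xr-xr-x.*root root')
if [[ -z "$perm" ]]; then
  echo "kubectl binary should NOT have group or other write permission"
  permissions=$(stat -c "%a" -- "$kube_ctl")   # GNU stat; error path only
  echo "kubectl permissions are: $permissions"
  exit
fi

# Same rule for the containing directory: a writable directory lets an
# attacker replace the binary even if the file itself is protected.
parent_perm=$(ls -ld -- "$parent_dir" 2>/dev/null | grep -E '^dr[-w]xr-xr-x.*root root')
if [[ -z "$parent_perm" ]]; then
  echo "kubectl parent directory should NOT have group or other write permission"
  permissions=$(stat -c "%a" -- "$parent_dir")   # GNU stat; error path only
  echo "kubectl parent directory permissions are: $permissions"
  exit
fi

# PATH must contain kubectl's directory as a whole entry; a plain substring
# test would also accept e.g. /usr/local/bin2 for /usr/local/bin.
case ":$PATH:" in
  *":$parent_dir:"*) ;;
  *)
    echo "kubectl path is not been added in PATH enviornment"
    exit
    ;;
esac

# Snapshot process command lines once (-ww: no truncation). Because the
# snapshot is taken before any grep runs, grep's own command line cannot
# appear in it, so no `grep -v grep` filter is needed.
ps_cmds=$(ps -ww -eo command 2>/dev/null)
# Match a bare or absolute-path executable name followed by a space.
# (The original alternation for the apiserver was misspelled "kube-apisever",
# so a master whose apiserver ran from an absolute path was classified as a
# worker.)
apiserver_pidcmd=$(grep -E '^kube-apiserver |/kube-apiserver ' <<<"$ps_cmds")
kubelet_pidcmd=$(grep -E '^kubelet |/kubelet ' <<<"$ps_cmds")

# Extract the kubelet's --kubeconfig value: normalise "--kubeconfig <path>"
# to "--kubeconfig=<path>", then take the first exact-prefix match so a
# second kubelet process cannot turn the value into several words.
kubelet_kubeconfig=$(sed -e 's/--kubeconfig /--kubeconfig=/g' <<<"$kubelet_pidcmd" \
  | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^--kubeconfig=/) { sub(/^--kubeconfig=/, "", $i); print $i; exit } }')

# Probe each candidate kubeconfig with the binary verified above; a
# "Server Version" line means the API server answered.
root_config_ver=$("$kube_ctl" --kubeconfig /root/.kube/config version 2>/dev/null | grep "^Server Version")
admin_config_ver=$("$kube_ctl" --kubeconfig /etc/kubernetes/admin.conf version 2>/dev/null | grep "^Server Version")
process_config_ver=
if [[ -n "$kubelet_kubeconfig" ]]; then
  process_config_ver=$("$kube_ctl" --kubeconfig "$kubelet_kubeconfig" version 2>/dev/null | grep "^Server Version")
fi

# Classify the node by which control-plane/worker process is running.
if [[ -n "$apiserver_pidcmd" ]]; then
  echo "Host is a Master Node"
  verify_config_file
elif [[ -n "$kubelet_pidcmd" ]]; then
  echo "Host is a Worker Node"
  verify_config_file
else
  echo "Host is a Non-Worker Node but not a Master Node"
  # No kubelet here, so only the two static admin kubeconfigs can qualify.
  if [[ -n "$root_config_ver" || -n "$admin_config_ver" ]]; then
    echo "All the prerequisites steps are satisfying to scan kubernetes"
  else
    echo "/root/.kube/config or /etc/Kubernetes/admin.conf, none of these files exist"
  fi
fi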