Monitor Kubernetes Clusters for authorisation tokens being passed in clear-text.
kubectl apply -f deploy.yamlCheck beargrabz logs to see what bearer tokens it has found so far:
kubectl logs eavesdropperThis will deploy 3 pods:
httpbinpod and service to serve HTTP on port 80.api-clientpod to simulate requests.beargrabzpod to eavesdrop requests fromapi-clienttohttpbin.
kubectl apply -f sample/playground.yamlFollow beargrabz logs to see requests from api-client to httpbin:
kubectl logs eavesdropper -fThe result should be a new entry in the log every second:
10.244.0.23:34570 -> 10.0.114.142:8000
GET /
Host: httpbin:8000
Authorization: Bearer GoUwqbik432***********
beargrabs has a few security requirements:
- run as root on the container.
- have
NET_ADMINcapability. - have access to the host network.
Running on Kubernetes An extract of the yaml configuration is as follows:
securityContext:
capabilities:
add: ["NET_ADMIN"]
hostNetwork: trueCheck deploy.yml for a working example.
Running manually with docker
docker run --rm --security-opt=no-new-privileges --cap-drop=NET_ADMIN --network="host" paulinhu/beargrabz Licensed under the MIT License. You may obtain a copy of the License here.