Merge pull request #2 from DataDog/aws-policy-evaluation

Implement stronger policy evaluation logic

Author: christophetd

.pre-commit-config.yaml

@@ -119,7 +119,9 @@ $ mkat eks test-imds-access
 2023/04/12 00:35:15 IMDS is accessible and allows any pod to retrieve credentials for the AWS role eksctl-mkat-cluster-nodegroup-ng-NodeInstanceRole-AXWUFF35602Z
 ```
 
-## How does MKAT compare to other tools?
+## FAQ 
+
+### How does MKAT compare to other tools?
 
 | **Tool** | **Description** |
 |:---:|:---:|
@@ -132,10 +134,18 @@ $ mkat eks test-imds-access
 | [kubeletmein](https://github.com/4ARMED/kubeletmein) | kubeletmein _is_ specific to managed K8s environments. It's an utility to generate a kubeconfig file using the node's IAM credentials, to then use it in a compromised pod. |
 | [hardeneks](https://github.com/aws-samples/hardeneks) | hardeneks _is_ specific to managed K8s environments, but only for EKS. It identifies issues and lack of best practices inside of the cluster, and does not focus on cluster to cloud pivots. |
 
+### What permissions does MKAT need to run?
+
+See [this page](./permissions.md) for a detailed list of the permissions MKAT needs to run.
+
 ## Roadmap
 
 We currently plan to:
 * Add a feature to identify EKS pods that are exposed through an AWS load balancer, through the [aws-load-balancer-controller](https://github.com/kubernetes-sigs/aws-load-balancer-controller)
 * Add support for GCP GKE
 * Allow scanning for additional types of cloud credentials
 * Enhance the IAM role trust policy evaluation logic to take into account additional edge cases
+
+## Acknowledgements
+
+Thank you to Rami McCarthi and Mikail Tunç for their early testing and actionable feedback on MKAT!

README.md

@@ -9,14 +9,16 @@ import (
 	"github.com/spf13/cobra"
 )
 
+var skipEksHostnameCheck bool
+
 func BuildEksSubcommand() *cobra.Command {
 	eksCommand := &cobra.Command{
 		Use:   "eks",
 		Short: "Commands to audit your EKS cluster",
 		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 			figure.NewFigure("mkat", "", true).Print()
 			println()
-			if !utils.IsEKS() {
+			if !skipEksHostnameCheck && !utils.IsEKS() {
 				return errors.New("you do not seem to be connected to an EKS cluster. Connect to an EKS cluster and try again")
 			}
 			clusterName := utils.GetEKSClusterName()
@@ -27,6 +29,7 @@ func BuildEksSubcommand() *cobra.Command {
 		},
 	}
 
+	eksCommand.PersistentFlags().BoolVarP(&skipEksHostnameCheck, "skip-eks-hostname-check", "", false, "Don't check that the hostname of your current API server ends with .eks.amazonaws.com")
 	eksCommand.AddCommand(buildEksRoleRelationshipsCommand())
 	eksCommand.AddCommand(buildEksFindSecretsCommand())
 	eksCommand.AddCommand(buildTestImdsAccessCommand())

cmd/managed-kubernetes-auditing-toolkit/eks/main.go

@@ -10,7 +10,6 @@ import (
 	"github.com/awalterschulze/gographviz"
 	"github.com/aws/aws-sdk-go-v2/aws/arn"
 	"github.com/datadog/managed-kubernetes-auditing-toolkit/internal/utils"
-	"github.com/datadog/managed-kubernetes-auditing-toolkit/pkg/managed-kubernetes-auditing-toolkit/eks"
 	"github.com/datadog/managed-kubernetes-auditing-toolkit/pkg/managed-kubernetes-auditing-toolkit/eks/role_relationships"
 	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/jedib0t/go-pretty/v6/text"
@@ -22,6 +21,7 @@ import (
 // Command-line arguments
 var outputFormat string
 var outputFile string
+var eksClusterName string
 
 // Output formats
 const (
@@ -50,53 +50,62 @@ func buildEksRoleRelationshipsCommand() *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			cluster := utils.GetEKSClusterName()
 			if cluster == "" {
-				return errors.New("unable to determine your current EKS cluster name")
+				// If we cannot determine the EKS cluster name automatically, give the user a chance to specify it on the CLI
+				cluster = eksClusterName
+			}
+			if cluster == "" {
+				return errors.New("unable to determine your current EKS cluster name. Try specifying it explicitely with the --eks-cluster-name flag")
 			}
 			return doFindRoleRelationshipsCommand(cluster)
 		},
 	}
 
 	eksRoleRelationshipsCommand.Flags().StringVarP(&outputFormat, "output-format", "f", DefaultOutputFormat, "Output format. Supported formats: "+strings.Join(availableOutputFormats, ", "))
 	eksRoleRelationshipsCommand.Flags().StringVarP(&outputFile, "output-file", "o", "", "Output file. If not specified, output will be printed to stdout.")
+	eksRoleRelationshipsCommand.Flags().StringVarP(&eksClusterName, "eks-cluster-name", "", "", "When the EKS cluster name cannot be automatically detected from your KubeConfig, specify this argument to pass the EKS cluster name of your current kubectl context")
+
 	return eksRoleRelationshipsCommand
 }
 
 // Actual logic implementing the "find-role-relationships" command
 func doFindRoleRelationshipsCommand(targetCluster string) error {
-	resolver := role_relationships.EKSClusterRolesResolver{K8sClient: utils.K8sClient(), AwsClient: utils.AWSClient()}
-	cluster, err := resolver.ResolveClusterRoles(targetCluster)
+	resolver := role_relationships.EKSCluster{
+		K8sClient: utils.K8sClient(),
+		AwsClient: utils.AWSClient(),
+		Name:      targetCluster,
+	}
+	err := resolver.AnalyzeRoleRelationships()
 	if err != nil {
 		log.Fatalf("unable to analyze cluster role relationships: %v", err)
 	}
 
-	output, err := getOutput(cluster)
+	output, err := getOutput(&resolver)
 	if err != nil {
 		return err
 	}
 	if outputFile != "" {
 		log.Println("Writing " + strings.ToUpper(outputFormat) + " output to " + outputFile)
 		return os.WriteFile(outputFile, []byte(output), 0644)
-	} else {
-		print(output)
 	}
 
+	print(output)
 	return nil
 }
 
-func getOutput(cluster *eks.EKSCluster) (string, error) {
+func getOutput(resolver *role_relationships.EKSCluster) (string, error) {
 	switch outputFormat {
 	case TextOutputFormat:
-		return getTextOutput(cluster)
+		return getTextOutput(resolver)
 	case DotOutputFormat:
-		return getDotOutput(cluster)
+		return getDotOutput(resolver)
 	case CsvOutputFormat:
-		return getCsvOutput(cluster)
+		return getCsvOutput(resolver)
 	default:
 		return "", fmt.Errorf("unsupported output format %s", outputFormat)
 	}
 }
 
-func getTextOutput(cluster *eks.EKSCluster) (string, error) {
+func getTextOutput(resolver *role_relationships.EKSCluster) (string, error) {
 	t := table.NewWriter()
 	if term.IsTerminal(0) {
 		width, _, err := term.GetSize(0)
@@ -111,7 +120,7 @@ func getTextOutput(cluster *eks.EKSCluster) (string, error) {
 	})
 	t.AppendHeader(table.Row{"Namespace", "Service Account", "Pod", "Assumable Role ARN"})
 	var found = false
-	for namespace, pods := range cluster.PodsByNamespace {
+	for namespace, pods := range resolver.PodsByNamespace {
 		for _, pod := range pods {
 			if pod.ServiceAccount == nil || len(pod.ServiceAccount.AssumableRoles) == 0 {
 				continue
@@ -125,20 +134,19 @@ func getTextOutput(cluster *eks.EKSCluster) (string, error) {
 	}
 	if !found {
 		return "No service accounts found that can assume AWS roles", nil
-	} else {
-		return t.Render(), nil
 	}
+	return t.Render(), nil
 }
 
 type Vertex struct {
-	Id    int
+	ID    int
 	Label string
 }
 
-func (v *Vertex) ID() int {
-	return v.Id
+func (v *Vertex) GetID() int {
+	return v.ID
 }
-func getDotOutput(cluster *eks.EKSCluster) (string, error) {
+func getDotOutput(resolver *role_relationships.EKSCluster) (string, error) {
 	graphAst, _ := gographviz.ParseString(`digraph G { }`)
 	graphViz := gographviz.NewGraph()
 	gographviz.Analyse(graphAst, graphViz)
@@ -150,7 +158,7 @@ func getDotOutput(cluster *eks.EKSCluster) (string, error) {
 	graphViz.AddAttr("G", "overlap", "false")
 	graphViz.AddAttr("G", "newrank", "true")
 
-	for namespace, pods := range cluster.PodsByNamespace {
+	for namespace, pods := range resolver.PodsByNamespace {
 		subgraph := fmt.Sprintf(` "cluster_%s" `, namespace)
 		graphViz.AddSubGraph("G", subgraph, map[string]string{
 			"rank":  "same",
@@ -192,60 +200,12 @@ func getDotOutput(cluster *eks.EKSCluster) (string, error) {
 	}
 
 	return graphViz.String(), nil
-	/*g := graph.New(graph.StringHash, graph.Directed(), graph.Acyclic())
-
-	for namespace, pods := range cluster.PodsByNamespace {
-		for _, pod := range pods {
-			if pod.ServiceAccount == nil || len(pod.ServiceAccount.AssumableRoles) == 0 {
-				continue
-			}
-			podLabel := fmt.Sprintf("Pod %s/%s", namespace, pod.Name)
-
-			g.AddVertex(podLabel,
-				graph.VertexAttribute("shape", "box"),
-				graph.VertexAttribute("rank", "same"),
-			)
-		}
-	}
-
-	for namespace, pods := range cluster.PodsByNamespace {
-		for _, pod := range pods {
-			if pod.ServiceAccount == nil || len(pod.ServiceAccount.AssumableRoles) == 0 {
-				continue
-			}
-			podLabel := fmt.Sprintf("Pod %s/%s", namespace, pod.Name)
-			for _, role := range pod.ServiceAccount.AssumableRoles {
-				parsedArn, _ := arn.Parse(role.Arn)
-				roleLabel := fmt.Sprintf("IAM Role %s", parsedArn.Resource)
-
-				g.AddVertex(
-					roleLabel,
-					graph.VertexAttribute("style", "filled"),
-					graph.VertexAttribute("shape", "box"),
-					graph.VertexAttribute("fillcolor", "#BFEFFF"),
-					graph.VertexAttribute("rank", "max"),
-				)
-
-				g.AddEdge(
-					podLabel, roleLabel,
-					//graph.EdgeAttribute("label", "can assume"),
-				)
-			}
-		}
-	}
-
-	sb := new(strings.Builder)
-	if err := draw.DOT(g, sb); err != nil {
-		return "", err
-	}
-
-	return sb.String(), nil*/
 }
 
-func getCsvOutput(cluster *eks.EKSCluster) (string, error) {
+func getCsvOutput(resolver *role_relationships.EKSCluster) (string, error) {
 	sb := new(strings.Builder)
 	sb.WriteString("namespace,pod,service_account,role_arn")
-	for namespace, pods := range cluster.PodsByNamespace {
+	for namespace, pods := range resolver.PodsByNamespace {
 		for _, pod := range pods {
 			if pod.ServiceAccount == nil || len(pod.ServiceAccount.AssumableRoles) == 0 {
 				continue

cmd/managed-kubernetes-auditing-toolkit/eks/role_relationships.go

@@ -33,38 +33,56 @@ require (
 	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/gnostic v0.5.7-v3refs // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-licenses v1.6.0 // indirect
 	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/google/licenseclassifier v0.0.0-20210722185704-3043a050f148 // indirect
 	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/otiai10/copy v1.6.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/src-d/gcfg v1.4.0 // indirect
+	github.com/xanzy/ssh-agent v0.2.1 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/mod v0.7.0 // indirect
 	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect
 	golang.org/x/sys v0.6.0 // indirect
 	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
+	golang.org/x/tools v0.5.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/src-d/go-billy.v4 v4.3.2 // indirect
+	gopkg.in/src-d/go-git.v4 v4.13.1 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect