- Release darwin arm64 builds as requested per issue 13.
- Updates all deps and linters (bumped to k8s v1.30).
- Added a structured fuzzing feature to fuzz the admission control of the k8s API. The idea came from issue 10. And was implemented in PR 11 thanks to google/gofuzz.
- It is now possible to add a
--namespace
flag tokdigger gen
command thanks to @kranurag7.
- Use server side dry run by default on admission control scan. Added a flag
--admission-create
to replicate the old behavior but the scan now by default run with--dry-run=server
so no cleaning is needed. Shoutout to @smarticu5 for the idea at KubeHuddle 2022!
- New plugin for basic container detection, result of this discussion on Twitter.
- Add a linting configuration and linting in CI on GitHub.
- Add the nixery.dev docker image build instructions in README.
- Add a demo GIF in the README.
- Makefile is up to date with some new targets to setup dev env and the default build target runs without the linter.
- Simplify and update the Vagrantfile.
- Updated all dependencies and especially the Go client k8s to
v0.25.2
. - Made a lot of style modifications and minor fixes thanks to linting.
- Fix the import of all auth providers for k8s Go client thanks to this user's PR.
- New level one command to generate template of pods with major security features disabled. It's mostly something that I needed while doing CTFs to not have some canonical YAML in a file somewhere to use, but being able to generate quickly those templates with random names, etc.
- New plugin to scan the metadata endpoints in public cloud. I got this idea thanks to someone contributing to the security checklist on the Kubernetes documentation. It's basically public cloud fingerprinting via network.
- New builds for macOS amd64 and Linux arm64. the macOS build is not really useful since kdigger is supposed to be run inside of pods, inside nodes, but it can be used to scan the admission control for example, or any remote plugins. However, Linux arm64 can be quite useful in case of arm64 node pools.
- You can now install kdigger via Nix! Thanks to generous contributor @06kellyjac, see the PR on kdigger repo and in nixpkgs.
- Fixed minor bugs discovered along running on a different arch.
- A new plugin, apiresources to retrieve all information that can be leaked by the discovery API. I had the idea after doing the last CTF challenge at KubeCon Europe by ControlPlane, Falco was installed in the cluster and it was useful to discover that. It could be discovered via the services plugin because Falco exposes one, but CRDs discovery could also be used.
- The "active" flag to "side-effects" because it was unclear for some person at BlackHat Asia when I presented what "active" meant on the list of plugins.
- The API used to register, I grouped all the args in a structure and used the new "require client" field to properly load the context or not and fail gracefully to run the rest of the plugins in case the context is unavailable.
- Fix a bug when no default namespaced was defined in a kubeconfig, now automatically default to the namespace "default".
- Two new plugins, cgroups, and node and checks for NoNewPrivs and Seccomp flag in respectively, capabilities and syscall plugins. (Thanks for Andrew Martin & Michael Hausenblas for the inspiration from the Appendix 1 "A Pod-Level Attack" from the "Hacking Kubernetes" book)
- Documentation about the Wildcard feature removal in CoreDNS.
- New Makefiles rules to quickly start kdigger in a Pod in a kind cluster and to make a release.
- Vagrantfile for development on different systems.
- Update dependencies and use Go 1.18.
- Fix the
got get
oneliner usinggo install
. - The output mechanism for plugins, now using comments array and flatten results that are of length one for better JSON output parsing.
- Initial release!