creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 22:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/performing-kubernetes-etcd-security-assessment/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

1.8 KiB
Raw Blame History

API Reference — Performing Kubernetes etcd Security Assessment

Libraries Used

  • subprocess: Execute kubectl, etcdctl commands
  • json: Parse Kubernetes API resource output
  • re: Extract etcd server URLs from API server arguments

CLI Interface

python agent.py [--kubeconfig ~/.kube/config] encrypt
python agent.py access --endpoint https://127.0.0.1:2379 [--cert client.crt --key client.key --cacert ca.crt]
python agent.py secrets
python agent.py tls
python agent.py full [--endpoint https://127.0.0.1:2379]

Core Functions

check_etcd_encryption(kubeconfig) — Verify encryption at rest

Inspects kube-apiserver pod args for --encryption-provider-config, audit logging, TLS.

check_etcd_access(endpoint, cert, key, cacert) — Test access controls

Uses etcdctl to check health and test for unauthenticated read access. CRITICAL finding if data readable without credentials.

dump_secrets_check(kubeconfig) — Audit stored secrets

Lists all cluster secrets, categorizes by type, identifies sensitive naming patterns.

check_etcd_tls_config() — Verify TLS certificates

Checks etcd pod args for peer TLS, client TLS, and client certificate authentication.

full_assessment(kubeconfig, endpoint) — Comprehensive security scan

Combines all checks into single report with risk level classification.

Security Checks

Check Flag Risk
Encryption at rest --encryption-provider-config CRITICAL if missing
Client TLS --cert-file / --key-file HIGH if missing
Peer TLS --peer-cert-file / --peer-key-file HIGH if missing
Client cert auth --client-cert-auth=true MEDIUM if missing
Unauthenticated access etcdctl get without certs CRITICAL

Dependencies

System: kubectl, etcdctl (etcd client) No Python packages required.

Reference in New Issue View Git Blame Copy Permalink