menacit/k8s_resource_audit
k8s_resource_audit

TL;DR: Extract all Kubernetes resources for offline/out-of-band auditing

Introduction

When performing white-box security assessments of Kubernetes clusters, the ability to query an API server for defined resources is super helpful. A few kubectl commands and you're done - provided, of course, that you have credentials and the required privileges.

For better or worse reasons, the administrators may not be keen to provide unrestricted access. It is fairly easy to define a read-only role for all resources using RBAC, but that would also provide access to secrets and other resource kinds that may be considered too sensitive. We could try to define a role providing access to all-except-some resources, but we would need to explicitly specify each resource kind that could possibly exist (including potentially interesting custom resources).

Even if you've defined such a role, the cluster may be isolated/air-gapped. This could make it tricky to perform ad-hoc queries during your assessment.

An alternative solution is to ask a trusted user with unrestricted privileges to request all defined resources (except secrets, etc.) and relay the output to an auditor. To aid this process, k8s_resource_audit.sh was created! I've tried making it easy to audit by a paranoid administrator and avoided using exotic tools that may not be available on their computer. The script outputs a .tar.gz that can be extracted and analyzed at the auditor's leisure using jq or similar tools.

Acknowledgements

This tool was created during research for Menacit's Kubernetes Security Course. Funding for development of the course was provided by Sweden's National Coordination Centre for Research and Innovation in Cybersecurity, the Swedish Civil Contingencies Agency and the European Union's European Cybersecurity Competence Centre.

Example usage

Execute script on a system with (unrestricted) cluster access:

$ ./k8s_resource_audit.sh 

2025-03-12-T11:18:37+00:00 = Creating base directory at "/tmp/tmp.KNHhf5nyBS_k8s/k8s_resource_audit-2025-03-12-T11_18_37_00_00"
2025-03-12-T11:18:37+00:00 = Fetching list of cluster-scoped resources
2025-03-12-T11:18:37+00:00 = Merging cluster-scoped resources
2025-03-12-T11:18:37+00:00 = Fetching cluster-scoped resources
2025-03-12-T11:18:39+00:00 = Fetching list of namespace-scoped resources
2025-03-12-T11:18:39+00:00 = Merging namespace-scoped resources
2025-03-12-T11:18:39+00:00 = Excluding resource kind "secrets"
2025-03-12-T11:18:39+00:00 = Fetching resources in namespace "cilium-test-1"
2025-03-12-T11:18:40+00:00 = Fetching resources in namespace "default"
2025-03-12-T11:18:41+00:00 = Fetching resources in namespace "kube-node-lease"
2025-03-12-T11:18:42+00:00 = Fetching resources in namespace "kube-public"
2025-03-12-T11:18:43+00:00 = Fetching resources in namespace "kube-system"
2025-03-12-T11:18:44+00:00 = Generating compressed TAR file with extracted resources
2025-03-12-T11:18:44+00:00 = Successfully generated archive of Kubernetes resources at "/tmp/tmp.KNHhf5nyBS_k8s/k8s_resource_audit-2025-03-12-T11_18_37_00_00.tar.gz"

Copy and extract the output archive on another system for analysis:

$ tar --extract --file /tmp/tmp.KNHhf5nyBS_k8s/k8s_resource_audit-2025-03-12-T11_18_37_00_00.tar.gz
$ tree k8s_resource_audit-2025-03-12-T11_18_37_00_00/

k8s_resource_audit-2025-03-12-T11_18_37_00_00/
├── cluster_resources.json
├── namespace_resources_cilium-test-1.json
├── namespace_resources_default.json
├── namespace_resources_kube-node-lease.json
├── namespace_resources_kube-public.json
└── namespace_resources_kube-system.json

1 directory, 6 files
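The workflow shown above (enumerate the resource kinds the API server knows about, drop the excluded kinds, dump everything else as JSON per scope and namespace, then pack it into a .tar.gz) can be reproduced in a few shell functions. The script below is an added illustration written for this page, not the project's own k8s_resource_audit.sh; it assumes kubectl, GNU tar and mktemp are available, that the current kubeconfig context has cluster-wide read access, and that the kind-list format is the one `kubectl api-resources -o name` prints. The EXCLUDED_KINDS variable and the file names are choices made here to mirror the README's output.

```shell
#!/usr/bin/env sh
# Added example (not the project's k8s_resource_audit.sh): collect all
# Kubernetes resources except excluded kinds into a tar.gz for offline review.
set -eu

# Comma-separated kinds that are never exported. "secrets" mirrors the README;
# an administrator can append further kinds, e.g. "secrets,configmaps".
EXCLUDED_KINDS="secrets"

log() { printf '%s = %s\n' "$(date -u +%Y-%m-%dT%H:%M:%S%z)" "$*" >&2; }

# filter_kinds: read newline-separated kind names on stdin (the output format
# of "kubectl api-resources -o name"), drop excluded kinds, and print the rest
# joined by commas, which is the form "kubectl get" accepts.
filter_kinds() {
    local kind out=""
    while IFS= read -r kind; do
        [ -n "$kind" ] || continue
        case ",$EXCLUDED_KINDS," in
            *",$kind,"*) log "Excluding resource kind \"$kind\""; continue ;;
        esac
        out="${out:+$out,}$kind"
    done
    printf '%s' "$out"
}

# list_kinds <true|false>: listable kinds for one scope, excluded ones removed.
# The command substitution (rather than a pipeline) lets "set -e" catch kubectl
# failures without relying on the non-POSIX "pipefail" option.
list_kinds() {
    local raw
    raw="$(kubectl api-resources --verbs=list --namespaced="$1" -o name)"
    printf '%s\n' "$raw" | filter_kinds
}

export_cluster_scoped() {
    local outdir="$1" kinds
    log "Fetching list of cluster-scoped resources"
    kinds="$(list_kinds false)"
    [ -n "$kinds" ] || { log "No cluster-scoped kinds to fetch"; return 1; }
    log "Fetching cluster-scoped resources"
    kubectl get "$kinds" -o json > "$outdir/cluster_resources.json"
}

export_namespaced() {
    local outdir="$1" kinds ns
    log "Fetching list of namespace-scoped resources"
    kinds="$(list_kinds true)"
    [ -n "$kinds" ] || { log "No namespace-scoped kinds to fetch"; return 1; }
    # Namespace names are DNS labels, so word-splitting on spaces is safe here.
    for ns in $(kubectl get namespaces -o jsonpath='{.items[*].metadata.name}'); do
        log "Fetching resources in namespace \"$ns\""
        kubectl get "$kinds" --namespace "$ns" -o json \
            > "$outdir/namespace_resources_$ns.json"
    done
}

main() {
    local base stamp outdir
    stamp="$(date -u +%Y-%m-%d-T%H_%M_%S)"
    base="$(mktemp -d)"
    outdir="$base/k8s_resource_audit-$stamp"
    mkdir -p "$outdir"
    log "Creating base directory at \"$outdir\""
    export_cluster_scoped "$outdir"
    export_namespaced "$outdir"
    log "Generating compressed TAR file with extracted resources"
    tar --create --gzip --file "$outdir.tar.gz" \
        --directory "$base" "$(basename "$outdir")"
    log "Successfully generated archive of Kubernetes resources at \"$outdir.tar.gz\""
}

# Collection only starts with an explicit "run" argument, so the helper
# functions can be sourced and checked without any cluster access.
case "${1:-}" in
    run) main ;;
    *) log "Usage: $0 run   (exports resources from the current kubectl context)" ;;
esac
```

Run it as `./audit.sh run` on the trusted administrator's machine; the archive is then handed to the auditor exactly as in the README's example. Everything that leaves the cluster is decided by EXCLUDED_KINDS, so that is the place to review before running it: ConfigMaps, pod specs and custom resources are exported by default and may still carry credentials or internal hostnames that the administrator wants to redact first.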
