Feature Request : Kubernetes Discovery

[raesene]

Even where authentication is generally required, Kubernetes makes some API server paths available unauthenticated as part of the system:discovery cluster role. Whilst this has been locked down a bit in the latest versions many clusters will disclose some interesting information without authentication on the API server port, which gets returned via the type:kubernetes search.

The paths allowed by the role are as below. Probably the interesting ones are /version which shows things like software version and discloses some info. about the type of install and /swagger.json which can disclose info. about software installed on the cluster.

  - /api
  - /api/*
  - /apis
  - /apis/*
  - /healthz
  - /openapi
  - /openapi/*
  - /swagger-2.0.0.pb-v1
  - /swagger.json
  - /swaggerapi
  - /swaggerapi/*
  - /version
  - /version/

[raesene]

Just as an add-on to this which could be quite useful for Binary edge, even in the most recent versions the version endpoint is available on Kubernetes API servers without authentication.

This returns some useful information and could be used to detect unsupported Kubernetes installations (their support policy is current version + 2 previous, so at the moment anything older than 1.13 is out of support)

For example on a kind cluster. kubectl cluster-info

Kubernetes master is running at https://127.0.0.1:39295
KubeDNS is running at https://127.0.0.1:39295/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

curl -sk https://127.0.0.1:39295/version

{
  "major": "1",
  "minor": "15",
  "gitVersion": "v1.15.3",
  "gitCommit": "2d3c76f9091b6bec110a5e63777c332469e0cba2",
  "gitTreeState": "clean",
  "buildDate": "2019-08-20T18:57:36Z",
  "goVersion": "go1.12.9",
  "compiler": "gc",
  "platform": "linux/amd64"