Replik8s is a modern open-source Kubernetes auditing and investigation tool. It is designed to address the common limitations of traditional security tools, which rely on narrow data collection and predefined logic. Replik8s allows cloning Kubernetes clusters and serving back exact replicas of the original data, as well as conducting analysis through a tool-agnostic query language.
This versatility makes it particularly valuable for purple teams, enabling both exploratory investigation and precise identification of misconfigurations and vulnerabilities.
Clusters describe their APIs via two sets of endpoints:
/openapi/v2 provides a Swagger 2.0 OpenAPI specification.
/api and /apis detail the k8s resources available in the cluster in a RESTy manner.
The cluster API is quite simple (endpoints are self-contained and multiple requests aren't required to fetch resources),
which allows using the /api and /apis endpoints to fetch all the resources. Once we have this data, we can serve
it back to simulate a cluster "offline".
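The collect-then-serve cycle described above, as an added Python sketch that is not Replik8s code: the discovery documents and objects are constructed samples in the real API shapes (APIVersions, APIGroupList, APIResourceList), and only each group's preferred version is walked, which is an assumption of this example.

```python
from typing import Callable, Dict, List

# Constructed GET /api and GET /apis responses (APIVersions, APIGroupList).
CORE = {"kind": "APIVersions", "versions": ["v1"]}
GROUPS = {"kind": "APIGroupList", "groups": [{
    "name": "rbac.authorization.k8s.io",
    "preferredVersion": {"groupVersion": "rbac.authorization.k8s.io/v1"}}]}
# Constructed GET /api/v1 and GET /apis/<group>/<version> responses (APIResourceList).
RESOURCE_LISTS = {
    "/api/v1": {"resources": [
        {"name": "namespaces", "namespaced": False, "verbs": ["get", "list"]},
        {"name": "pods", "namespaced": True, "verbs": ["get", "list"]},
        {"name": "pods/log", "namespaced": True, "verbs": ["get"]}]},  # subresource
    "/apis/rbac.authorization.k8s.io/v1": {"resources": [
        {"name": "clusterrolebindings", "namespaced": False, "verbs": ["get", "list"]},
        {"name": "rolebindings", "namespaced": True, "verbs": ["get", "list"]}]}}
# Constructed objects a collector would receive from one of the list URLs.
OBJECTS = {"/api/v1/pods": [{"metadata": {"name": "web", "namespace": "prod"}},
                            {"metadata": {"name": "db", "namespace": "dev"}}]}

def list_urls(core: Dict, groups: Dict, fetch: Callable[[str], Dict]) -> List[str]:
    """One list URL per listable kind.  Namespaced kinds are listed cluster-wide
    (e.g. /api/v1/pods), so one request per kind captures every namespace."""
    paths = ["/api/" + v for v in core["versions"]]
    # Assumption: only each group's preferred version is collected.
    paths += ["/apis/" + g["preferredVersion"]["groupVersion"] for g in groups["groups"]]
    urls = []
    for p in paths:
        for r in fetch(p)["resources"]:
            if "/" in r["name"] or "list" not in r["verbs"]:
                continue  # subresources (pods/log) and non-listable kinds: nothing to snapshot
            urls.append(f"{p}/{r['name']}")
    return urls

def collect(core, groups, fetch_discovery, fetch_objects) -> Dict[str, List[Dict]]:
    """Snapshot = every list URL mapped to the objects it returned."""
    return {u: fetch_objects(u) for u in list_urls(core, groups, fetch_discovery)}

def serve(snapshot: Dict[str, List[Dict]], path: str) -> List[Dict]:
    """Answer a kubectl-style GET offline.  A namespaced path such as
    /api/v1/namespaces/prod/pods is served by filtering the cluster-wide list."""
    parts = path.strip("/").split("/")
    if "namespaces" in parts[:-2]:  # .../namespaces/<ns>/<kind>
        i = parts.index("namespaces")
        ns, kind = parts[i + 1], parts[i + 2]
        key = "/" + "/".join(parts[:i] + [kind])
        return [o for o in snapshot.get(key, []) if o["metadata"]["namespace"] == ns]
    return snapshot.get(path, [])
```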
Running the standalone JAR:
java -jar replik8s.jar
Usage: replik8s <command> [options]
Commands:
collect Generate a snapshot.
report Generate findings.
serve Start the server.
visualize Visualize snapshot.
Run 'replik8s <command> --help' for more information on a command.
Generating a snapshot:
java -jar replik8s.jar collect
This command supports the following options:
--snapshot-dir: Directory of the snapshots to load. Defaults to snapshots.
--kubeconfig: Optional path to the kubeconfig file.
Serving the snapshots:
java -jar replik8s.jar serve
This command starts a server that serves all snapshots from the snapshots/ directory. You can specify a different directory with the --snapshot-dir flag.
When you run serve, a kubeconfig-all-snapshots.json file is generated in your project directory. This file is configured with a separate context for each snapshot, allowing you to switch between different points in time.
Interacting with Snapshots
You can use this kubeconfig file with kubectl to interact with the mirrored API.
To list all available snapshot contexts:
kubectl --kubeconfig kubeconfig-all-snapshots.json config get-contexts
To switch to a specific snapshot context:
kubectl --kubeconfig kubeconfig-all-snapshots.json config use-context <context-name>
Once you have selected a context, all subsequent kubectl commands will be directed at that specific snapshot:
kubectl --kubeconfig kubeconfig-all-snapshots.json get ns
Generating findings leveraging the built-in queries:
java -jar replik8s.jar report --format json
This command supports the following options:
--format: The report format (json or xlsx). Defaults to xlsx.
--snapshot-dir: Directory of the snapshots to load. Defaults to snapshots.
--output-dir: The directory to save the report to. Defaults to the current directory.
The following command starts a web server that serves an overview of the snapshot data:
java -jar replik8s.jar visualize
To run the test suite, use the following command:
clj -X:test
This project uses cljfmt for code formatting. You can check the formatting of the codebase with:
clj -M:cljfmt check
And apply the correct formatting with:
clj -M:cljfmt fix
A pre-commit hook is also configured to automatically format your code before committing. To enable it, install pre-commit and run pre-commit install in the repository root.
To build the standalone JAR, simply run:
clojure -T:build uber