@jicowan
Created October 14, 2021 22:02
Forensic Capture
#!/usr/bin/env bash
# Forensic capture of one pod's containers, run on the EKS worker node that hosts
# the pod (Docker runtime). Requires the aws CLI, jq, docker, and the environment
# variables NAMESPACE, POD_NAME and DEST_BUCKET (s3://bucket); SUBPATH is optional.
set -euo pipefail

for var in NAMESPACE POD_NAME DEST_BUCKET; do
  if [[ -z "${!var:-}" ]]; then
    echo "ERROR: $var must be set" >&2
    exit 1
  fi
done
export SUBPATH="${SUBPATH:-forensics}"

# IMDSv2: request a session token, then read the region this node runs in.
# (The original fetched the region with -o /dev/null -v, which discards the body.)
TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
REGION=$(curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/placement/region)

CLUSTER_NAME=default_capi-eks-quickstart-control-plane
# describe-cluster reports a minor version such as 1.21; resolve it to the latest
# patch release so the kubectl download URL is valid ($(VERSION) in the original
# was a command substitution, not a variable expansion).
VERSION=$(aws eks describe-cluster --name "$CLUSTER_NAME" --region "$REGION" | jq -r .cluster.version)
KUBECTL_VERSION=$(curl -sL "https://dl.k8s.io/release/stable-${VERSION}.txt")
aws eks update-kubeconfig --name "$CLUSTER_NAME" --region "$REGION"
curl -sL -o /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
chmod +x /usr/local/bin/kubectl

echo "Namespace: $NAMESPACE"
echo "Pod Name: $POD_NAME"
echo "Subpath: $SUBPATH"
echo "Destination Bucket: $DEST_BUCKET"

export timestamp=$(date +"%s")
local_dest_dir=/forensics/${SUBPATH}/${timestamp}
mkdir -p "${local_dest_dir}"

# Pod-level evidence: human-readable description and the full object as YAML.
kubectl describe pod "${POD_NAME}" -n "${NAMESPACE}" > "${local_dest_dir}/${POD_NAME}.txt"
kubectl get pod "${POD_NAME}" -n "${NAMESPACE}" -o yaml > "${local_dest_dir}/${POD_NAME}.yaml"

# Capture every container in the pod, not just the first. containerID is reported
# as "docker://<id>", so strip the runtime prefix before handing it to docker.
for CONTAINER_ID in $(kubectl get pod "$POD_NAME" -n "$NAMESPACE" -o json \
    | jq -r '.status.containerStatuses[].containerID' | sed -E 's#^.*://##'); do
  sudo docker inspect "$CONTAINER_ID" > "${local_dest_dir}/${POD_NAME}-${CONTAINER_ID}-inspect.json"
  sudo docker diff "$CONTAINER_ID" > "${local_dest_dir}/${POD_NAME}-${CONTAINER_ID}-diff.txt"
  sudo docker export "$CONTAINER_ID" --output="${local_dest_dir}/${POD_NAME}-${CONTAINER_ID}-export.tar"
done

# Ship the evidence to the destination bucket, then remove the local copy.
for file in "${local_dest_dir}"/*; do
  aws s3 cp "${file}" "${DEST_BUCKET}/${SUBPATH}/${timestamp}_${NAMESPACE}_${POD_NAME}/" --acl bucket-owner-full-control
done
rm -rf "${local_dest_dir}"
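The gist's comment notes that a loop over all containers in the pod is needed. The following is an added example, not part of the gist, showing the parsing step that loop depends on: it reads the JSON that `kubectl get pod -o json` produces (a constructed sample document is embedded inline), strips the runtime prefix from each `.status.containerStatuses[].containerID`, skips containers that have not started yet (no `containerID`, so `docker inspect` would fail), and derives the per-container artifact names and S3 key prefix in the gist's own naming scheme. It generalises slightly beyond the gist by accepting `containerd://` as well as `docker://` prefixes; the pod name, namespace and IDs in the sample are constructed.

```python
"""Enumerate every container in a pod from `kubectl get pod -o json` output.

Added example (not part of the gist). Parses the pod status document and
plans the per-container capture files, so that every container, not just
the first, is inspected, diffed and exported.
"""
import json
import re

# containerID looks like "docker://<id>" or "containerd://<id>"; drop the scheme.
RUNTIME_PREFIX = re.compile(r"^[a-z0-9-]+://")

# Constructed sample: two running containers and one still waiting (no containerID).
SAMPLE_POD_JSON = json.dumps({
    "metadata": {"name": "web-0", "namespace": "prod"},
    "status": {
        "containerStatuses": [
            {"name": "app", "containerID": "docker://3f1c9a7b2d4e"},
            {"name": "sidecar", "containerID": "containerd://a1b2c3d4e5f6"},
            {"name": "pending", "state": {"waiting": {"reason": "ContainerCreating"}}},
        ]
    },
})


def container_ids(pod_json: str) -> list:
    """Return (container name, bare ID) for each container that has a containerID."""
    pod = json.loads(pod_json)
    result = []
    for status in pod.get("status", {}).get("containerStatuses", []):
        cid = status.get("containerID")
        if not cid:
            continue  # container not started yet; nothing to inspect or export
        result.append((status["name"], RUNTIME_PREFIX.sub("", cid)))
    return result


def artifact_names(pod_name: str, container_id: str) -> list:
    """File names the gist writes per container, in the same naming scheme."""
    base = f"{pod_name}-{container_id}"
    return [f"{base}-inspect.json", f"{base}-diff.txt", f"{base}-export.tar"]


def s3_prefix(dest_bucket: str, subpath: str, timestamp: int, namespace: str, pod_name: str) -> str:
    """Key prefix used by the gist's `aws s3 cp` loop."""
    return f"{dest_bucket}/{subpath}/{timestamp}_{namespace}_{pod_name}/"


def plan_capture(pod_json: str, dest_bucket: str, subpath: str, timestamp: int) -> dict:
    """Compute the full list of evidence files and their S3 destination for a pod."""
    pod = json.loads(pod_json)
    name = pod["metadata"]["name"]
    namespace = pod["metadata"]["namespace"]
    files = [f"{name}.txt", f"{name}.yaml"]  # pod-level describe and YAML dump
    for _, cid in container_ids(pod_json):
        files.extend(artifact_names(name, cid))
    return {"prefix": s3_prefix(dest_bucket, subpath, timestamp, namespace, name), "files": files}


if __name__ == "__main__":
    print(json.dumps(plan_capture(SAMPLE_POD_JSON, "s3://evidence", "forensics", 1634248920), indent=2))
```

Run against the sample, the plan lists the two started containers only; the waiting one is skipped rather than producing an empty ID that would make `docker inspect` error out mid-capture.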