-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* adjustment to support zsh & bash * add service account check codebundle
- Loading branch information
1 parent
5ae3ebd
commit e2ec28f
Showing
3 changed files
with
100 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Kubernetes Service Account Check | ||
|
|
||
| Tasks that help debug or validate service accounts and their access. | ||
|
|
||
| ## Tasks | ||
| - `Test Service Account Access to Kubernetes API Server`- Runs a curl pod as a specific serviceaccount and attempts to all the Kubernetes API server with the mounted token | ||
|
|
||
|
|
||
| ## Configuration | ||
|
|
||
| The TaskSet requires initialization to import necessary secrets, services, and user variables. The following variables should be set: | ||
|
|
||
| - `kubeconfig`: The kubeconfig secret containing access info for the cluster. | ||
| - `kubectl`: The location service used to interpret shell commands. Default value is `kubectl-service.shared`. | ||
| - `KUBERNETES_DISTRIBUTION_BINARY`: Which binary to use for Kubernetes CLI commands. Default value is `kubectl`. | ||
| - `CONTEXT`: The Kubernetes context to operate within. | ||
| - `NAMESPACE`: The name of the namespace to search. | ||
| - `SERVICE_ACCOUNT`: The service account to test access with. Defaults to `default` | ||
|
|
||
| ## Requirements | ||
| This task creates and deletes a pod in the specified namespace, RBAC permissions must support this. | ||
|
|
||
| ## TODO | ||
| - [ ] Add documentation | ||
| - [ ] Add github integration with source code vs image comparison | ||
| - [ ] Find applicable raise issue use |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| *** Settings *** | ||
| Documentation This taskset provides tasks to troubleshoot service accounts in a Kubernetes namespace. | ||
| Metadata Author stewartshea | ||
| Metadata Display Name Kubernetes Service Account Check | ||
| Metadata Supports Kubernetes,AKS,EKS,GKE,OpenShift,Redis | ||
| Library BuiltIn | ||
| Library RW.Core | ||
| Library RW.CLI | ||
| Library RW.platform | ||
| Library OperatingSystem | ||
| Library DateTime | ||
| Library Collections | ||
|
|
||
| Suite Setup Suite Initialization | ||
|
|
||
|
|
||
| *** Keywords *** | ||
| Suite Initialization | ||
| ${kubeconfig}= RW.Core.Import Secret | ||
| ... kubeconfig | ||
| ... type=string | ||
| ... description=The kubernetes kubeconfig yaml containing connection configuration used to connect to cluster(s). | ||
| ... pattern=\w* | ||
| ... example=For examples, start here https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/ | ||
| ${kubectl}= RW.Core.Import Service kubectl | ||
| ... description=The location service used to interpret shell commands. | ||
| ... default=kubectl-service.shared | ||
| ... example=kubectl-service.shared | ||
| ${KUBERNETES_DISTRIBUTION_BINARY}= RW.Core.Import User Variable KUBERNETES_DISTRIBUTION_BINARY | ||
| ... type=string | ||
| ... description=Which binary to use for Kubernetes CLI commands. | ||
| ... enum=[kubectl,oc] | ||
| ... example=kubectl | ||
| ... default=kubectl | ||
| ${CONTEXT}= RW.Core.Import User Variable CONTEXT | ||
| ... type=string | ||
| ... description=Which Kubernetes context to operate within. | ||
| ... pattern=\w* | ||
| ... example=my-main-cluster | ||
| ${NAMESPACE}= RW.Core.Import User Variable NAMESPACE | ||
| ... type=string | ||
| ... description=The name of the namespace to search. | ||
| ... pattern=\w* | ||
| ... example=otel-demo | ||
| ... default= | ||
| ${SERVICE_ACCOUNT}= RW.Core.Import User Variable SERVICE_ACCOUNT | ||
| ... type=string | ||
| ... description=The name of the namespace to search. | ||
| ... pattern=\w* | ||
| ... example=default | ||
| ... default=default | ||
| Set Suite Variable ${kubeconfig} ${kubeconfig} | ||
| Set Suite Variable ${kubectl} ${kubectl} | ||
| Set Suite Variable ${KUBERNETES_DISTRIBUTION_BINARY} ${KUBERNETES_DISTRIBUTION_BINARY} | ||
| Set Suite Variable ${CONTEXT} ${CONTEXT} | ||
| Set Suite Variable ${NAMESPACE} ${NAMESPACE} | ||
| Set Suite Variable ${SERVICE_ACCOUNT} ${SERVICE_ACCOUNT} | ||
| Set Suite Variable ${env} {"KUBECONFIG":"./${kubeconfig.key}"} | ||
|
|
||
| *** Tasks *** | ||
| Test Service Account Access to Kubernetes API Server | ||
| [Documentation] Runs a curl pod as a specific serviceaccount and attempts to all the Kubernetes API server with the mounted token | ||
| [Tags] ServiceAccount Curl APIServer RBAC | ||
| ${sa_access}= RW.CLI.Run Cli | ||
| ... cmd=apiserver=https://kubernetes.default.svc; namespace=${NAMESPACE}; context=${CONTEXT}; resource=""; serviceaccount=${SERVICE_ACCOUNT}; ${KUBERNETES_DISTRIBUTION_BINARY} run curl-pod --image=curlimages/curl:latest --restart=Never --overrides="{ \\"spec\\": { \\"serviceAccountName\\": \\"$serviceaccount\\" } }" -n $namespace --context=$context --command -- sleep infinity && echo "Waiting for the curl-pod to be running..." && ${KUBERNETES_DISTRIBUTION_BINARY} wait --for=condition=Ready pod/curl-pod --timeout=20s -n $namespace --context=$context && TOKEN=$(${KUBERNETES_DISTRIBUTION_BINARY} exec curl-pod -n $namespace --context=$context -- cat /var/run/secrets/kubernetes.io/serviceaccount/token) && echo "Performing a curl request to the Kubernetes API..." && ${KUBERNETES_DISTRIBUTION_BINARY} exec curl-pod -n $namespace --context=$context -- curl -s -k -H "Authorization: Bearer $TOKEN" $apiserver$resource && echo "Cleaning up..." && ${KUBERNETES_DISTRIBUTION_BINARY} delete pod curl-pod -n $namespace --context=$context && echo "Done!" | ||
| ... render_in_commandlist=true | ||
| ... target_service=${kubectl} | ||
| ... env=${env} | ||
| ... secret_file__kubeconfig=${kubeconfig} | ||
| RW.Core.Add Pre To Report Test Output:\n${sa_access.stdout} | ||
| ${history}= RW.CLI.Pop Shell History | ||
| RW.Core.Add Pre To Report Commands Used: ${history} |