From e2ec28f4ad4690fe56f4e2ab3c66ddb569495565 Mon Sep 17 00:00:00 2001
From: Shea Stewart
Date: Tue, 11 Jul 2023 08:16:31 -0400
Subject: [PATCH] Curl apiserver (#116)
* adjustment to support zsh & bash
* add service account check codebundle
---
 codebundles/k8s-image-check/runbook.robot | 4 +-
 .../k8s-serviceaccount-check/README.md | 26 +++++++
 .../k8s-serviceaccount-check/runbook.robot | 72 +++++++++++++++++++
 3 files changed, 100 insertions(+), 2 deletions(-)
 create mode 100644 codebundles/k8s-serviceaccount-check/README.md
 create mode 100644 codebundles/k8s-serviceaccount-check/runbook.robot
diff --git a/codebundles/k8s-image-check/runbook.robot b/codebundles/k8s-image-check/runbook.robot
index 95f2b594..dd831471 100644
--- a/codebundles/k8s-image-check/runbook.robot
+++ b/codebundles/k8s-image-check/runbook.robot
@@ -1,8 +1,8 @@
 *** Settings ***
 Documentation This taskset provides detailed information about the images used in a Kubernetes namespace.
 Metadata Author jon-funk
-Metadata Display Name Kubernetes Image Rollover Check
-Metadata Supports Kubernetes,AKS,EKS,GKE,OpenShift,Redis
+Metadata Display Name Kubernetes Image Check
+Metadata Supports Kubernetes,AKS,EKS,GKE,OpenShift
 Library BuiltIn
 Library RW.Core
 Library RW.CLI
diff --git a/codebundles/k8s-serviceaccount-check/README.md b/codebundles/k8s-serviceaccount-check/README.md
new file mode 100644
index 00000000..bd0e59bc
--- /dev/null
+++ b/codebundles/k8s-serviceaccount-check/README.md
@@ -0,0 +1,26 @@
+# Kubernetes Service Account Check
+
+Tasks that help debug or validate service accounts and their access.
+
+## Tasks
+- `Test Service Account Access to Kubernetes API Server`- Runs a curl pod as a specific serviceaccount and attempts to all the Kubernetes API server with the mounted token
+
+
+## Configuration
+
+The TaskSet requires initialization to import necessary secrets, services, and user variables. The following variables should be set:
+
+- `kubeconfig`: The kubeconfig secret containing access info for the cluster.
+- `kubectl`: The location service used to interpret shell commands. Default value is `kubectl-service.shared`.
+- `KUBERNETES_DISTRIBUTION_BINARY`: Which binary to use for Kubernetes CLI commands. Default value is `kubectl`.
+- `CONTEXT`: The Kubernetes context to operate within.
+- `NAMESPACE`: The name of the namespace to search.
+- `SERVICE_ACCOUNT`: The service account to test access with. Defaults to `default`
+
+## Requirements
+This task creates and deletes a pod in the specified namespace, RBAC permissions must support this.
+
+## TODO
+- [ ] Add documentation
+- [ ] Add github integration with source code vs image comparison
+- [ ] Find applicable raise issue use
\ No newline at end of file
diff --git a/codebundles/k8s-serviceaccount-check/runbook.robot b/codebundles/k8s-serviceaccount-check/runbook.robot
new file mode 100644
index 00000000..03520e19
--- /dev/null
+++ b/codebundles/k8s-serviceaccount-check/runbook.robot
@@ -0,0 +1,72 @@
+*** Settings ***
+Documentation This taskset provides tasks to troubleshoot service accounts in a Kubernetes namespace.
+Metadata Author stewartshea
+Metadata Display Name Kubernetes Service Account Check
+Metadata Supports Kubernetes,AKS,EKS,GKE,OpenShift,Redis
+Library BuiltIn
+Library RW.Core
+Library RW.CLI
+Library RW.platform
+Library OperatingSystem
+Library DateTime
+Library Collections
+
+Suite Setup Suite Initialization
+
+
+*** Keywords ***
+Suite Initialization
+ ${kubeconfig}= RW.Core.Import Secret
+ ... kubeconfig
+ ... type=string
+ ... description=The kubernetes kubeconfig yaml containing connection configuration used to connect to cluster(s).
+ ... pattern=\w*
+ ... example=For examples, start here https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/
+ ${kubectl}= RW.Core.Import Service kubectl
+ ... description=The location service used to interpret shell commands.
+ ... default=kubectl-service.shared
+ ... example=kubectl-service.shared
+ ${KUBERNETES_DISTRIBUTION_BINARY}= RW.Core.Import User Variable KUBERNETES_DISTRIBUTION_BINARY
+ ... type=string
+ ... description=Which binary to use for Kubernetes CLI commands.
+ ... enum=[kubectl,oc]
+ ... example=kubectl
+ ... default=kubectl
+ ${CONTEXT}= RW.Core.Import User Variable CONTEXT
+ ... type=string
+ ... description=Which Kubernetes context to operate within.
+ ... pattern=\w*
+ ... example=my-main-cluster
+ ${NAMESPACE}= RW.Core.Import User Variable NAMESPACE
+ ... type=string
+ ... description=The name of the namespace to search.
+ ... pattern=\w*
+ ... example=otel-demo
+ ... default=
+ ${SERVICE_ACCOUNT}= RW.Core.Import User Variable SERVICE_ACCOUNT
+ ... type=string
+ ... description=The name of the namespace to search.
+ ... pattern=\w*
+ ... example=default
+ ... default=default
+ Set Suite Variable ${kubeconfig} ${kubeconfig}
+ Set Suite Variable ${kubectl} ${kubectl}
+ Set Suite Variable ${KUBERNETES_DISTRIBUTION_BINARY} ${KUBERNETES_DISTRIBUTION_BINARY}
+ Set Suite Variable ${CONTEXT} ${CONTEXT}
+ Set Suite Variable ${NAMESPACE} ${NAMESPACE}
+ Set Suite Variable ${SERVICE_ACCOUNT} ${SERVICE_ACCOUNT}
+ Set Suite Variable ${env} {"KUBECONFIG":"./${kubeconfig.key}"}
+
+*** Tasks ***
+Test Service Account Access to Kubernetes API Server
+ [Documentation] Runs a curl pod as a specific serviceaccount and attempts to all the Kubernetes API server with the mounted token
+ [Tags] ServiceAccount Curl APIServer RBAC
+ ${sa_access}= RW.CLI.Run Cli
+ ... cmd=apiserver=https://kubernetes.default.svc; namespace=${NAMESPACE}; context=${CONTEXT}; resource=""; serviceaccount=${SERVICE_ACCOUNT}; ${KUBERNETES_DISTRIBUTION_BINARY} run curl-pod --image=curlimages/curl:latest --restart=Never --overrides="{ \\"spec\\": { \\"serviceAccountName\\": \\"$serviceaccount\\" } }" -n $namespace --context=$context --command -- sleep infinity && echo "Waiting for the curl-pod to be running..." && ${KUBERNETES_DISTRIBUTION_BINARY} wait --for=condition=Ready pod/curl-pod --timeout=20s -n $namespace --context=$context && TOKEN=$(${KUBERNETES_DISTRIBUTION_BINARY} exec curl-pod -n $namespace --context=$context -- cat /var/run/secrets/kubernetes.io/serviceaccount/token) && echo "Performing a curl request to the Kubernetes API..." && ${KUBERNETES_DISTRIBUTION_BINARY} exec curl-pod -n $namespace --context=$context -- curl -s -k -H "Authorization: Bearer $TOKEN" $apiserver$resource && echo "Cleaning up..." && ${KUBERNETES_DISTRIBUTION_BINARY} delete pod curl-pod -n $namespace --context=$context && echo "Done!"
+ ... render_in_commandlist=true
+ ... target_service=${kubectl}
+ ... env=${env}
+ ... secret_file__kubeconfig=${kubeconfig}
+ RW.Core.Add Pre To Report Test Output:\n${sa_access.stdout}
+ ${history}= RW.CLI.Pop Shell History
+ RW.Core.Add Pre To Report Commands Used: ${history}
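Review bot: The probe in the `cmd=` line of `Test Service Account Access to Kubernetes API Server` runs `curl -s -k`, which disables TLS verification of the API server even though the pod already has the cluster CA mounted; replace `-k` with `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` and use `-sS` so a failed request is reported rather than silenced. The same line copies the service-account bearer token out of the pod into the runner shell via `TOKEN=$(... cat /var/run/secrets/kubernetes.io/serviceaccount/token)`; the token can stay inside the pod if the exec runs `sh -c 'curl ... -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" ...'`, and since `render_in_commandlist=true` and `RW.CLI.Pop Shell History` both feed the report, it is worth confirming the rendered command never carries the expanded token value. Because every step is chained with `&&`, a `wait` timeout or a failing curl skips the `delete pod curl-pod` step, so the pod is left behind and the next run fails at `run curl-pod` because the name already exists; run the delete unconditionally (e.g. `; ${KUBERNETES_DISTRIBUTION_BINARY} delete pod curl-pod -n $namespace --context=$context --ignore-not-found`) after capturing the probe's exit status. The `SERVICE_ACCOUNT` import reuses the `NAMESPACE` description text (`description=The name of the namespace to search.`) and should read `description=The service account to test access with.` as the README states, and `Metadata Supports` still lists `Redis`, the same stray entry the first hunk of this commit removes from the image-check runbook.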