Fixing duplicates in '-rp' flag. #52

Merged
merged 1 commit into from
Oct 20, 2022
2 changes: 1 addition & 1 deletion KubiScan.py
Expand Up @@ -149,7 +149,7 @@ def print_all_risky_containers(priority=None, namespace=None, read_token_from_co
pod.containers = filter_objects_by_priority(priority, pod.containers)
for container in pod.containers:
all_service_account = ''
for service_account in container.service_accounts_name_list:
for service_account in container.service_accounts_name_set:
all_service_account += service_account.user_info.name + ", "
all_service_account = all_service_account[:-2]
t.add_row([get_color_by_priority(container.priority)+container.priority.name+WHITE, pod.name, pod.namespace, container.name, container.service_account_namespace, all_service_account])
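Review bot: Iterating `container.service_accounts_name_set` on the changed line yields no stable order, so the service-account column of each row can now come out in a different order on consecutive runs against the same cluster, which makes saved reports and diffs of `-rp` output noisy. The `+=` loop and the trailing `[:-2]` trim can be replaced at the same time with a sorted join, `all_service_account = ", ".join(sorted(sa.user_info.name for sa in container.service_accounts_name_set))`, which also removes the dependence on the separator length. Note that the attribute holds objects with a `user_info.name` rather than names, so the `_name_set` suffix is slightly misleading; a short comment on the attribute would help. The enclosing `print_all_risky_containers` starts and ends outside the hunk, and since `Container.__init__` in this PR still defaults the attribute to `None`, a container built without it would fail on iteration here, so presumably every caller passes a set - worth confirming.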
6 changes: 3 additions & 3 deletions engine/container.py
@@ -1,9 +1,9 @@
class Container:
def __init__(self, name, service_account_name=None, service_account_namespace=None, service_accounts_name_list=None, priority=None, token=None, raw_jwt_token=None):
def __init__(self, name, service_account_name=None, service_account_namespace=None, service_accounts_name_set=None, priority=None, token=None, raw_jwt_token=None):
self.name = name
self.service_account_name = service_account_name
self.service_account_namespace = service_account_namespace
self.service_accounts_name_list = service_accounts_name_list
self.service_accounts_name_set = service_accounts_name_set
self.priority = priority
self.token = token
self.raw_jwt_token = raw_jwt_token
self.raw_jwt_token = raw_jwt_token
19 changes: 9 additions & 10 deletions engine/utils.py
Expand Up @@ -325,7 +325,6 @@ def get_risky_user_from_container(jwt_body, risky_users):

def get_risky_containers(pod, risky_users, read_token_from_container=False):
risky_containers = []
risky_users_list = []
if read_token_from_container:
# Skipping terminated and evicted pods
# This will run only on the containers with the "ready" status
Expand All @@ -346,13 +345,13 @@ def get_risky_containers(pod, risky_users, read_token_from_container=False):
for volume in pod.spec.volumes or []:
volumes_dict[volume.name] = volume
for container in pod.spec.containers:
risky_users_list = get_risky_users_from_container(container, risky_users, pod, volumes_dict)
risky_users_set = get_risky_users_from_container(container, risky_users, pod, volumes_dict)
if not container_exists_in_risky_containers(risky_containers, container.name,
risky_users_list):
if len(risky_users_list) > 0:
priority = get_highest_priority(risky_users_list)
risky_users_set):
if len(risky_users_set) > 0:
priority = get_highest_priority(risky_users_set)
risky_containers.append(
Container(container.name, None, pod.metadata.namespace, risky_users_list,
Container(container.name, None, pod.metadata.namespace, risky_users_set,
priority))
return risky_containers

Expand All @@ -367,7 +366,7 @@ def get_highest_priority(risky_users_list):


def get_risky_users_from_container(container, risky_users, pod, volumes_dict):
risky_users_list = []
risky_users_set = set()
# '[]' for checking if 'container.volume_mounts' is None
for volume_mount in container.volume_mounts or []:
if volume_mount.name in volumes_dict:
Expand All @@ -376,12 +375,12 @@ def get_risky_users_from_container(container, risky_users, pod, volumes_dict):
if source.service_account_token is not None:
risky_user = is_user_risky(risky_users, pod.spec.service_account, pod.metadata.namespace)
if risky_user is not None:
risky_users_list.append(risky_user)
risky_users_set.add(risky_user)
elif volumes_dict[volume_mount.name].secret is not None:
risky_user = get_jwt_and_decode(pod, risky_users, volumes_dict[volume_mount.name])
if risky_user is not None:
risky_users_list.append(risky_user)
return risky_users_list
risky_users_set.add(risky_user)
return risky_users_set


def container_exists_in_risky_containers(risky_containers, container_name, risky_users_list):
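Review bot: The deduplication in `get_risky_users_from_container` now depends entirely on how the objects returned by `is_user_risky` and `get_jwt_and_decode` hash and compare, and neither function is visible in this hunk; if they hand back fresh instances with default identity hashing, `risky_users_set.add(risky_user)` keeps exactly the duplicates the PR means to remove, and if they define equality on the account name alone, two risky service accounts with the same name in different namespaces collapse into a single finding. An explicit key would make the intent verifiable, e.g. a dict keyed on the user's name and namespace (whatever fields `user_info` exposes; `pod.metadata.namespace` is what the token-projection branch already passes) with `return list(seen.values())` at the end. `get_highest_priority(risky_users_set)` in the earlier hunk is defined at the `@@ -367,7 +366,7 @@` header but its body is outside this view; if it indexes into its argument it will break on a set, so please confirm. `container_exists_in_risky_containers` still takes a parameter named `risky_users_list` while being passed the set, which is worth aligning in the same change.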