cyberark / KubiScan

A tool to scan a Kubernetes cluster for risky permissions
GNU General Public License v3.0

Python error not handled when command result is empty #12

Closed JnMik closed 4 years ago

JnMik commented 4 years ago

Hello !

Here are the commands I used that triggered the error:

```
python3 /KubiScan/KubiScan.py -ho $KUBERNETES_ENDPOINT:$PORT -t /token -c /ca.crt -rp
```

or

```
python3 /KubiScan/KubiScan.py -ho $KUBERNETES_ENDPOINT:$PORT -t /token -c /ca.crt -pp
```

```
Traceback (most recent call last):
  File "/KubiScan/KubiScan.py", line 635, in <module>
    main()
  File "/KubiScan/KubiScan.py", line 568, in main
    print_all_risky_containers(priority=args.priority, namespace=args.namespace, read_token_from_container=args.deep)
  File "/KubiScan/KubiScan.py", line 113, in print_all_risky_containers
    pods = engine.utils.get_risky_pods(namespace, read_token_from_container)
  File "/KubiScan/engine/utils.py", line 350, in get_risky_pods
    risky_containers = get_risky_containers(pod, risky_users, deep_analysis)
  File "/KubiScan/engine/utils.py", line 331, in get_risky_containers
    for volume in pod.spec.volumes:
TypeError: 'NoneType' object is not iterable
```

Not sure if this happens with the other commands, because when I run them they actually return a result.

Cheers !

g3rzi commented 4 years ago

Hey @JnMik, thank you for reporting!

I will check it and update you when it is solved. I think I know what will solve it, but it will need to wait until after 4.12 because I am presenting demos of this tool and I don't want to add fixes that might affect the demos.

g3rzi commented 4 years ago

Sorry for the delay,

I saw that the problem is here:
https://github.com/cyberark/KubiScan/blob/c20370a15d6082f701dcf8de5c52820663c45416/engine/utils.py#L333

This is because we are not handling the case where pod.spec.volumes is None.
I was able to reproduce it with this YAML:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: super-user-pod
spec:
  containers:
  - image: busybox:1.28
    imagePullPolicy: IfNotPresent
    name: redis
    resources: {}
    securityContext:
      capabilities:
        add:
        - SYS_ADMIN
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  restartPolicy: Always
  automountServiceAccountToken: false
```

I can now work on a solution for this and will update.
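The failure mode described above, as an added illustration that is not KubiScan's own code: the Kubernetes Python client leaves `pod.spec.volumes` as `None` (not an empty list) for a manifest like the one above that declares no volumes, so a loop that iterates it directly raises `TypeError`. The pod objects below are constructed stand-ins, and `volume_names_unguarded` / `volume_names_guarded` are hypothetical helpers showing the crashing pattern next to a defensive one.

```python
from types import SimpleNamespace
from typing import Dict, List, Optional


def make_pod(name: str, volumes: Optional[list]) -> SimpleNamespace:
    """Constructed stand-in for a kubernetes-client V1Pod with just the fields used here."""
    return SimpleNamespace(
        metadata=SimpleNamespace(name=name),
        spec=SimpleNamespace(volumes=volumes),
    )


def volume_names_unguarded(pod) -> List[str]:
    """Mirrors the failing pattern: iterates pod.spec.volumes as if it were always a list."""
    return [volume.name for volume in pod.spec.volumes]  # TypeError when volumes is None


def volume_names_guarded(pod) -> List[str]:
    """Hardened form: a missing volume list means the pod mounts nothing."""
    return [volume.name for volume in (pod.spec.volumes or [])]


def raises_type_error(func, pod) -> bool:
    """Reports whether func(pod) fails with the TypeError seen in the traceback."""
    try:
        func(pod)
    except TypeError:
        return True
    return False


def scan_pods(pods) -> Dict[str, List[str]]:
    """Scan a whole pod list without aborting on volume-less pods (the bug's real impact:
    one such pod stopped the entire -rp / -pp scan)."""
    return {pod.metadata.name: volume_names_guarded(pod) for pod in pods}


# Constructed sample: super-user-pod from the YAML above (no volumes) plus one pod
# that mounts a service account token secret, the kind of volume a scanner cares about.
NO_VOLUME_POD = make_pod("super-user-pod", None)
TOKEN_POD = make_pod("api-client", [SimpleNamespace(name="sa-token"), SimpleNamespace(name="cache")])

if __name__ == "__main__":
    print(raises_type_error(volume_names_unguarded, NO_VOLUME_POD))  # True
    print(scan_pods([NO_VOLUME_POD, TOKEN_POD]))
```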

g3rzi commented 4 years ago

I tested it and it works :) If you are still having issues, reopen this case.