kubescape / kubescape

Kubescape is an open-source Kubernetes security platform for your IDE, CI/CD pipelines, and clusters. It includes risk analysis, security, compliance, and misconfiguration scanning, saving Kubernetes users and administrators precious time, effort, and resources.
https://kubescape.io
Apache License 2.0

Exception when scanning local files #1740

Open QuinnBast opened 1 month ago

QuinnBast commented 1 month ago

Description

When attempting to scan my whole repository with kubescape scan ., the process fails with an exception.

Environment

OS: Almalinux 9
Version: v3.0.17

Steps To Reproduce

  1. Download Kubescape: curl -s https://raw.githubusercontent.com/kubescape/kubescape/master/install.sh | /bin/bash
  2. cd into my git repo
  3. Run kubescape scan .

Expected behavior

Expect the scan to complete

Actual Behavior

The CLI throws an exception:

$ kubescape scan .
 ✅  Initialized scanner
 ✅  Loaded policies
 ✅  Loaded exceptions
 ✅  Loaded account configurations
 🌕  Accessing local objects...panic: interface conversion: interface {} is int, not string

goroutine 1 [running]:
github.com/kubescape/opa-utils/objectsenvelopes/hostsensor.IsTypeTypeHostSensor(0x3d45fa0?)
    /home/runner/go/pkg/mod/github.com/kubescape/opa-utils@v0.0.281/objectsenvelopes/hostsensor/hostsensordataenvelope.go:146 +0xc6
github.com/kubescape/opa-utils/objectsenvelopes.GetObjectType(0xc0046393b0)
    /home/runner/go/pkg/mod/github.com/kubescape/opa-utils@v0.0.281/objectsenvelopes/objectshandler.go:41 +0xbd
github.com/kubescape/opa-utils/objectsenvelopes.NewObject(0xc0046393b0)
    /home/runner/go/pkg/mod/github.com/kubescape/opa-utils@v0.0.281/objectsenvelopes/objectshandler.go:17 +0x25
github.com/kubescape/kubescape/v3/core/cautils.readYamlFile({0xc00458f500, 0x2c6, 0x2c7})
    /home/runner/work/kubescape/kubescape/core/cautils/fileutils.go:242 +0x325
github.com/kubescape/kubescape/v3/core/cautils.ReadFile({0xc00458f500?, 0x7a?, 0xc002376460?}, {0x4462680?, 0x415d3c0?})
    /home/runner/work/kubescape/kubescape/core/cautils/fileutils.go:176 +0x33
github.com/kubescape/kubescape/v3/core/cautils.loadFiles({0xc002108e70, 0x28}, {0xc002236000, 0x1259, 0x28?})
    /home/runner/work/kubescape/kubescape/core/cautils/fileutils.go:144 +0x1d2
github.com/kubescape/kubescape/v3/core/cautils.LoadResourcesFromFiles({0x52ff0d0, 0xc000fa0030}, {0x7ffca74172f3, 0x1}, {0xc002108e70, 0x28})
    /home/runner/work/kubescape/kubescape/core/cautils/fileutils.go:123 +0x2c7
github.com/kubescape/kubescape/v3/core/pkg/resourcehandler.getResourcesFromPath({0x52ff0d0, 0xc000fa0030}, {0x7ffca74172f3, 0x1})
    /home/runner/work/kubescape/kubescape/core/pkg/resourcehandler/filesloader.go:205 +0x152
github.com/kubescape/kubescape/v3/core/pkg/resourcehandler.(*FileResourceHandler).GetResources(0xc0017d0640?, {0x52ff0d0, 0xc000fa0030}, 0xc00023d200, 0xc001945688)
    /home/runner/work/kubescape/kubescape/core/pkg/resourcehandler/filesloader.go:48 +0x22b
github.com/kubescape/kubescape/v3/core/pkg/resourcehandler.CollectResources({0x52ff0d0, 0xc000fa0000}, {0x52e7a58, 0x7a771e0}, 0xc00023d200, 0xc001945688)
    /home/runner/work/kubescape/kubescape/core/pkg/resourcehandler/handlerpullresources.go:28 +0x1a2
github.com/kubescape/kubescape/v3/core/core.(*Kubescape).Scan(0x0?, {0x52ff1b0, 0x7a771e0}, 0xc001945688)
    /home/runner/work/kubescape/kubescape/core/core/scan.go:172 +0x7b6
github.com/kubescape/kubescape/v3/cmd/scan.securityScan({{{0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}, {0x0, 0x0}}, {0xc0017cccc0, 0x2, ...}, ...}, ...)
    /home/runner/work/kubescape/kubescape/cmd/scan/scan.go:138 +0x9a
github.com/kubescape/kubescape/v3/cmd/scan.GetScanCommand.func1(0xc0017bf400?, {0xc0017b7ed0?, 0x4?, 0x44626a0?})
    /home/runner/work/kubescape/kubescape/cmd/scan/scan.go:49 +0xc8
github.com/spf13/cobra.(*Command).execute(0xc0017da908, {0xc0017b7e90, 0x1, 0x1})
    /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:983 +0xaca
github.com/spf13/cobra.(*Command).ExecuteC(0xc0017da608)
    /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1115 +0x3ff
github.com/spf13/cobra.(*Command).Execute(...)
    /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.8.0/command.go:1039
github.com/kubescape/kubescape/v3/cmd.Execute()
    /home/runner/work/kubescape/kubescape/cmd/root.go:119 +0x2a
main.main()
    /home/runner/work/kubescape/kubescape/main.go:27 +0xbb

Additional context

Even if I run with -l debug I get the same output as above. Other scans work, like kubescape scan against a k8s cluster, or kubescape scan image.
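
The panic text in the trace above, `interface conversion: interface {} is int, not string`, is the Go runtime's error for a single-value type assertion (`x.(string)`) on an `interface{}` value that actually holds an `int`; it is raised while the scanner is classifying a freshly decoded YAML document. The program below is an added illustration of that failure mode, not code from Kubescape or from the reporter: it decodes nothing itself but takes constructed documents in the generic `map[string]interface{}` shape a YAML decoder returns (a Deployment-shaped map, one with `kind: 123`, and a Helm-values-shaped map with no `kind` at all), shows the unchecked assertion panicking, and puts the two-value assertion form beside it so non-object files are skipped with a reason instead of aborting the scan. The names `Candidate`, `unsafeKind`, `safeKind`, `callUnsafe` and `filterObjects` are invented here and are not Kubescape identifiers.

```go
package main

import (
	"errors"
	"fmt"
)

// Candidate is one decoded YAML document as a generic map: the shape a YAML
// decoder returns before any Kubernetes typing is applied. Scalars keep the
// decoder's native type, so `kind: 123` arrives as an int, not a string.
type Candidate map[string]interface{}

// ErrNotAnObject marks a document that is not a Kubernetes object (a Helm
// values file, a kustomization fragment, a typo in a manifest, ...).
var ErrNotAnObject = errors.New("not a Kubernetes object")

// unsafeKind is the pattern the panic message points at: a single-value type
// assertion that trusts the field to be a string. When it is an int the Go
// runtime aborts the program with
// "interface conversion: interface {} is int, not string".
func unsafeKind(obj Candidate) string {
	return obj["kind"].(string)
}

// safeKind uses the two-value assertion form: a missing or non-string field
// becomes an error the caller can report and skip, not a crash.
func safeKind(obj Candidate) (string, error) {
	kind, ok := obj["kind"].(string)
	if !ok || kind == "" {
		return "", fmt.Errorf("%w: kind=%v (%T)", ErrNotAnObject, obj["kind"], obj["kind"])
	}
	apiVersion, ok := obj["apiVersion"].(string)
	if !ok || apiVersion == "" {
		return "", fmt.Errorf("%w: apiVersion=%v (%T)", ErrNotAnObject, obj["apiVersion"], obj["apiVersion"])
	}
	return kind, nil
}

// callUnsafe wraps unsafeKind so the runtime panic can be observed as an
// error value; it exists only to demonstrate the failure mode.
func callUnsafe(obj Candidate) (kind string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	return unsafeKind(obj), nil
}

// filterObjects keeps documents that carry string kind/apiVersion fields and
// collects a reason for every document it skips, so one odd file in a large
// tree does not abort the whole scan.
func filterObjects(docs []Candidate) (kinds []string, skipped []error) {
	for _, d := range docs {
		kind, err := safeKind(d)
		if err != nil {
			skipped = append(skipped, err)
			continue
		}
		kinds = append(kinds, kind)
	}
	return kinds, skipped
}

// Constructed sample documents (invented for this example, not files from the
// reporter's repository), in the form a YAML decoder would produce.
var (
	deploymentDoc = Candidate{
		"apiVersion": "apps/v1",
		"kind":       "Deployment",
		"metadata":   map[string]interface{}{"name": "web"},
	}
	intKindDoc    = Candidate{"apiVersion": "v1", "kind": 123}
	helmValuesDoc = Candidate{
		"replicaCount": 1,
		"image":        map[string]interface{}{"tag": "1.0"},
	}
)

func main() {
	docs := []Candidate{deploymentDoc, intKindDoc, helmValuesDoc}
	for _, d := range docs {
		if _, err := callUnsafe(d); err != nil {
			fmt.Println("unchecked assertion:", err)
		}
	}
	kinds, skipped := filterObjects(docs)
	fmt.Println("scanned kinds:", kinds)
	for _, err := range skipped {
		fmt.Println("skipped:", err)
	}
}
```

The same two-value form applies to every field a scanner reads out of untyped YAML (`apiVersion`, `metadata.name`, container lists), since any of them can be absent or carry a non-string scalar in a repository that mixes manifests with Helm values and kustomize overlays; the unchecked form turns each such file into a crash of the entire run.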

matthyx commented 4 weeks ago

@QuinnBast can you provide some information on your repo, as I cannot reproduce locally

QuinnBast commented 4 weeks ago

I tested it with just an empty directory and it worked, so it must have something to do with one of the files in my repository. I've narrowed it down by testing each directory in our repo one at a time.

The issue comes from our infra folder (which contains all our k8s YAMLs, Ansible playbooks, and Helm charts). Specifically, it fails when trying to scan our kubernetes directory, which contains these sub-directories:

$ ls -l
total 32
-rwxr-xr-x. 1 almalinux almalinux 2500 Aug 19 14:41 add_argo_clusters.sh
drwxr-xr-x. 3 almalinux almalinux   18 Jul  3 13:57 argocd
drwxr-xr-x. 5 almalinux almalinux   63 Sep 19 10:44 backend
drwxr-xr-x. 2 almalinux almalinux  108 Sep  4 14:33 build
-rwxr-xr-x. 1 almalinux almalinux  277 Aug  7 09:48 build_all_manifests.sh
-rwxr-xr-x. 1 almalinux almalinux  271 Aug  7 09:48 build_app_manifest.sh
drwxr-xr-x. 5 almalinux almalinux   63 Sep  9 08:55 cert-manager
drwxr-xr-x. 4 almalinux almalinux   50 Sep 19 10:44 cloudnative-pg
-rw-r--r--. 1 almalinux almalinux  694 Aug 19 14:41 copy_latest_images.sh
-rw-r--r--. 1 almalinux almalinux  120 Sep 19 10:44 deployment_order.txt
drwxr-xr-x. 4 almalinux almalinux   50 Sep 19 10:44 elastic-stack
drwxr-xr-x. 5 almalinux almalinux   63 Sep 27 11:42 frontend
-rwxr-xr-x. 1 almalinux almalinux  428 Aug 19 14:41 get_latest_image_name.py
drwxr-xr-x. 5 almalinux almalinux   82 Sep 27 11:42 getMapServer
drwxr-xr-x. 5 almalinux almalinux   63 Sep  6 16:30 ingress-nginx
drwxr-xr-x. 5 almalinux almalinux   63 Sep  6 16:56 k8ssandra-operator
drwxr-xr-x. 4 almalinux almalinux   50 Aug  7 09:48 kafdrop
drwxr-xr-x. 5 almalinux almalinux   63 Sep  6 16:54 kafka
drwxr-xr-x. 5 almalinux almalinux   63 Sep  6 16:57 keycloak
drwxr-xr-x. 4 almalinux almalinux   50 Aug  7 09:48 kube-prometheus-stack
drwxr-xr-x. 4 almalinux almalinux   50 Aug  7 09:48 metallb
-rwxr-xr-x. 1 almalinux almalinux  364 Aug  7 09:48 registry_name.py
-rwxr-xr-x. 1 almalinux almalinux  454 Aug 19 14:41 sync_argo.sh
drwxr-xr-x. 4 almalinux almalinux   50 Aug  7 09:48 topolvm

Each one of these directories is a kustomize deployment with various environment overlays.

If I manually run each of these directories/files through kubescape with kubescape scan <somePath>, most work; however, the one that fails is kube-prometheus-stack. Running kubescape against a few of the deployments takes like 5-10 minutes, but kube-prometheus-stack throws the stack trace seen above.

One thing to note is that I have the Helm charts from these repositories already pulled down before running kubescape, so it's likely that kubescape is scanning the entire Helm charts. However, this should not be too crazy; it's not like these Helm charts are GBs big or anything...
