vchinnipilli / kubestriker

A Blazing fast Security Auditing tool for Kubernetes
https://github.com/vchinnipilli/kubestriker
Apache License 2.0

authenticated scan fails - invalid token #17

Closed strus38 closed 3 years ago

strus38 commented 3 years ago

Hi, not sure what's wrong here. I created a serviceaccount ro:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: serviceaccountro

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: serviceaccountro
rules:
  - apiGroups: [""]
    resources:
      - configmaps
      - secrets
      - nodes
      - pods
      - services
      - resourcequotas
      - replicationcontrollers
      - limitranges
      - persistentvolumeclaims
      - persistentvolumes
      - namespaces
      - endpoints
    verbs: ["list", "watch"]
  - apiGroups: ["extensions"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - ingresses
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources:
      - daemonsets
      - deployments
      - replicasets
      - statefulsets
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - jobs
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - certificatesigningrequests
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling.k8s.io"]
    resources:
      - verticalpodautoscalers
    verbs: ["list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: serviceaccountro
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: serviceaccountro
subjects:
- kind: ServiceAccount
  name: serviceaccountro
  namespace: default

Not sure if the token has to be encrypted or not ... but I tried both, without success:

Provide token :
 -----------------------------------------------
< Could not autheticate with the provided token >
 -----------------------------------------------
          \  ^__^
           \ (oo)\________
             (__)\        )\/\
                  ||----W |
                  ||     ||

Any tips for a self-hosted K8S cluster? Thanks
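As an added example (not code from this issue or from kubestriker), the following Python check covers the two questions the thread turns on: a value copied from the service account's token Secret is base64-encoded rather than encrypted, so it must be decoded once before it is a usable bearer token, and a token pasted with stray whitespace or belonging to a different service account will not authenticate. The sample JWT, its claims and its signature segment are constructed for the example; the claim names follow the service-account token layout, and `default`/`serviceaccountro` match the manifest above.

```python
import base64
import json
import re

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample: a JWT shaped like a service-account token for the
# binding subject above. The signature segment is a dummy, not a real one.
SAMPLE_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "serviceaccountro",
    "sub": "system:serviceaccount:default:serviceaccountro",
}
SAMPLE_JWT = ".".join([
    _b64url(b'{"alg":"RS256","kid":"constructed"}'),
    _b64url(json.dumps(SAMPLE_CLAIMS, separators=(",", ":")).encode()),
    _b64url(b"constructed-signature"),
])
# What a token Secret shows under data.token: one base64 layer, not encryption.
SAMPLE_SECRET_DATA_TOKEN = base64.b64encode(SAMPLE_JWT.encode()).decode()

def decode_secret_token(secret_data_token: str) -> str:
    """Strip the Secret's base64 layer; the result is the bearer token to paste."""
    return base64.b64decode(secret_data_token).decode().strip()

def token_claims(token: str) -> dict:
    """Read the JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(token: str, namespace: str, sa_name: str) -> list:
    """Return the problems found; an empty list means the token looks right for the SA."""
    problems = []
    if token != token.strip() or re.search(r"\s", token.strip()):
        problems.append("token contains whitespace or line breaks (likely a paste error)")
    compact = re.sub(r"\s+", "", token)
    if compact.count(".") != 2:  # not a JWT; maybe still base64 from the Secret?
        try:
            inner = base64.b64decode(compact, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            inner = ""
        hint = ("still base64-encoded as in the Secret; decode it first"
                if inner.count(".") == 2 else "not a JWT (expected 3 dot-separated segments)")
        return problems + [hint]
    try:
        claims = token_claims(compact)
    except ValueError as exc:
        return problems + [f"JWT payload is not decodable: {exc}"]
    expected = f"system:serviceaccount:{namespace}:{sa_name}"
    if claims.get("sub") != expected:
        problems.append(f"token subject is {claims.get('sub')!r}, expected {expected!r}")
    return problems
```

On a live cluster, `kubectl auth can-i --list --as=system:serviceaccount:default:serviceaccountro` confirms from the API server's side what the bound ClusterRole actually grants, independently of how the token was pasted.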

vasantchinnipilli commented 3 years ago

Hi @strus38 ,

Thank you for raising this issue. I will check this from my end and get back to you at the earliest.

Regards, Vasant

vasantchinnipilli commented 3 years ago

Hi @strus38,

I just replicated this issue from my end and it worked without any issues.

There is a possibility that your token is not pasted appropriately on the console and that's why your token is not being authenticated.

Please try the kubestriker container by referring to the "How to spin up kubestriker container" section, and it should work without any hassles.

Please let me know if you face any further issues.

Regards, Vasant

vasantchinnipilli commented 3 years ago

Hi @strus38 ,

Hope the tool is working as expected. Please create another issue if you face any other problems.

Regards, Vasant