Create kubeconfig detector #2894

Draft · wants to merge 1 commit into main from feat/detector/kubeconfig

Conversation

rgmz (Contributor) commented May 29, 2024

Description:

This creates a detector to match both JSON and YAML kubeconfig files [1][2].

While it works, it clashes against many of TruffleHog's current limitations.

  1. Using regular expressions to match/parse structured data
  2. It requires all the relevant data to be committed at once, otherwise it won't be detected (Multi-part secrets are not reliably detected #2267).
  3. It won't work on larger configs that get split by the chunker:

     ```go
     // ChunkSize is the maximum size of a chunk.
     ChunkSize = 10 * 1024
     ```

```text
✅ Found verified result 🐷🔑
Detector Type: KubeConfig
Decoder Type: PLAIN
Raw result: eyJhbGci...
User: system:serviceaccount:default:namespace/sa-name
Type: TokenAuth
Namespaces: default,kube1,kube2,kube3,kube4 (+ more)
Server: https://console.openshift.example.com:443
File: /home/user/.kube/config
Line: 59
```

TODO

  • Configure sending mutual TLS
  • Test mutual TLS auth
  • Add test cases for obvious non-matches
  • Add test case for this kubernetes/examples@50c2301#diff-2065905535ff4e50c6b7c67cada76e55e86c2f1c9378198c96de8647222288d2R200-R224 (user 'lithe-cocoa-92103_kubernetes@lithe-cocoa-92103_kubernetes' has no associated auth info)
  • Handle JSON payloads with null values https://github.com/microsoft/azure-pipelines-tasks/blob/c7a37a8550bfc27d8f2d3f5849091c8e0fa18c7f/common-npm-packages/utility-common-v2/kubectlutility.ts#L54
  • Handle clusters with name before server (https://github.com/SurbhiKharche/swe645-hw3/blob/af64bf1e6a96f4523cd68cc605a58381f25f54d6/kubeconfig#L23)
  • Add multi-part detector struct
  • Add test case for https://github.com/openshift/hypershift/blob/c83d8f2053ac3341fb6a043706e0d850aaa6bc23/hypershift-operator/controllers/nodepool/nodepool_controller_test.go#L2330
  • Add test cases for:

    ```text
    2024-12-07T15:39:05Z    error   trufflehog.kubeconfig   Failed to parse config  {"detector_worker_id": "KwrUc", "detector": {"type":"KubeConfig"}, "timeout": 60, "link": "https://github.com/openshift/assisted-service/blob/287b529b91a9fa7a2791084cc338891213273dcb/internal/host/test_regular_kubeconfig#L1", "error": "user 'admin@cluster' has no associated auth info"}
    2024-12-07T15:39:05Z    error   trufflehog.kubeconfig   Failed to parse config  {"detector_worker_id": "pF3gj", "detector": {"type":"KubeConfig"}, "timeout": 60, "link": "https://github.com/openshift/assisted-service/blob/287b529b91a9fa7a2791084cc338891213273dcb/internal/host/test_hypershift_kubeconfig#L1", "error": "user 'admin@cluster' has no associated auth info"}
    2024-12-07T15:39:05Z    error   trufflehog.kubeconfig   Failed to parse config  {"detector_worker_id": "QDjdU", "detector": {"type":"KubeConfig"}, "timeout": 60, "link": "https://github.com/openshift/assisted-service/blob/287b529b91a9fa7a2791084cc338891213273dcb/internal/host/test_hypershift_kubeconfig#L1", "error": "user 'admin@cluster' has no associated auth info"}
    2024-12-07T15:39:05Z    error   trufflehog.kubeconfig   Failed to parse config  {"detector_worker_id": "W0AIl", "detector": {"type":"KubeConfig"}, "timeout": 60, "link": "https://github.com/openshift/assisted-service/blob/287b529b91a9fa7a2791084cc338891213273dcb/internal/host/test_regular_kubeconfig#L1", "error": "user 'admin@cluster' has no associated auth info"}
    2024-12-07T15:53:15Z    error   trufflehog.kubeconfig   Failed to parse config  {"detector_worker_id": "BaZLK", "detector": {"type":"KubeConfig"}, "timeout": 60, "link": "https://github.com/openshift/addon-operator/blob/21897e3914c741ed4af580962ece5e7e415ae61f/must-gather.local.4557266359843115887/namespaces/openshift-kube-apiserver/core/configmaps.yaml#L670", "error": "user 'kube-apiserver-cert-syncer@loopback' has no associated auth info"}
    2024-12-07T15:53:15Z    error   trufflehog.kubeconfig   Failed to parse config  {"detector_worker_id": "YDOtE", "detector": {"type":"KubeConfig"}, "timeout": 60, "link": "https://github.com/openshift/addon-operator/blob/21897e3914c741ed4af580962ece5e7e415ae61f/must-gather.local.4557266359843115887/namespaces/openshift-kube-apiserver/core/configmaps.yaml#L670", "error": "user 'kube-apiserver-cert-syncer@loopback' has no associated auth info"}
    2024-12-07T15:53:15Z    error   trufflehog.kubeconfig   Failed to parse config  {"detector_worker_id": "KwrUc", "detector": {"type":"KubeConfig"}, "timeout": 60, "link": "https://github.com/openshift/addon-operator/blob/21897e3914c741ed4af580962ece5e7e415ae61f/must-gather.local.4557266359843115887/namespaces/openshift-kube-apiserver/core/configmaps.yaml#L670", "error": "user 'kube-apiserver-cert-syncer@loopback' has no associated auth info"}
    ```

Checklist:

  • Tests passing (`make test-community`)?
  • Lint passing (`make lint`, this requires golangci-lint)?

Footnotes

  1. https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/

  2. https://www.redhat.com/sysadmin/kubeconfig
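
As an added example (not the PR's code and not TruffleHog's detector), the following Go program parses a JSON kubeconfig structurally instead of with regular expressions, resolves each context to its server, user and credential kind, and treats a context whose user has no auth info as a skip rather than a parse failure. The type and function names, the placeholder server and the constructed `SampleConfig` are my own; YAML input and the chunking/multi-part limitations described above are out of scope.

```go
package main
import "encoding/json"
// entry is one kubeconfig list item; encoding/json ignores key case and field order.
type entry struct {
	Name                   string
	Cluster, User, Context map[string]any
}
type Finding struct{ Server, User, AuthType, Namespace string } // one resolved context
// str returns m[k] if it is a string; a JSON null or a missing key yields "".
func str(m map[string]any, k string) string { s, _ := m[k].(string); return s }
// AuthType names the credential kind carried by a "user" entry, or "" if it has none.
func AuthType(u map[string]any) string {
	if str(u, "token") != "" {
		return "TokenAuth"
	} else if str(u, "client-certificate-data") != "" && str(u, "client-key-data") != "" {
		return "ClientCertAuth"
	}
	return ""
}
// ExtractFindings resolves every context; a user with no auth material is skipped, not fatal.
func ExtractFindings(raw []byte) ([]Finding, error) {
	var cfg struct{ Clusters, Users, Contexts []entry }
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	servers, auth := map[string]string{}, map[string]string{}
	for _, c := range cfg.Clusters {
		servers[c.Name] = str(c.Cluster, "server")
	}
	for _, u := range cfg.Users {
		auth[u.Name] = AuthType(u.User)
	}
	var out []Finding
	for _, c := range cfg.Contexts {
		user := str(c.Context, "user")
		if t := auth[user]; t != "" { // unknown user or no credential: skip this context
			out = append(out, Finding{servers[str(c.Context, "cluster")], user, t, str(c.Context, "namespace")})
		}
	}
	return out, nil
}
// SampleConfig is constructed input: "name" after "server", a token user, a user whose
// cert fields are JSON null, and a context naming a user that does not exist.
const SampleConfig = `{"clusters":[{"cluster":{"server":"https://api.example.invalid:6443"},"name":"c"}],
 "users":[{"name":"bot","user":{"token":"CONSTRUCTED-TOKEN"}},
  {"name":"admin@c","user":{"client-certificate-data":null,"client-key-data":null}}],
 "contexts":[{"name":"bot@c","context":{"cluster":"c","user":"bot","namespace":"default"}},
  {"name":"admin@c","context":{"cluster":"c","user":"admin@c"}},{"name":"ghost@c","context":{"cluster":"c","user":"ghost"}}]}`
```

Only the `bot@c` context yields a finding; `admin@c` and `ghost@c` are dropped silently, which is the behaviour the "has no associated auth info" cases above call for.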

@rgmz force-pushed the feat/detector/kubeconfig branch 4 times, most recently from 024c706 to c87e45a (June 5, 2024 00:38)
@rgmz force-pushed the feat/detector/kubeconfig branch 3 times, most recently from 4701e16 to af6698e (June 21, 2024 02:56)
@rgmz force-pushed the feat/detector/kubeconfig branch 2 times, most recently from 1ea2766 to 6bf45f5 (July 1, 2024 18:39)
@rgmz force-pushed the feat/detector/kubeconfig branch 2 times, most recently from f91fc39 to ae3d976 (November 8, 2024 14:05)
@rgmz force-pushed the feat/detector/kubeconfig branch from ae3d976 to 10a6a8a (November 11, 2024 19:23)
@rgmz force-pushed the feat/detector/kubeconfig branch 7 times, most recently from 8c8b61b to eaf86c7 (November 27, 2024 00:33)
@rgmz force-pushed the feat/detector/kubeconfig branch from eaf86c7 to 5b664bf (December 2, 2024 14:09)
@rgmz force-pushed the feat/detector/kubeconfig branch from 5b664bf to 8952748 (December 15, 2024 15:30)
@rgmz force-pushed the feat/detector/kubeconfig branch from 8952748 to 9718394 (December 31, 2024 15:19)
@rgmz force-pushed the feat/detector/kubeconfig branch from 9718394 to ebf9aa9 (January 11, 2025 20:16)
@rgmz force-pushed the feat/detector/kubeconfig branch 2 times, most recently from aa62150 to c955270 (January 27, 2025 14:11)
@rgmz force-pushed the feat/detector/kubeconfig branch from c955270 to 17971fc (January 29, 2025 02:23)
@rgmz force-pushed the feat/detector/kubeconfig branch from 17971fc to d30d703 (February 2, 2025 17:32)