Closed
Summary
I'm getting an error when running kubiscan with the --kube-config flag.
It seems that the issue is in the jwt_token.py functions, which (naturally) accept only JWT tokens.
I'm getting non-JWT tokens passed into

```python
def decode_jwt_token_data(jwt_token):
    splitted_string = jwt_token.split(".")
```
Details
After running

```
# kubiscan --kube-config "/root/.kube/config" -rp
```

I get the stack trace

```
Traceback (most recent call last):
  File "/KubiScan/KubiScan.py", line 675, in <module>
    main()
  File "/KubiScan/KubiScan.py", line 606, in main
    print_all_risky_containers(priority=args.priority, namespace=args.namespace, read_token_from_container=args.deep)
  File "/KubiScan/KubiScan.py", line 141, in print_all_risky_containers
    pods = engine.utils.get_risky_pods(namespace, read_token_from_container)
  File "/KubiScan/engine/utils.py", line 435, in get_risky_pods
    risky_containers = get_risky_containers(pod, risky_users, deep_analysis)
  File "/KubiScan/engine/utils.py", line 348, in get_risky_containers
    risky_users_set = get_risky_users_from_container(container, risky_users, pod, volumes_dict)
  File "/KubiScan/engine/utils.py", line 380, in get_risky_users_from_container
    risky_user = get_jwt_and_decode(pod, risky_users, volumes_dict[volume_mount.name])
  File "/KubiScan/engine/utils.py", line 421, in get_jwt_and_decode
    decoded_data = decode_base64_jwt_token(secret.data['token'])
  File "/KubiScan/engine/jwt_token.py", line 7, in decode_base64_jwt_token
    return decode_jwt_token_data(decode_base64_bytes_to_string(decode_base64(base64_token)))
  File "/KubiScan/engine/jwt_token.py", line 13, in decode_jwt_token_data
    decoded_data_base64 = decode_base64(splitted_string[1])
IndexError: list index out of range
```
I echoed some values for debug purposes

```
[DEBUG] File /KubiScan/engine/utils.py, line 418, in get_jwt_and_decode
[DEBUG] secret: {'api_version': 'v1',
 'data': {'namespace': 'Yy1tLWR4YzI5N2s1',
          'token': '<base64-token>',
          'url': '<corp-url>'},
 'immutable': None,
 'kind': 'Secret',
 'metadata': {'annotations': {'kubectl.kubernetes.io/last-applied-configuration': '{"apiVersion":"v1","data":{"namespace":"Yy1tLWR4YzI5N2s1","token":"<base64-token>","url":"<corp-url>"},"kind":"Secret","metadata":{"annotations":{},"name":"cattle-credentials-384a8b6","namespace":"cattle-system"},"type":"Opaque"}\n'},
              'creation_timestamp': datetime.datetime(2022, 11, 18, 8, 36, 9, tzinfo=tzlocal()),
...
...
...
```
The problem is that the base64-decoded token in

```
'token': '<base64-token>',
```

doesn't contain a dot; it doesn't seem to be a valid JWT token. It looks something like

```
msdtd24l2hg5vrzr8w9dnl897nkbfrbxd5sbljxg9hhbbwwkqr2cx2
```

When this data is passed to

```python
splitted_string = jwt_token.split(".")
```

then `splitted_string[1]` is empty and kubiscan throws an error.

Additionally, the same .kubeconfig file works perfectly with the kubectl CLI.
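A defensive version of the two functions named in the traceback, as an added example that is not KubiScan's own code: a `Secret.data` value that is not a three-segment JWT (such as the opaque Rancher `cattle-credentials` token above) is reported as "not a JWT" by returning `None` rather than raising `IndexError`, so the scan can skip it and continue. The function names mirror the traceback; the sample tokens are constructed, not real credentials.

```python
import base64
import json

# Constructed sample inputs (not real credentials): a JWT-shaped service-account
# token and an opaque token like the one quoted in the report.
_HEADER = base64.urlsafe_b64encode(b'{"alg":"RS256","kid":"abc"}').rstrip(b"=").decode()
_PAYLOAD = base64.urlsafe_b64encode(
    b'{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:kube-system:default"}'
).rstrip(b"=").decode()
SAMPLE_JWT = f"{_HEADER}.{_PAYLOAD}.signature-bytes-go-here"
SAMPLE_OPAQUE = "msdtd24l2hg5vrzr8w9dnl897nkbfrbxd5sbljxg9hhbbwwkqr2cx2"
# The same two values as they appear in Secret.data (base64 of the raw token).
SAMPLE_JWT_SECRET = base64.b64encode(SAMPLE_JWT.encode()).decode()
SAMPLE_OPAQUE_SECRET = base64.b64encode(SAMPLE_OPAQUE.encode()).decode()


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip off."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_token_data(jwt_token: str):
    """Return the JWT payload as a dict, or None when the value is not a JWT.

    A JWT is exactly three non-empty base64url segments separated by dots.
    Anything else (opaque secrets, random API tokens) is skipped instead of
    blowing up on split(".")[1] the way the traceback shows.
    """
    parts = jwt_token.split(".")
    if len(parts) != 3 or not all(parts):
        return None
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return None
    return payload if isinstance(payload, dict) else None


def decode_base64_jwt_token(base64_token: str):
    """Mirror the call chain in the traceback: Secret.data values are base64,
    so strip that layer first, then attempt the JWT parse."""
    try:
        raw = base64.b64decode(base64_token, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decode_jwt_token_data(raw)
```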