Skip to content

Resolve errors encountered running kubiscan in openshift and from a container image #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 21, 2021
Merged

Resolve errors encountered running kubiscan in openshift and from a container image #23

merged 2 commits into from
Mar 21, 2021

Conversation

gparvin
Copy link
Contributor

@gparvin gparvin commented Feb 4, 2021

What does this PR do?

  • _What's changed? Why were these changes made? This resolves exceptions that happen when running kubiscan on an OpenShift cluster.
  • _How should the reviewer approach this PR, especially if manual tests are required? I'd like to run the test automation but I don't see instructions. I've manually tested many commands and this PR contains the fixes I needed to get it to work. I'm not clear on how my changes to the api client may limit other test scenarios. I can try testing against other k8s cluster types if necessary.
  • _Are there relevant screenshots you can add to the PR description? See info below for some errors I was encountering.

Stack trace for exception running on OpenShift:

Traceback (most recent call last):
  File "./KubiScan/KubiScan.py", line 635, in <module>
    main()
  File "./KubiScan/KubiScan.py", line 554, in main
    print_risky_roles(show_rules=args.rules, days=args.less_than, priority=args.priority)
  File "./KubiScan/KubiScan.py", line 52, in print_risky_roles
    risky_roles = engine.utils.get_risky_roles()
  File "/Users/gparvin/ACM/src/secure-engineering-automation/assessment/2.2sprint5/KubiScan/engine/utils.py", line 140, in get_risky_roles
    return get_risky_role_by_kind('Role')
  File "/Users/gparvin/ACM/src/secure-engineering-automation/assessment/2.2sprint5/KubiScan/engine/utils.py", line 126, in get_risky_role_by_kind
    risky_roles = find_risky_roles(all_roles.items, kind)
  File "/Users/gparvin/ACM/src/secure-engineering-automation/assessment/2.2sprint5/KubiScan/engine/utils.py", line 105, in find_risky_roles
    is_risky, priority = is_risky_role(role)
  File "/Users/gparvin/ACM/src/secure-engineering-automation/assessment/2.2sprint5/KubiScan/engine/utils.py", line 94, in is_risky_role
    if are_rules_contain_other_rules(role.metadata.name, role.rules, risky_role.rules):
  File "/Users/gparvin/ACM/src/secure-engineering-automation/assessment/2.2sprint5/KubiScan/engine/utils.py", line 81, in are_rules_contain_other_rules
    for source_rule in source_rules:
TypeError: 'NoneType' object is not iterable

Stack trace from running in a container:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 170, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/connection.py", line 96, in create_connection
    raise err
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/connection.py", line 86, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 706, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 394, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 234, in request
    super(HTTPConnection, self).request(method, url, body=body, headers=headers)
  File "/usr/lib64/python3.6/http/client.py", line 1254, in request
# BUILD
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1300, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1249, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 974, in send
    self.connect()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 200, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 182, in _new_conn
    self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f6058bfb7b8>: Failed to establish a new connection: [Errno 111] Connection refused

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/KubiScan/KubiScan.py", line 635, in <module>
    main()
  File "/KubiScan/KubiScan.py", line 556, in main
    print_risky_clusterroles(show_rules=args.rules, days=args.less_than, priority=args.priority)
  File "/KubiScan/KubiScan.py", line 60, in print_risky_clusterroles
    risky_clusterroles = engine.utils.get_risky_clusterroles()
  File "/KubiScan/engine/utils.py", line 144, in get_risky_clusterroles
    return get_risky_role_by_kind('ClusterRole')
  File "/KubiScan/engine/utils.py", line 124, in get_risky_role_by_kind
    all_roles = get_roles_by_kind(kind)
  File "/KubiScan/engine/utils.py", line 118, in get_roles_by_kind
    all_roles = api_client.api_temp.list_cluster_role()
  File "/KubiScan/api/api_client_temp.py", line 667, in list_cluster_role
    _request_timeout=None)
  File "/KubiScan/api/api_client_temp.py", line 155, in __call_api
    _request_timeout=_request_timeout)
  File "/KubiScan/api/api_client_temp.py", line 344, in request
    headers=headers)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 243, in GET
    query_params=query_params)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 216, in request
    headers=headers)
  File "/usr/local/lib/python3.6/site-packages/urllib3/request.py", line 75, in request
    method, url, fields=fields, headers=headers, **urlopen_kw
  File "/usr/local/lib/python3.6/site-packages/urllib3/request.py", line 96, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "/usr/local/lib/python3.6/site-packages/urllib3/poolmanager.py", line 375, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 796, in urlopen
    **response_kw
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 796, in urlopen
    **response_kw
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 796, in urlopen
    **response_kw
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 756, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/retry.py", line 573, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='localhost', port=80): Max retries exceeded with url: /apis/rbac.authorization.k8s.io/v1/clusterroles (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f6058bfb7b8>: Failed to establish a new connection: [Errno 111] Connection refused',))

What ticket does this PR close?

I did not open a ticket.

Checklists

Change log

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, or
  • This PR does not require updating any documentation

@k-popov k-popov mentioned this pull request Feb 25, 2021
Merged
6 tasks
@g3rzi g3rzi merged commit c596031 into cyberark:master Mar 21, 2021
@g3rzi
Copy link
Collaborator

g3rzi commented Mar 21, 2021

Thanks for your contribution!
I appreciate it! :)
Regarding the 'NoneType' issue, I think I will also add @k-popov solution because it allows checking the rules before the iterations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gparvin @g3rzi