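def dump_containers_tokens_by_pod(pod_name, namespace, read_token_from_container=False):
    """Collect the service-account JWTs associated with the containers of one pod.

    The pod ``pod_name``/``namespace`` is fetched through
    ``api_client.CoreV1Api.read_namespaced_pod`` and one ``Container`` entry is
    produced per container for which a decoded token body was obtained.

    Args:
        pod_name: Name of the pod to inspect.
        namespace: Namespace the pod lives in.
        read_token_from_container: When True the token is obtained per *ready*
            container via ``get_jwt_token_from_container`` and the raw JWT is
            kept next to its decoded body. When False the token is resolved
            from the secrets the pod mounts via
            ``get_jwt_token_from_container_by_etcd`` and ``raw_jwt_token`` is
            ``None``.

    Returns:
        list[Container]: containers with a decoded token; empty when the pod
        reports no container statuses (read-from-container mode) or no token
        could be resolved. The entries carry credential material, so callers
        are responsible for handling and storing them accordingly.
    """
    containers_with_tokens = []
    pod = api_client.CoreV1Api.read_namespaced_pod(name=pod_name, namespace=namespace)

    if read_token_from_container:
        # A pod with no container statuses (e.g. terminated/evicted) yields
        # nothing; only containers reporting "ready" are queried.
        if pod.status.container_statuses:
            for container in pod.status.container_statuses:
                if not container.ready:
                    continue
                jwt_body, raw_jwt_token = get_jwt_token_from_container(pod, container.name)
                if jwt_body:
                    containers_with_tokens.append(
                        Container(container.name, token=jwt_body, raw_jwt_token=raw_jwt_token))
        return containers_with_tokens

    # The mounted-secret map depends only on the pod, not on the container, so
    # build it once instead of once per container. ``pod.spec.volumes`` can be
    # None for a pod that mounts nothing; iterating it directly raised
    # TypeError, so an absent list is treated as empty.
    pod_mounted_secrets = {}
    for volume in pod.spec.volumes or []:
        if volume.secret:
            pod_mounted_secrets[volume.secret.secret_name] = True

    for container in pod.spec.containers:
        jwt_body = get_jwt_token_from_container_by_etcd(pod, container, pod_mounted_secrets)
        if jwt_body:
            containers_with_tokens.append(
                Container(container.name, token=jwt_body, raw_jwt_token=None))
    return containers_with_tokens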
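def get_risky_containers(pod, risky_users, read_token_from_container=False):
    """Return the containers of ``pod`` whose service-account token maps to a risky user.

    Each container's decoded token body is passed to
    ``get_risky_user_from_container`` together with ``risky_users``; a match
    becomes a ``Container`` entry carrying the risky user's name, namespace
    and priority.

    Args:
        pod: Pod object exposing ``status.container_statuses``,
            ``spec.containers`` and ``spec.volumes``.
        risky_users: Collection of risky-user records with ``user_info.name``,
            ``user_info.namespace`` and ``priority``.
        read_token_from_container: When True the token is read per *ready*
            container via ``get_jwt_token_from_container``; when False it is
            resolved from the pod's mounted secrets via
            ``get_jwt_token_from_container_by_etcd``.

    Returns:
        list[Container]: one entry per container that resolved to a risky
        user; empty when nothing matched or (read-from-container mode) the pod
        reports no container statuses.
    """
    risky_containers = []

    def to_entry(container_name, jwt_body):
        # Shared tail of both branches: resolve the token to a risky user and
        # wrap it; None when the token does not belong to a risky user.
        risky_user = get_risky_user_from_container(jwt_body, risky_users)
        if not risky_user:
            return None
        return Container(container_name, risky_user.user_info.name,
                         risky_user.user_info.namespace, risky_user.priority)

    if read_token_from_container:
        # Skipping terminated and evicted pods: they report no container
        # statuses. This will run only on the containers with the "ready" status.
        for container in pod.status.container_statuses or []:
            if not container.ready:
                continue
            jwt_body, _ = get_jwt_token_from_container(pod, container.name)
            if jwt_body:
                entry = to_entry(container.name, jwt_body)
                if entry is not None:
                    risky_containers.append(entry)
        return risky_containers

    # Loop-invariant: the set of mounted secrets belongs to the pod, not to a
    # container, so it is built once rather than once per container.
    # ``pod.spec.volumes`` may be None, hence the ``or []``.
    # TODO: Use VolumeMount from the container for more reliable results
    pod_mounted_secrets = {}
    for volume in pod.spec.volumes or []:
        if volume.secret:
            pod_mounted_secrets[volume.secret.secret_name] = True

    for container in pod.spec.containers:
        jwt_body = get_jwt_token_from_container_by_etcd(pod, container, pod_mounted_secrets)
        if jwt_body:
            entry = to_entry(container.name, jwt_body)
            if entry is not None:
                risky_containers.append(entry)
    return risky_containers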
def dump_containers_tokens_by_pod(pod_name, namespace):
    """Return ``Container`` entries holding the JWT of every ready container in a pod.

    The pod is fetched via ``api_client.CoreV1Api.read_namespaced_pod``. For each
    container whose status reports ``ready`` the token is obtained through
    ``get_jwt_token_from_container`` and kept (decoded body plus raw JWT) when a
    body was returned. A pod without container statuses yields an empty list.
    The returned entries carry credential material; callers handle it accordingly.
    """
    pod = api_client.CoreV1Api.read_namespaced_pod(name=pod_name, namespace=namespace)
    statuses = pod.status.container_statuses
    if not statuses:
        return []

    found = []
    for status in statuses:
        if not status.ready:
            continue
        body, raw = get_jwt_token_from_container(pod, status.name)
        if body:
            found.append(Container(status.name, token=body, raw_jwt_token=raw))
    return found
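def get_risky_containers(pod, risky_users):
    """Return the containers of ``pod`` whose service-account token belongs to a risky user.

    Only containers whose status reports ``ready`` are queried (terminated and
    evicted pods report no statuses and are skipped). The token body's
    ``kubernetes.io/serviceaccount/service-account.name`` and
    ``kubernetes.io/serviceaccount/namespace`` claims are compared, via
    ``is_same_user``, against every entry of ``risky_users`` whose
    ``user_info.kind`` is ``'ServiceAccount'``.

    Args:
        pod: Pod object exposing ``status.container_statuses``.
        risky_users: Iterable of risky-user records with ``user_info.kind``,
            ``user_info.name``, ``user_info.namespace`` and ``priority``.

    Returns:
        list[Container]: one entry per (container, matching risky user) pair,
        empty when nothing matches. A token body lacking either of the two
        claims above is skipped instead of raising ``KeyError``.
    """
    risky_containers = []
    # Skipping terminated and evicted pods: they carry no container statuses.
    statuses = pod.status.container_statuses or []
    # Only ServiceAccount entries can match a token; filter once rather than
    # re-checking the kind for every container (also makes a one-shot
    # iterable safe to reuse across containers).
    service_accounts = [u for u in risky_users if u.user_info.kind == 'ServiceAccount']

    for container in statuses:
        if not container.ready:
            continue
        jwt_body, _ = get_jwt_token_from_container(pod, container.name)
        if not jwt_body:
            continue
        # The body is treated as a mapping keyed by claim name (the original
        # subscripted it). A body without these flat claims cannot be matched
        # here, so it is skipped rather than aborting the whole scan.
        sa_name = jwt_body.get('kubernetes.io/serviceaccount/service-account.name')
        sa_namespace = jwt_body.get('kubernetes.io/serviceaccount/namespace')
        if sa_name is None or sa_namespace is None:
            continue
        for risky_user in service_accounts:
            if is_same_user(sa_name, sa_namespace,
                            risky_user.user_info.name, risky_user.user_info.namespace):
                risky_containers.append(
                    Container(container.name, risky_user.user_info.name,
                              risky_user.user_info.namespace, risky_user.priority))
    # TODO: list all the not ready containers ??
    return risky_containers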