GHSA-7m72-mh5r-6j3r

#!/bin/bash help=" Usage: bash find_promoted_resource.sh \n \n Requires: \n - jq installed and on path \n - A kubeconfig pointing at rancher's local cluster (can also run from rancher's kubectl shell) \n \n Outputs a list of roletemplates and roletemplate bindings which give write access to promoted resources. " if [[ $1 == "-h" || $1 == "--help" ]] then echo -e $help exit 0 fi # first, get the current roletemplates so that we only issue a get once kubectl get roletemplates.management.cattle.io -o json >> script_templates.json # find roles which have write access to a promoted resource. Filter on roleTemplates which fulfill all requirements: # Have a project context # Have some rules # Have one/more of the target api groups, or a * in the api groups # Have one/more of the target resources, or a * in the resources # Have a verb that is not read access (i.e. a verb that is not get/list/watch) roles=$(jq --argjson apiGroups '["", "ui.cattle.io", "core", "storage.k8s.io", "apiregistration.k8s.io", "catalog.cattle.io", "management.cattle.io"]' --argjson resources '["navlinks", "persistentvolumes", "nodes", "storageclasses", "apiservices", "clusterrepos", "clusters"]' --argjson verbs '["get", "list", "watch"]' '.items[] | select(.context=="project" and (.rules | length >= 1)) | select( .rules[] | select( (($apiGroups - .apiGroups | length < 7) or (.apiGroups | index("*"))) and (($resources - .resources | length < 7) or (.resources | index("*"))) and (.verbs - $verbs | length > 0)) | length >= 1 ) | .metadata.name' script_templates.json | jq -s ) # log promoted roles which give direct write access so they can be easily fixed echo "The following role templates give direct write access to a promoted resource:" echo $roles echo -e "" # find any roles which inherit first-level roles. Mostly a BFS which radiates outward from the known bad roles old_roles="[]" new_roles="$roles" old_length=$(echo $old_roles | jq 'length') new_length=$(echo $new_roles | jq 'length') # if our last loop found nothing new, it's safe to stop while [[ $old_length != $new_length ]]; do # set old values to what we currently know about old_roles=$new_roles old_length=$new_length # update new values with anything that inherits a "bad" role we know about new_roles=$(jq --argjson roles "$old_roles" --argjson roleLen "$old_length" '.items[] | .metadata.name as $NAME | select (( $roles | index($NAME)) or ((.roleTemplateNames | length > 0 ) and ($roles - .roleTemplateNames | length < $roleLen))) | .metadata.name ' script_templates.json | jq -s) new_length=$(echo $new_roles | jq 'length') done roles=$new_roles # log all roles which can give write access, even if it's not first level echo -e "The following role templates give write access to a promoted resource directly or through inheritance:" echo $roles echo -e "" kubectl get projectroletemplatebindings.management.cattle.io -A -o json >> script_bindings.json role_template_bindings=$(jq --argjson roleTemplates "$roles" '.items[] | .roleTemplateName as $TemplateName | select($roleTemplates | index($TemplateName)) | .metadata.name' script_bindings.json | jq -s) # since these bindings could be for users or groups, we need to include all fields which could help identify the subject. But they won't all be present, which makes the list look less pretty echo -e "The following is a list of bindings which give access to promoted resource, with the format of: bindingName, projectName, userName, userPrincipalName, groupName, groupPrincipalName: " echo $(jq --argjson bindings "$role_template_bindings" '.items[] | .metadata.name as $BindingName | select ( $bindings | index($BindingName)) | .metadata.name, .projectName, .userName?, .userPrincipalName?, .groupName?, .groupPrincipalName?' script_bindings.json | jq -s) unset old_roles unset new_roles unset roles unset role_template_bindings rm script_templates.json rm script_bindings.json