From 6b223c9548d48675596eb0e9d1cc8a8e01435dfc Mon Sep 17 00:00:00 2001 From: Pawel Wieczorek Date: Sun, 26 May 2019 15:35:02 +0200 Subject: k8s: Obtain relevant information from Rancher This patch introduces Rancher queries using its CLI client. It depends on having utility binary located in PATH and providing configuration file prior first use. Issue-ID: SECCOM-235 Change-Id: Idb011e27b4801c5700b4482656463849736298da Signed-off-by: Pawel Wieczorek --- test/security/k8s/src/check/rancher/rancher.go | 87 ++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 test/security/k8s/src/check/rancher/rancher.go (limited to 'test/security/k8s/src/check/rancher') diff --git a/test/security/k8s/src/check/rancher/rancher.go b/test/security/k8s/src/check/rancher/rancher.go new file mode 100644 index 000000000..d60b73b65 --- /dev/null +++ b/test/security/k8s/src/check/rancher/rancher.go @@ -0,0 +1,87 @@ +// Package rancher wraps Rancher commands necessary for K8s inspection. +package rancher + +import ( + "bytes" + "errors" + "os/exec" +) + +const ( + bin = "rancher" + paramHost = "--host" + cmdHosts = "hosts" + cmdHostsParams = "--quiet" + cmdDocker = "docker" + cmdDockerCmdPs = "ps" + cmdDockerCmdPsParams = "--no-trunc" + cmdDockerCmdPsFilter = "--filter" + cmdDockerCmdPsFilterArgs = "label=io.rancher.stack_service.name=kubernetes/kubernetes" + cmdDockerCmdPsFormat = "--format" + cmdDockerCmdPsFormatArgs = "{{.Command}}" + k8sProcess = "kube-apiserver" +) + +// GetK8sParams returns parameters of running Kubernetes API server. +// It queries default environment set in configuration file. +func GetK8sParams() ([]string, error) { + hosts, err := listHosts() + if err != nil { + return []string{}, err + } + + for _, host := range hosts { + cmd, err := getK8sCmd(host) + if err != nil { + return []string{}, err + } + + if len(cmd) > 0 { + i := bytes.Index(cmd, []byte(k8sProcess)) + if i == -1 { + return []string{}, errors.New("missing " + k8sProcess + " command") + } + return btos(cmd[i+len(k8sProcess):]), nil + } + } + return []string{}, nil +} + +// listHosts lists IDs of active hosts. +// It queries default environment set in configuration file. +func listHosts() ([]string, error) { + cmd := exec.Command(bin, cmdHosts, cmdHostsParams) + out, err := cmd.Output() + if err != nil { + return nil, err + } + return btos(out), nil +} + +// getK8sCmd returns running Kubernetes API server command with its parameters. +// It queries default environment set in configuration file. +func getK8sCmd(host string) ([]byte, error) { + // Following is equivalent to: + // $ rancher --host $HOST \ + // docker ps --no-trunc \ + // --filter "label=io.rancher.stack_service.name=kubernetes/kubernetes" \ + // --format "{{.Command}}" + cmd := exec.Command(bin, paramHost, host, + cmdDocker, cmdDockerCmdPs, cmdDockerCmdPsParams, + cmdDockerCmdPsFilter, cmdDockerCmdPsFilterArgs, + cmdDockerCmdPsFormat, cmdDockerCmdPsFormatArgs) + out, err := cmd.Output() + if err != nil { + return nil, err + } + return out, nil +} + +// btos converts slice of bytes to slice of strings split by white space characters. +func btos(in []byte) []string { + var out []string + for _, b := range bytes.Fields(in) { + out = append(out, string(b)) + } + return out +} -- cgit 1.2.3-korg