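# Inspect every cluster known to the active kubeconfig (KUBECONFIG may merge
# several files, each with its own contexts) before picking one:
kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'
# Name of the cluster to interact with, taken from the listing above.
# Overridable from the environment so the script need not be edited per lab;
# the default is unchanged.
export CLUSTER_NAME="${CLUSTER_NAME:-kubernetes}"
# Resolve the API server URL for that cluster. Fail early if the name is
# unknown, otherwise every later curl would run against an empty host.
APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
: "${APISERVER:?no cluster named '$CLUSTER_NAME' in the current kubeconfig}"
# Bearer token of the 'default' service account, read from its token Secret.
# NOTE(review): clusters from 1.24 on no longer auto-create that Secret, so
# this may come back empty there — confirm for the lab cluster, or mint a
# short-lived token with `kubectl create token default` instead.
TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}" | base64 --decode)
: "${TOKEN:?no token Secret for service account 'default' was found}"
# Grant the default service account read-only access to pods, services and
# nodes. ClusterRole is cluster-scoped, so it carries no metadata.namespace;
# the grant is cluster-wide, which is wider than most workloads need — scope
# it down (Role + RoleBinding) outside this lab.
kubectl apply -f - <<'EOF'
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods", "services", "nodes"]
  verbs: ["get", "watch", "list"]
EOF
# Bind the role to the service account. Declared with `apply` (not `create`)
# so re-running the script is idempotent instead of failing with AlreadyExists.
kubectl apply -f - <<'EOF'
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: service-reader-pod
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: service-reader
  apiGroup: rbac.authorization.k8s.io
EOF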
-----
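# Direct access to the K8s API server: the control path, no WAF in front.
# --insecure disables TLS verification and is only acceptable for a lab with a
# self-signed certificate; use --cacert <path-to-cluster-ca> otherwise. Note the
# bearer token sits in curl's argv and is visible to other local users via `ps`
# while the request runs (curl's `--header @file` avoids that).
curl "$APISERVER/api" --header "Authorization: Bearer $TOKEN" --insecure
# Same request through FortiWeb with OpenAPI protection: the path under test.
curl "https://192.168.100.40:6443/api" --header "Authorization: Bearer $TOKEN" --insecure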
-----
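# Pod listing in the default namespace, first directly (control), then via
# FortiWeb (under test). Both should return the same pod list if the WAF
# passes a well-formed request through. URLs are quoted so $APISERVER is never
# word-split or glob-expanded.
curl "$APISERVER/api/v1/namespaces/default/pods" --header "Authorization: Bearer $TOKEN" --insecure
curl "https://192.168.100.40:6443/api/v1/namespaces/default/pods" --header "Authorization: Bearer $TOKEN" --insecure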
-----
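# SQL injection test case for the WAF signature set. The direct request is the
# control; only the FortiWeb path is expected to reject the request, and the
# two responses should be compared rather than read in isolation.
curl "$APISERVER/api?param=SELECT * FROM external" --header "Authorization: Bearer $TOKEN" --insecure
curl "https://192.168.100.40:6443/api?param=SELECT * FROM external" --header "Authorization: Bearer $TOKEN" --insecure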
-----
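# Wrong-parameter test case: `limit` must be numeric. The API server itself
# should reject the value; the point of the test is whether the FortiWeb
# OpenAPI schema check rejects it before the request is forwarded. The URL is
# quoted so the `?` is not treated as a glob character.
curl "$APISERVER/api/v1/namespaces/default/pods?limit=de" --header "Authorization: Bearer $TOKEN" --insecure
curl "https://192.168.100.40:6443/api/v1/namespaces/default/pods?limit=de" --header "Authorization: Bearer $TOKEN" --insecure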