dvaz: script to check whether k8s `mutating/validating` webhooks have their certificate SAN configured or not
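#!/usr/bin/env bash
# Checks whether the serving certificates behind Kubernetes admission webhooks
# (mutating and validating) carry a Subject Alternative Name (SAN) section.
#
# For every webhook configuration, each service-backed webhook entry is
# port-forwarded through one pod selected by that service, and the presented
# certificate is inspected with openssl. Webhooks with a URL backend are only
# listed, since there is nothing in-cluster to forward to.
#
# Why SAN matters: modern TLS clients (including the API server on newer Go
# versions) no longer accept a hostname given only in the certificate CN, so a
# webhook whose cert lacks a SAN is silently rejected by the API server.
#
# Requires: kubectl (with cluster access), nc, openssl.
# Env:      LOCAL_PORT - local port used for the port-forward (default 10250).
set -uo pipefail

readonly LOCAL_PORT="${LOCAL_PORT:-10250}"
# Upper bound on the wait for the port-forward to accept connections, in 0.1s
# ticks. Without a bound the original loop spun forever when the forward never
# came up (bad selector, pod not ready, port already in use).
readonly WAIT_TICKS=100

# PID of the currently running port-forward, if any.
PF_PID=""

#######################################
# Kill a port-forward that is still running when the script exits, so an
# aborted run does not leave a background kubectl behind.
# Globals:  PF_PID (read)
#######################################
cleanup() {
  if [[ -n "$PF_PID" ]]; then
    kill "$PF_PID" 2>/dev/null || true
  fi
}
trap cleanup EXIT

#######################################
# Print the SAN section of the certificate served by a pod behind a service.
# Globals:   LOCAL_PORT, WAIT_TICKS (read); PF_PID (written)
# Arguments: $1 - service name, $2 - service namespace
# Outputs:   service details and the SAN lines to stdout; problems to stderr
# Returns:   0 on success, 1 if no pod was found or the port-forward never
#            came up
#######################################
check_service_cert() {
  local service=$1 namespace=$2
  local target_port selector pod_name ticks

  # The first service port is assumed to be the one the webhook talks to
  # (same assumption as before; webhook entries may name another port).
  target_port="$(kubectl get svc "$service" -n "$namespace" \
    -o jsonpath='{.spec.ports[0].targetPort}')" || return 1

  # SELECTOR column of 'kubectl get svc -o wide' (header row skipped); used to
  # locate a pod that backs the service.
  selector="$(kubectl get svc "$service" -n "$namespace" -o wide \
    | awk 'NR>1 {print $7}' | tail -n 1)"

  # port-forward takes exactly one pod; pick the first match.
  pod_name="$(kubectl get po -n "$namespace" -l "$selector" -o name | head -n 1)"
  if [[ -z "$pod_name" ]]; then
    printf 'No pod found for service %s/%s (selector: %s)\n' \
      "$namespace" "$service" "$selector" >&2
    return 1
  fi

  printf 'Service: %s\nNamespace: %s\nTarget Port: %s\nPod Name: %s\n' \
    "$service" "$namespace" "$target_port" "$pod_name"

  kubectl port-forward "$pod_name" -n "$namespace" \
    "${LOCAL_PORT}:${target_port}" >/dev/null 2>&1 &
  PF_PID=$!

  # Wait (bounded) for the local port to accept connections; give up early if
  # the port-forward process itself has already died.
  ticks=0
  while ! nc -vz localhost "$LOCAL_PORT" >/dev/null 2>&1; do
    if ! kill -0 "$PF_PID" 2>/dev/null || (( ticks >= WAIT_TICKS )); then
      printf 'port-forward to %s did not come up\n' "$pod_name" >&2
      kill "$PF_PID" 2>/dev/null || true
      PF_PID=""
      return 1
    fi
    sleep 0.1
    ticks=$((ticks + 1))
  done

  printf 'Certificate SAN Section:\n'
  # grep prints the SAN header plus the following line (the names); if the
  # section is absent, say so explicitly instead of printing nothing.
  openssl s_client -connect "localhost:${LOCAL_PORT}" </dev/null 2>/dev/null \
    | openssl x509 -noout -text \
    | grep -A1 'Subject Alternative Name' \
    || printf ' > no Subject Alternative Name section found\n'

  kill "$PF_PID" 2>/dev/null || true
  wait "$PF_PID" 2>/dev/null || true
  PF_PID=""
  printf '\n'
}

#######################################
# Check every webhook configuration of one kind.
# Arguments: $1 - "mutating" or "validating"
# Outputs:   a report per configuration to stdout
#######################################
check_webhooks() {
  local kind=$1
  local resource="${kind}webhookconfigurations"
  local label="${kind^}"
  local cfg pair svc ns
  local -a cfgs pairs

  printf ':: Checking %s WebHooks ::\n::____________________________::\n' "$label"

  mapfile -t cfgs < <(kubectl get "$resource" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}')
  (( ${#cfgs[@]} )) || return 0

  for cfg in "${cfgs[@]}"; do
    printf ':: Checking %s ::\n' "$cfg"

    # One "name namespace" pair per service-backed webhook entry, deduplicated
    # as a pair. Running uniq on names and namespaces separately (as before)
    # could mis-pair them when one configuration holds several entries.
    mapfile -t pairs < <(kubectl get "$resource" "$cfg" \
      -o jsonpath='{range .webhooks[*]}{.clientConfig.service.name}{" "}{.clientConfig.service.namespace}{"\n"}{end}' \
      | sed '/^ *$/d' | sort -u)

    if (( ${#pairs[@]} == 0 )); then
      printf 'This %s WebHook is using a URL as Backend:\n' "$label"
      kubectl get "$resource" "$cfg" \
        -o jsonpath='{range .webhooks[*]}{" > "}{.clientConfig.url}{"\n"}{end}'
      printf '\n'
      continue
    fi

    for pair in "${pairs[@]}"; do
      read -r svc ns <<<"$pair"
      # A failure for one service should not stop the rest of the report.
      check_service_cert "$svc" "$ns" || true
    done
  done
}

#######################################
# Entry point: verify the required tools exist, then check both webhook kinds.
#######################################
main() {
  local tool
  for tool in kubectl nc openssl; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      printf 'missing required tool: %s\n' "$tool" >&2
      exit 1
    fi
  done
  check_webhooks mutating
  check_webhooks validating
}

main "$@"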