@mohclips
Created February 28, 2022 23:26
test a container's JWT (service-account) token for capabilities
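#!/bin/bash
# Probe which API resources a container's service-account token may list, by
# calling the API server directly with that token. Rough, but useful for
# confirming a workload's SA is not over-privileged. Run it inside the pod.
#
# Fixes relative to the quick-and-dirty version:
#   - verifies the API server against the mounted CA instead of --insecure
#   - keeps the bearer token out of argv (curl reads the header from a 0600 file)
#   - decodes the JWT payload as base64url (padding re-added), so it no longer
#     silently fails on most tokens
#   - uses the HTTP status rather than grepping the body for 403
#   - writes responses to a private mktemp directory, not predictable /tmp names
#   - "$N" (unset) -> "$NS" in the progress line
# Note: kubectl auth can-i --list (SelfSubjectRulesReview) answers the same
# question more directly when kubectl is available in the container.
set -euo pipefail

readonly SA_DIR="/var/run/secrets/kubernetes.io/serviceaccount"
readonly TOKEN="${SA_DIR}/token"
readonly NS_FILE="${SA_DIR}/namespace"
# CA as mounted at container level; ${SA_DIR}/ca.crt is tried as a fallback.
readonly CA="/run/secrets/kubernetes.io/serviceaccount/ca.crt"

# Resources to probe. The original list had "ingests", which is not a
# Kubernetes resource; "ingresses" is presumably what was meant.
RESOURCES=(logs nodes pods deployments replicasets services ingresses secrets
  configmaps roles rolebindings clusterroles clusterrolebindings)

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# Decode a base64url string (a JWT segment: '-_' alphabet, no padding).
# Arguments: $1 - base64url text
# Outputs:   decoded bytes on stdout
# Returns:   base64's exit status
#######################################
b64url_decode() {
  local s=${1//-/+}
  s=${s//_//}
  # JWT strips the '=' padding; base64 -d rejects unpadded input.
  while (( ${#s} % 4 )); do s+='='; done
  printf '%s' "$s" | base64 -d
}

#######################################
# Map a resource name to the API path to GET for it. Resources that are not
# core/v1 or not namespaced get their real path, so a 404 is not mistaken for
# a permission result. Unknown names fall back to the core namespaced path.
# Arguments: $1 - namespace, $2 - resource name
# Outputs:   URL path (no scheme/host) on stdout
#######################################
api_path() {
  local ns=$1 res=$2
  case "$res" in
    nodes) printf '/api/v1/nodes' ;;
    clusterroles|clusterrolebindings)
      printf '/apis/rbac.authorization.k8s.io/v1/%s' "$res" ;;
    roles|rolebindings)
      printf '/apis/rbac.authorization.k8s.io/v1/namespaces/%s/%s' "$ns" "$res" ;;
    deployments|replicasets)
      printf '/apis/apps/v1/namespaces/%s/%s' "$ns" "$res" ;;
    ingresses)
      printf '/apis/networking.k8s.io/v1/namespaces/%s/%s' "$ns" "$res" ;;
    *) printf '/api/v1/namespaces/%s/%s' "$ns" "$res" ;;
  esac
}

main() {
  [[ -r "$TOKEN" ]] || die "no token at $TOKEN"

  local ca=$CA
  [[ -r "$ca" ]] || ca="${SA_DIR}/ca.crt"
  [[ -r "$ca" ]] || die "no readable CA bundle at $CA or $ca"

  # Display SA token details (payload = second dot-separated segment).
  local payload jwt
  IFS=. read -r _ payload _ < "$TOKEN" || true
  jwt=$(b64url_decode "$payload") || die "cannot decode token payload"
  printf '%s\n' "$jwt" | sed -e 's/,/,\n/g'
  echo

  # API server URL: first https audience, e.g.
  #   {"aud":["https://kubernetes.default.svc.cluster.local"],"exp":...
  # Falls back to the in-cluster service env vars when the aud is absent.
  local api re='"aud":\["(https://[^"]+)"'
  if [[ $jwt =~ $re ]]; then
    api=${BASH_REMATCH[1]}
  elif [[ -n ${KUBERNETES_SERVICE_HOST:-} ]]; then
    api="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT:-443}"
  else
    die "cannot determine API server URL from token audience"
  fi
  echo "API: $api"

  local ns
  ns=$(<"$NS_FILE")
  echo "Namespace: $ns"

  # Bearer token goes to curl via a private file, never via argv (visible in ps).
  local hdr outdir
  hdr=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$hdr"' EXIT
  printf 'Authorization: Bearer %s\n' "$(<"$TOKEN")" > "$hdr"
  outdir=$(mktemp -d) || die "mktemp -d failed"

  local res out code
  for res in "${RESOURCES[@]}"; do
    out="${outdir}/api_${res}.log"
    echo "------------------------------------------------"
    echo "TEST get on $res with ns: $ns"
    # -w prints only the status; the body goes to $out.
    if ! code=$(curl -sS --cacert "$ca" -H "@$hdr" -o "$out" \
        -w '%{http_code}' -- "${api}$(api_path "$ns" "$res")/"); then
      printf 'curl failed for %s\n' "$res" >&2
      rm -f -- "$out"
      continue
    fi
    case "$code" in
      403)
        echo 403
        rm -f -- "$out"
        ;;
      200)
        cat -- "$out"
        ;;
      *)
        # e.g. 401 (bad token) or 404 (no such path); body kept for inspection.
        echo "HTTP $code"
        ;;
    esac
  done

  echo "==================================================="
  shopt -s nullglob
  ls -l -- "${outdir}"/api_*.log
  echo "responses kept in ${outdir} (may contain sensitive data; delete when done)"
  echo
}

main "$@"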