moves TODOs to github issues
Skybound1 committed Nov 29, 2023
1 parent 852ce65 commit 3ab525c
Showing 2 changed files with 1 addition and 9 deletions.
7 changes: 0 additions & 7 deletions icekube/attack_paths.py
@@ -57,15 +57,9 @@ def workload_query(
""",
# Subject -> Secret
"ACCESS_SECRET": "MATCH (src)-[:GRANTS_GET|GRANTS_LIST|GRANTS_WATCH]->(dest:Secret)",
# Create SA long lived token
# TODO: Need to account for then having permission to read secret
# "CREATE_SA_TOKEN_VIA_SECRET": "MATCH (src)-[:GRANTS_SECRET_CREATE]->"
# "(ns:Namespace)"
# "<-[:WITHIN_NAMESPACE]-(dest:ServiceAccount)",
# Generate service account token
"GENERATE_TOKEN": "MATCH (src)-[:GRANTS_TOKEN_CREATE]->(dest:ServiceAccount)",
# RBAC escalate verb to change a role to be more permissive
# TODO: expand to roles for other entities
"RBAC_ESCALATE_TO": [
# RoleBindings
"""
@@ -78,7 +72,6 @@ def workload_query(
WHERE (src)-[:GRANTS_PERMISSION]->(role)
""",
],
# TODO: RBAC Bind
# Subject -> User / Group / ServiceAccount
"GENERATE_CLIENT_CERTIFICATE": """
MATCH (src)-[:GRANTS_CERTIFICATESIGNINGREQUESTS_CREATE]->(cluster:Cluster), (dest)
3 changes: 1 addition & 2 deletions icekube/models/pod.py
@@ -172,7 +172,6 @@ def dangerous_host_path(self) -> bool:
# Not all of these give direct node compromise, but will grant enough
# permissions to maybe steal certificates to help with API server
# as the node, or the like
# TODO: account for wildcards for /home/*/.ssh/, etc
dangerous_paths = [
"/etc/kubernetes/admin.conf",
"/etc/kubernetes/kubeconfig",
@@ -248,7 +247,7 @@ def relationships(
initial: bool = True,
) -> List[RELATIONSHIP]:
relationships = super().relationships()
# TODO: Also check if mounted

if self.service_account:
relationships += [(self, "USES_ACCOUNT", self.service_account)]
if self.node:
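Review bot: Dropping `# TODO: Also check if mounted` from the relationships() hunk removes the only in-code record that `USES_ACCOUNT` is emitted whenever `self.service_account` is set, without regard to whether the token is actually mounted into the pod; since the commit moves that note to an issue, the line it replaces should carry the pointer, e.g. `# USES_ACCOUNT is added regardless of token mount status; tracked in issue <ISSUE-ID>`. Without it the edge presumably over-approximates reachability for pods that disable token automounting, and a reader of the resulting attack graph has no way to tell that the limitation is known. The same applies to the removed wildcard note above `dangerous_paths` (the list appears to hold literal paths only, so the parent-directory and per-user cases the TODO mentioned are not covered) and to the three TODOs removed from icekube/attack_paths.py. The relationships() definition starts outside the hunk.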
