Invalid value for `rules`, must not be `None`
joaogabriel-mb opened this issue
Hi,
I'm trying to use Kubiscan in my AWS EKS environment. I ran it with Docker and copied my `~/.aws` and `aws-iam-authentication` to the container, and I was able to run `kubiscan -rr`, for example, without problems, but with some commands I got the following stack trace.
Below are some of the args that I tried:
- `-rcr`
- `-rar`
- `-rb`
- `-rcb`
- `-rs`
- `-rp`
- `--all`
```
Traceback (most recent call last):
  File "/KubiScan/KubiScan.py", line 534, in <module>
    main()
  File "/KubiScan/KubiScan.py", line 469, in main
    print_all_risky_containers()
  File "/KubiScan/KubiScan.py", line 92, in print_all_risky_containers
    pods = engine.utils.get_risky_pods()
  File "/KubiScan/engine/utils.py", line 306, in get_risky_pods
    risky_users = get_all_risky_subjects()
  File "/KubiScan/engine/utils.py", line 219, in get_all_risky_subjects
    all_risky_rolebindings = get_all_risky_rolebinding()
  File "/KubiScan/engine/utils.py", line 186, in get_all_risky_rolebinding
    all_risky_roles = get_risky_roles_and_clusterroles()
  File "/KubiScan/engine/utils.py", line 134, in get_risky_roles_and_clusterroles
    risky_clusterroles = get_risky_clusterroles()
  File "/KubiScan/engine/utils.py", line 144, in get_risky_clusterroles
    return get_risky_role_by_kind('ClusterRole')
  File "/KubiScan/engine/utils.py", line 124, in get_risky_role_by_kind
    all_roles = get_roles_by_kind(kind)
  File "/KubiScan/engine/utils.py", line 117, in get_roles_by_kind
    all_roles = api_client.RbacAuthorizationV1Api.list_cluster_role()
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/apis/rbac_authorization_v1_api.py", line 1618, in list_cluster_role
    (data) = self.list_cluster_role_with_http_info(**kwargs)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/apis/rbac_authorization_v1_api.py", line 1715, in list_cluster_role_with_http_info
    collection_formats=collection_formats)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 321, in call_api
    _return_http_data_only, collection_formats, _preload_content, _request_timeout)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 163, in __call_api
    return_data = self.deserialize(response_data, response_type)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 236, in deserialize
    return self.__deserialize(data, response_type)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 276, in __deserialize
    return self.__deserialize_model(data, klass)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 620, in __deserialize_model
    kwargs[attr] = self.__deserialize(value, attr_type)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 254, in __deserialize
    for sub_data in data]
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 254, in <listcomp>
    for sub_data in data]
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 276, in __deserialize
    return self.__deserialize_model(data, klass)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 622, in __deserialize_model
    instance = klass(**kwargs)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/models/v1_cluster_role.py", line 69, in __init__
    self.rules = rules
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/models/v1_cluster_role.py", line 184, in rules
    raise ValueError("Invalid value for `rules`, must not be `None`")
ValueError: Invalid value for `rules`, must not be `None`
```
Hi,
This exception happens because of an open bug in the Kubernetes Python Client library.
When there is a query for an object with a `None` field in arrays, it throws an exception and exits the program.
In your case, it is because some of your ClusterRoles (the exception starts when there is a call to `list_cluster_role()`) have `None` rules.
When I created this tool I had a [similar issue](https://github.com/kubernetes-client/python/issues/577) with ClusterRoleBinding, where the `subjects` field was `None`.
In my case I created a temporary package named `api_client_temp.py` and solved it for the `list_cluster_role_binding()` function.
But I had a feeling that it might happen in future functions.
I will fix it also for `list_cluster_role()` and update you.
Basically, once the original bug is solved in the Kubernetes Python Client library, I will remove those fixes.
Can you also share the errors from `-rb`, `-rcb` and `-rs`?
I want to see if there are other functions with the same issue.
I'm sorry for being late with the response, I was away from the internet this last weekend.
Now everything works, thank you for your support.
It's OK :)
Thank you for opening this bug, it helps to make the tool better for others.
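
An added example, not part of the thread and not KubiScan's own code: one way to tolerate the `rules: null` case described above is to read the ClusterRole list as raw JSON (for instance the body returned when `_preload_content=False`, the parameter visible in the traceback, is passed to `list_cluster_role()`) and normalize null rules to an empty list before any risk check. The sample response, the role names and the simplified risk check are constructed assumptions.

```python
import json

# Constructed sample of a ClusterRoleList API response; role names are made up.
SAMPLE_RESPONSE = json.dumps({
    "kind": "ClusterRoleList",
    "items": [
        {"metadata": {"name": "example-null-rules"}, "rules": None},
        {"metadata": {"name": "example-no-rules-key"}},
        {"metadata": {"name": "example-secret-reader"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"],
                    "verbs": ["get", "list"]}]},
        {"metadata": {"name": "example-viewer"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get"]}]},
    ],
})

# Simplified stand-in for a risk check (assumption, not KubiScan's rule set).
RISKY_RESOURCES = {"secrets", "*"}
RISKY_VERBS = {"get", "list", "*"}


def parse_cluster_roles(raw_json):
    """Return (roles, names_with_null_rules); null or missing rules become []."""
    roles, null_rules = [], []
    for item in json.loads(raw_json).get("items") or []:
        name = (item.get("metadata") or {}).get("name", "<unnamed>")
        rules = item.get("rules")
        if rules is None:  # the case that makes the typed model raise ValueError
            null_rules.append(name)
            rules = []
        roles.append({"name": name, "rules": rules})
    return roles, null_rules


def risky_role_names(roles):
    """Names of roles with at least one rule matching the simplified check."""
    risky = []
    for role in roles:
        for rule in role["rules"]:
            resources = set(rule.get("resources") or [])
            verbs = set(rule.get("verbs") or [])
            if resources & RISKY_RESOURCES and verbs & RISKY_VERBS:
                risky.append(role["name"])
                break
    return risky


if __name__ == "__main__":
    parsed, skipped = parse_cluster_roles(SAMPLE_RESPONSE)
    print("null rules:", skipped, "risky:", risky_role_names(parsed))
```

Recording which roles had null rules, rather than dropping them silently, keeps the scan output honest about what was and was not evaluated.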