cyberark / KubiScan

A tool to scan Kubernetes cluster for risky permissions


Invalid value for `rules`, must not be `None`

joaogabriel-mb opened this issue · comments

Hi,

I'm trying to use Kubiscan in my AWS EKS environment. I ran with docker and copied my ~/.aws and aws-iam-authenticator to the container and I was able to run kubiscan -rr for example without problems, but with some commands I got the following stack trace:

Below are some args that I tried:

  • -rcr
  • -rar
  • -rb
  • -rcb
  • -rs
  • -rp
  • --all

```
Traceback (most recent call last):
  File "/KubiScan/KubiScan.py", line 534, in <module>
    main()
  File "/KubiScan/KubiScan.py", line 469, in main
    print_all_risky_containers()
  File "/KubiScan/KubiScan.py", line 92, in print_all_risky_containers
    pods = engine.utils.get_risky_pods()
  File "/KubiScan/engine/utils.py", line 306, in get_risky_pods
    risky_users = get_all_risky_subjects()
  File "/KubiScan/engine/utils.py", line 219, in get_all_risky_subjects
    all_risky_rolebindings = get_all_risky_rolebinding()
  File "/KubiScan/engine/utils.py", line 186, in get_all_risky_rolebinding
    all_risky_roles = get_risky_roles_and_clusterroles()
  File "/KubiScan/engine/utils.py", line 134, in get_risky_roles_and_clusterroles
    risky_clusterroles = get_risky_clusterroles()
  File "/KubiScan/engine/utils.py", line 144, in get_risky_clusterroles
    return get_risky_role_by_kind('ClusterRole')
  File "/KubiScan/engine/utils.py", line 124, in get_risky_role_by_kind
    all_roles = get_roles_by_kind(kind)
  File "/KubiScan/engine/utils.py", line 117, in get_roles_by_kind
    all_roles = api_client.RbacAuthorizationV1Api.list_cluster_role()
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/apis/rbac_authorization_v1_api.py", line 1618, in list_cluster_role
    (data) = self.list_cluster_role_with_http_info(**kwargs)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/apis/rbac_authorization_v1_api.py", line 1715, in list_cluster_role_with_http_info
    collection_formats=collection_formats)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 321, in call_api
    _return_http_data_only, collection_formats, _preload_content, _request_timeout)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 163, in __call_api
    return_data = self.deserialize(response_data, response_type)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 236, in deserialize
    return self.__deserialize(data, response_type)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 276, in __deserialize
    return self.__deserialize_model(data, klass)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 620, in __deserialize_model
    kwargs[attr] = self.__deserialize(value, attr_type)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 254, in __deserialize
    for sub_data in data]
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 254, in <listcomp>
    for sub_data in data]
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 276, in __deserialize
    return self.__deserialize_model(data, klass)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/api_client.py", line 622, in __deserialize_model
    instance = klass(**kwargs)
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/models/v1_cluster_role.py", line 69, in __init__
    self.rules = rules
  File "/usr/local/lib/python3.6/dist-packages/kubernetes/client/models/v1_cluster_role.py", line 184, in rules
    raise ValueError("Invalid value for `rules`, must not be `None`")
ValueError: Invalid value for `rules`, must not be `None`
```

Hi,

This exception happens because of an open bug in the Kubernetes Python Client library.
When there is a query for an object with a None field in arrays, it throws an exception and exits the program.
In your case, it is because some of your ClusterRoles (the exception starts when there is a call to list_cluster_role()) have None rules.

When I created this tool I had a [similar issue](https://github.com/kubernetes-client/python/issues/577) with ClusterRoleBinding where the subjects field was None.
In my case I created a temporary package named api_client_temp.py and solved it for the list_cluster_role_binding() function.

But I had a feeling that it might happen in future functions.
I will fix it also for list_cluster_role() and update you.

Basically, once the original bug is solved in the Kubernetes Python Client library, I will remove those fixes.

Can you also share the errors from -rb, -rcb and -rs?

I want to see if there are other functions with the same issue.
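As an added illustration of the failure mode described above (this is not KubiScan's code, nor the maintainer's api_client_temp.py): a constructed ClusterRoleList with one `rules: null` item is parsed from the raw response body, so the client's model validation that raised the ValueError is never run, and null rules are treated as "no permissions granted". `fetch_clusterroles_raw` and the wildcard-based risk check are assumptions made for this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample of a ClusterRoleList as the API server could return it.
# "empty-role" has "rules": null, the case from this issue: feeding it through
# kubernetes.client's V1ClusterRole raises "Invalid value for `rules`".
SAMPLE_CLUSTERROLE_LIST = json.dumps({
    "kind": "ClusterRoleList",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "items": [
        {"metadata": {"name": "empty-role"}, "rules": None},
        {"metadata": {"name": "view-pods"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "list"]}]},
        {"metadata": {"name": "cluster-superuser"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ],
})


def fetch_clusterroles_raw(rbac_api) -> str:
    """Assumed usage with a real kubernetes.client.RbacAuthorizationV1Api:
    _preload_content=False hands back the raw HTTP response instead of
    running the model deserializer, so a null rules field never reaches
    V1ClusterRole's setter."""
    return rbac_api.list_cluster_role(_preload_content=False).data.decode()


def normalize_roles(raw_list_json: str) -> List[Dict[str, Any]]:
    """Parse a raw (Cluster)RoleList body and coerce null rules to []."""
    body = json.loads(raw_list_json)
    roles = []
    for item in body.get("items", []):
        item["rules"] = item.get("rules") or []  # None -> [] (nothing granted)
        roles.append(item)
    return roles


def risky_roles(roles: List[Dict[str, Any]]) -> List[str]:
    """Simplified heuristic constructed for this example (not KubiScan's own
    rule set): flag roles that grant a wildcard verb or resource."""
    names = []
    for role in roles:
        for rule in role["rules"]:
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                names.append(role["metadata"]["name"])
                break
    return names
```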

Hi,

I made some changes, can you check -rcr again?

I added support to list_cluster_role here.
And replaced the original function with the new one here.

I'm sorry for being late with the response, I was away from the internet this last weekend.

Now everything works, thank you for your support.

It's OK :)
Thank you for opening this bug, it helps to make the tool better for others.