在 kubernetes 中找出使用 jdk9 及以上版本的应用

在 kubernetes 中找出使用 jdk9 及以上版本的应用

2022-3-30
Technology
Golang, Kubernetes

一个漏洞 #

近日,在 Spring Cloud (SPEL) 中发现 RCE 0-day 漏洞,发布在Ots安全中,公众号文章如下:

spring-cloud-sce-0day

为了排查 kubernetes 中所有存在安全威胁的应用,特地开发了一个小工具来寻找。该工具基于 golang&client-go 开发, 程序会找出当前集群中所有 Running 的 pods, 然后逐个进入容器,执行 java -version 命令,将命令输出打印到文件中,使用编辑器进行查找检索即可。

源代码 #

代码量不大,这里直接贴出main.go的代码:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

package main

import (
	"bytes"
	"context"
	"flag"
	"fmt"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/kubernetes/scheme"
	"k8s.io/client-go/rest"
	"k8s.io/client-go/tools/clientcmd"
	"k8s.io/client-go/tools/remotecommand"
	"strings"
)

func main() {
	kubeconfig := flag.String("kubeconfig", "", "absolute path to the kubeconfig file")
	flag.Parse()

	config, err := clientcmd.BuildConfigFromFlags("", *kubeconfig)
	if err != nil {
		panic(err.Error())
	}

	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		panic(err.Error())
	}

	pods, err := clientset.CoreV1().Pods("").List(context.TODO(), metav1.ListOptions{
		FieldSelector: "status.phase=Running",
	})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("There are %d  running pods in the cluster\n", len(pods.Items))

	for _, item := range pods.Items {
		stdout, stderr, err := execInPod(config, item.Namespace, item.Name, item.Spec.Containers[0].Name)
		if err != nil {
			continue
		}
		fmt.Printf("--> %v/%v/%v\n", item.Namespace, item.Name, item.Spec.Containers[0].Name)
		fmt.Println(stderr)
		fmt.Println(stdout)
	}
}

func execInPod(config *rest.Config, namespace, podName, containerName string) (string, string, error) {
	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		panic(err.Error())
	}
	req := clientset.CoreV1().RESTClient().Post().
		Resource("pods").Name(podName).Namespace(namespace).
		SubResource("exec").
		Param("container", containerName)
	req.VersionedParams(
		&corev1.PodExecOptions{
			Command: []string{"java", "-version"},
			Stdin:   false,
			Stdout:  true,
			Stderr:  true,
			TTY:     false,
		},
		scheme.ParameterCodec,
	)

	var stdout, stderr bytes.Buffer
	exec, err := remotecommand.NewSPDYExecutor(config, "POST", req.URL())
	if err != nil {
		return "", "", err
	}
	err = exec.Stream(remotecommand.StreamOptions{
		Stdin:  nil,
		Stdout: &stdout,
		Stderr: &stderr,
	})
	if err != nil {
		return "", "", err
	}

	return strings.TrimSpace(stdout.String()), strings.TrimSpace(stderr.String()), err
}

使用方式 #

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

mkdir execjava-versioninpod
cd execjava-versioninpod
vi main.go
# 将上述代码粘贴进去
:wq
go mod init example.com/execjava-versioninpod
go mod tidy
go build .
kubectl config use-context <context-name> \
&& ./execjava-versioninpod \
  --kubeconfig=$HOME/.kube/config > java-version-outputs.txt

打印的文件java-version-outputs.txt的内容如下:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

There are 11  running pods in the cluster
--> default/tomcat-7cf47cf6b4-7bbqr/tomcat
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)

--> default/tomcat-7cf47cf6b4-jcp7k/tomcat
openjdk version "1.8.0_292"
OpenJDK Runtime Environment (build 1.8.0_292-b10)
OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)
...

使用常规的文本编辑器打开该文件,检索 jdk9 及以上版本的 pod 即可,至此完成~