
Parser service account cannot get resource parsedefinitions #2003

@moxli

Description


🐞 Bug report

Describe the bug

I am seeing the following error in my parser pod logs:

Nikto:

parsedefinitions.execution.securecodebox.io "nikto-json" is forbidden: User "system:serviceaccount:securecodebox:parser" cannot get resource "parsedefinitions" in API group "execution.securecodebox.io" in the namespace "securecodebox"

ZAP:

parsedefinitions.execution.securecodebox.io "zap-xml" is forbidden: User "system:serviceaccount:securecodebox:parser" cannot get resource "parsedefinitions" in API group "execution.securecodebox.io" in the namespace "securecodebox"

The pod will stop with exit code 1:

    State:          Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Sun, 01 Oct 2023 20:32:22 +0200
      Finished:     Sun, 01 Oct 2023 20:32:24 +0200
    Ready:          False
    Restart Count:  0

Steps To Reproduce

Steps to reproduce the behavior:

  1. Install (or upgrade?) version 4.1.0
  2. Create a Nikto or ZAP scan
  3. See the error in the parser pod after the scan has finished

Expected behavior

I expect SecureCodeBox to set the correct rolebindings for me, so the parser can run without errors.

Should the parser service account have the clusterrole parsedefinition-viewer-role assigned?

System (please complete the following information):

  • secureCodeBox Version/Release: 4.1.0
  • OS: Linux
  • Kubernetes Version: v1.24.14-gke.2700
  • Docker: N/A

Screenshots / Logs

Parser Pod Logs:

  body: {
    kind: 'Status',
    apiVersion: 'v1',
    metadata: {},
    status: 'Failure',
    message: 'parsedefinitions.execution.securecodebox.io "nikto-json" is forbidden: User "system:serviceaccount:securecodebox:parser" cannot get resource "parsedefinitions" in API group "execution.securecodebox.io" in the namespace "securecodebox"',
    reason: 'Forbidden',
    details: {
      name: 'nikto-json',
      group: 'execution.securecodebox.io',
      kind: 'parsedefinitions'
    },
    code: 403
  },
  statusCode: 403

Additional context

The issue started occurring after I upgraded to SecureCodeBox 4.1.0!

I also upgraded the following CRDs to make the 4.1.0 release work:

    k apply -f https://github.com/secureCodeBox/secureCodeBox/raw/v4.1.0/operator/crds/execution.securecodebox.io_clusterparsedefinitions.yaml
    k apply -f https://github.com/secureCodeBox/secureCodeBox/raw/v4.1.0/operator/crds/execution.securecodebox.io_parsedefinitions.yaml
    k apply -f https://github.com/secureCodeBox/secureCodeBox/raw/v4.1.0/operator/crds/execution.securecodebox.io_scheduledscans.yaml

Rolebindings (k get rolebindings.rbac.authorization.k8s.io):

NAME                          ROLE                        AGE
leader-election-rolebinding   Role/leader-election-role   6d17h
lurker                        Role/lurker                 20d
parser                        Role/parser                 20d
scan-completion-hook          Role/scan-completion-hook   20d

Clusterroles (k get clusterroles.rbac.authorization.k8s.io | grep parse):

parsedefinition-editor-role                                            2023-09-27T15:34:44Z
parsedefinition-viewer-role                                            2023-09-27T15:34:44Z
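A small triage helper, added here as an example and not part of secureCodeBox or of the reporter's setup: it parses the Forbidden `Status` object shown in the parser pod logs above and renders the narrowest namespaced Role and RoleBinding that would satisfy exactly that denial, so the missing grant can be compared against what the chart actually installs for the `parser` service account. The role name `parser-parsedefinition-get` is a placeholder and the sample `Status` is constructed from the log excerpt.

```python
import re

# Constructed sample: the 403 Status object from the parser pod logs above.
FORBIDDEN_STATUS = {
    "kind": "Status", "status": "Failure", "reason": "Forbidden", "code": 403,
    "message": ('parsedefinitions.execution.securecodebox.io "nikto-json" is forbidden: '
                'User "system:serviceaccount:securecodebox:parser" cannot get resource '
                '"parsedefinitions" in API group "execution.securecodebox.io" '
                'in the namespace "securecodebox"'),
}

# The denial text comes from the kube-apiserver RBAC authorizer; the namespace
# clause is absent when the denied resource is cluster-scoped.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?')

def parse_forbidden(status):
    """Extract subject, verb, resource, API group and namespace from a 403 Status."""
    if status.get("reason") != "Forbidden" or status.get("code") != 403:
        return None
    m = FORBIDDEN_RE.search(status.get("message", ""))
    if not m:
        return None
    info = m.groupdict()
    # system:serviceaccount:<namespace>:<name> identifies a ServiceAccount subject
    if info["user"].startswith("system:serviceaccount:"):
        _, _, info["sa_namespace"], info["sa_name"] = info["user"].split(":", 3)
    return info

def minimal_role_binding(info, role_name):
    """Render a namespaced Role with only the denied verb/resource plus a RoleBinding
    to the service account (least privilege: no wildcard verbs, no ClusterRole)."""
    if not info.get("namespace") or "sa_name" not in info:
        raise ValueError("only namespaced denials for service accounts are handled")
    return (
        f"apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\n"
        f"metadata:\n  name: {role_name}\n  namespace: {info['namespace']}\n"
        f"rules:\n- apiGroups: [\"{info['group']}\"]\n"
        f"  resources: [\"{info['resource']}\"]\n  verbs: [\"{info['verb']}\"]\n"
        f"---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\n"
        f"metadata:\n  name: {role_name}\n  namespace: {info['namespace']}\n"
        f"subjects:\n- kind: ServiceAccount\n  name: {info['sa_name']}\n"
        f"  namespace: {info['sa_namespace']}\n"
        f"roleRef:\n  kind: Role\n  name: {role_name}\n"
        f"  apiGroup: rbac.authorization.k8s.io\n")

if __name__ == "__main__":
    denied = parse_forbidden(FORBIDDEN_STATUS)
    print(denied)
    print(minimal_role_binding(denied, "parser-parsedefinition-get"))
```

The rendered manifest is the lower bound for the grant; before applying anything like it, check whether the chart's existing `parser` Role is simply missing the `parsedefinitions` rule, which would point to the chart rather than the cluster as the thing to fix.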
