Cascading Hook with Label Selector fails in 3.5.x #887
Closed
Labels
bugBugsBugs
Description
🐞 Bug report
Describe the bug
When starting a nmap scan like:
apiVersion: execution.securecodebox.io/v1
kind: Scan
metadata:
name: nmap-test
spec:
scanType: "nmap"
parameters:
- "192.168.178.0/24"
cascades:
inheritLabels: true
inheritAnnotations: true
matchLabels:
# Uses all CascadingRules in the namespace which are labelled as "non-invasive" and have an intensiveness level of "light"
securecodebox.io/invasive: non-invasive
securecodebox.io/intensive: light
The cascading hook fails with the following error:
Logs
Starting hook for Scan "nmap-test"
Fetched 354 findings from the file storage
Fetching CascadingScans using LabelSelector: "securecodebox.io/intensive=light,securecodebox.io/invasive=non-invasive"
Failed to get CascadingRules from the kubernetes api
HttpError: HTTP request failed
at Request._callback (/home/app/hook-wrapper/hook/node_modules/@kubernetes/client-node/dist/gen/api/customObjectsApi.js:1472:36)
at Request.self.callback (/home/app/hook-wrapper/hook/node_modules/request/request.js:185:22)
at Request.emit (events.js:400:28)
at Request.<anonymous> (/home/app/hook-wrapper/hook/node_modules/request/request.js:1154:10)
at Request.emit (events.js:400:28)
at IncomingMessage.<anonymous> (/home/app/hook-wrapper/hook/node_modules/request/request.js:1076:12)
at Object.onceWrapper (events.js:519:28)
at IncomingMessage.emit (events.js:412:35)
at endReadableNT (internal/streams/readable.js:1334:12)
at processTicksAndRejections (internal/process/task_queues.js:82:21) {
response: <ref *1> IncomingMessage {
_readableState: ReadableState {
objectMode: false,
highWaterMark: 16384,
buffer: BufferList { head: null, tail: null, length: 0 },
length: 0,
pipes: [],
flowing: true,
ended: true,
endEmitted: true,
reading: false,
sync: true,
needReadable: false,
emittedReadable: false,
readableListening: false,
resumeScheduled: false,
errorEmitted: false,
emitClose: true,
autoDestroy: false,
destroyed: false,
errored: null,
closed: false,
closeEmitted: false,
defaultEncoding: 'utf8',
awaitDrainWriters: null,
multiAwaitDrain: false,
readingMore: true,
dataEmitted: true,
decoder: null,
encoding: null,
[Symbol(kPaused)]: false
},
_events: [Object: null prototype] {
end: [Array],
close: [Array],
data: [Function (anonymous)],
error: [Function (anonymous)]
},
_eventsCount: 4,
_maxListeners: undefined,
socket: TLSSocket {
_tlsOptions: [Object],
_secureEstablished: true,
_securePending: false,
_newSessionPending: false,
_controlReleased: true,
secureConnecting: false,
_SNICallback: null,
servername: false,
alpnProtocol: false,
authorized: true,
authorizationError: null,
encrypted: true,
_events: [Object: null prototype],
_eventsCount: 10,
connecting: false,
_hadError: false,
_parent: null,
_host: null,
_readableState: [ReadableState],
_maxListeners: undefined,
_writableState: [WritableState],
allowHalfOpen: false,
_sockname: null,
_pendingData: null,
_pendingEncoding: '',
server: undefined,
_server: null,
ssl: [TLSWrap],
_requestCert: true,
_rejectUnauthorized: true,
parser: null,
_httpMessage: [ClientRequest],
[Symbol(res)]: [TLSWrap],
[Symbol(verified)]: true,
[Symbol(pendingSession)]: null,
[Symbol(async_id_symbol)]: 316,
[Symbol(kHandle)]: [TLSWrap],
[Symbol(kSetNoDelay)]: false,
[Symbol(lastWriteQueueSize)]: 0,
[Symbol(timeout)]: null,
[Symbol(kBuffer)]: null,
[Symbol(kBufferCb)]: null,
[Symbol(kBufferGen)]: null,
[Symbol(kCapture)]: false,
[Symbol(kBytesRead)]: 0,
[Symbol(kBytesWritten)]: 0,
[Symbol(connect-options)]: [Object],
[Symbol(RequestTimeout)]: undefined
},
httpVersionMajor: 1,
httpVersionMinor: 1,
httpVersion: '1.1',
complete: true,
headers: {
'cache-control': 'no-cache, private',
'content-type': 'application/json',
'x-kubernetes-pf-flowschema-uid': '8e1b79e6-b874-4387-92f0-b14828dfee19',
'x-kubernetes-pf-prioritylevel-uid': '5847f3eb-cb2a-45b8-b53f-51edb5ef5b8c',
date: 'Wed, 15 Dec 2021 13:21:49 GMT',
'content-length': '168',
connection: 'close'
},
rawHeaders: [
'Cache-Control',
'no-cache, private',
'Content-Type',
'application/json',
'X-Kubernetes-Pf-Flowschema-Uid',
'8e1b79e6-b874-4387-92f0-b14828dfee19',
'X-Kubernetes-Pf-Prioritylevel-Uid',
'5847f3eb-cb2a-45b8-b53f-51edb5ef5b8c',
'Date',
'Wed, 15 Dec 2021 13:21:49 GMT',
'Content-Length',
'168',
'Connection',
'close'
],
trailers: {},
rawTrailers: [],
aborted: false,
upgrade: false,
url: '',
method: null,
statusCode: 400,
statusMessage: 'Bad Request',
client: TLSSocket {
_tlsOptions: [Object],
_secureEstablished: true,
_securePending: false,
_newSessionPending: false,
_controlReleased: true,
secureConnecting: false,
_SNICallback: null,
servername: false,
alpnProtocol: false,
authorized: true,
authorizationError: null,
encrypted: true,
_events: [Object: null prototype],
_eventsCount: 10,
connecting: false,
_hadError: false,
_parent: null,
_host: null,
_readableState: [ReadableState],
_maxListeners: undefined,
_writableState: [WritableState],
allowHalfOpen: false,
_sockname: null,
_pendingData: null,
_pendingEncoding: '',
server: undefined,
_server: null,
ssl: [TLSWrap],
_requestCert: true,
_rejectUnauthorized: true,
parser: null,
_httpMessage: [ClientRequest],
[Symbol(res)]: [TLSWrap],
[Symbol(verified)]: true,
[Symbol(pendingSession)]: null,
[Symbol(async_id_symbol)]: 316,
[Symbol(kHandle)]: [TLSWrap],
[Symbol(kSetNoDelay)]: false,
[Symbol(lastWriteQueueSize)]: 0,
[Symbol(timeout)]: null,
[Symbol(kBuffer)]: null,
[Symbol(kBufferCb)]: null,
[Symbol(kBufferGen)]: null,
[Symbol(kCapture)]: false,
[Symbol(kBytesRead)]: 0,
[Symbol(kBytesWritten)]: 0,
[Symbol(connect-options)]: [Object],
[Symbol(RequestTimeout)]: undefined
},
_consuming: false,
_dumped: false,
req: ClientRequest {
_events: [Object: null prototype],
_eventsCount: 5,
_maxListeners: undefined,
outputData: [],
outputSize: 0,
writable: true,
destroyed: false,
_last: true,
chunkedEncoding: false,
shouldKeepAlive: false,
_defaultKeepAlive: true,
useChunkedEncodingByDefault: false,
sendDate: false,
_removedConnection: false,
_removedContLen: false,
_removedTE: false,
_contentLength: 0,
_hasBody: true,
_trailer: '',
finished: true,
_headerSent: true,
socket: [TLSSocket],
_header: 'GET /apis/cascading.securecodebox.io/v1/namespaces/foobar/cascadingrules?fieldSelector=securecodebox.io%2Fintensive%3Dlight%2Csecurecodebox.io%2Finvasive%3Dnon-invasive HTTP/1.1\r\n' +
'Accept: application/json\r\n' +
'Authorization: Bearer x.x.x\r\n' +
'host: 10.43.0.1\r\n' +
'Connection: close\r\n' +
'\r\n',
_keepAliveTimeout: 0,
_onPendingData: [Function: noopPendingOutput],
agent: [Agent],
socketPath: undefined,
method: 'GET',
maxHeaderSize: undefined,
insecureHTTPParser: undefined,
path: '/apis/cascading.securecodebox.io/v1/namespaces/foobar/cascadingrules?fieldSelector=securecodebox.io%2Fintensive%3Dlight%2Csecurecodebox.io%2Finvasive%3Dnon-invasive',
_ended: true,
res: [Circular *1],
aborted: false,
timeoutCb: null,
upgradeOrConnect: false,
parser: null,
maxHeadersCount: null,
reusedSocket: false,
host: '10.43.0.1',
protocol: 'https:',
[Symbol(kCapture)]: false,
[Symbol(kNeedDrain)]: false,
[Symbol(corked)]: 0,
[Symbol(kOutHeaders)]: [Object: null prototype]
},
request: Request {
_events: [Object: null prototype],
_eventsCount: 5,
_maxListeners: undefined,
method: 'GET',
headers: [Object],
uri: [Url],
useQuerystring: false,
ca: <Buffer 2d 2d 2d 2d 2d 42 45 47 49 4e 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 4d 49 49 42 56 7a 43 42 2f 71 41 44 41 67 45 43 41 67 45 41 4d 41 ... 476 more bytes>,
callback: [Function (anonymous)],
readable: true,
writable: true,
explicitMethod: true,
_qs: [Querystring],
_auth: [Auth],
_oauth: [OAuth],
_multipart: [Multipart],
_redirect: [Redirect],
_tunnel: [Tunnel],
setHeader: [Function (anonymous)],
hasHeader: [Function (anonymous)],
getHeader: [Function (anonymous)],
removeHeader: [Function (anonymous)],
localAddress: undefined,
pool: [Object],
dests: [],
__isRequestRequest: true,
_callback: [Function (anonymous)],
proxy: null,
tunnel: true,
setHost: true,
originalCookieHeader: undefined,
_disableCookies: true,
_jar: undefined,
port: '443',
host: '10.43.0.1',
url: [Url],
path: '/apis/cascading.securecodebox.io/v1/namespaces/foobar/cascadingrules?fieldSelector=securecodebox.io%2Fintensive%3Dlight%2Csecurecodebox.io%2Finvasive%3Dnon-invasive',
_json: true,
httpModule: [Object],
agentClass: [Function: Agent],
agent: [Agent],
_started: true,
href: 'https://10.43.0.1:443/apis/cascading.securecodebox.io/v1/namespaces/foobar/cascadingrules?fieldSelector=securecodebox.io%2Fintensive%3Dlight%2Csecurecodebox.io%2Finvasive%3Dnon-invasive',
req: [ClientRequest],
ntick: true,
response: [Circular *1],
originalHost: '10.43.0.1',
originalHostHeaderName: 'host',
responseContent: [Circular *1],
_destdata: true,
_ended: true,
_callbackCalled: true,
[Symbol(kCapture)]: false
},
toJSON: [Function: responseToJSON],
caseless: Caseless { dict: [Object] },
body: {
kind: 'Status',
apiVersion: 'v1',
metadata: {},
status: 'Failure',
message: 'field label not supported: securecodebox.io/intensive',
reason: 'BadRequest',
code: 400
},
[Symbol(kCapture)]: false,
[Symbol(RequestTimeout)]: undefined
},
body: {
kind: 'Status',
apiVersion: 'v1',
metadata: {},
status: 'Failure',
message: 'field label not supported: securecodebox.io/intensive',
reason: 'BadRequest',
code: 400
},
statusCode: 400
}
Expected behavior
Doesn't crash 🙃
System (please complete the following information):
- secureCodeBox 3.5.1
- Kubernetes Version 1.20
Additional context
Might be related to the recent code changes to the hook?
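It looks weird that the hook is apparently sending the label expression as a field selector when it should use a label selector 🤔 The request path in the log carries it in `fieldSelector=`, and the API server answers with "field label not supported: securecodebox.io/intensive".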
@EndPositive any ideas?