Output
~~~~~~
+.. code-block:: shell
+
+ $ ./sslendpoints -kubeconfig ~/.kube/config.onap
+ 2020/03/17 10:40:29 Host 192.168.2.10
+ 2020/03/17 10:40:29 PORT SERVICE
+ 2020/03/17 10:40:29 30203 sdnc-dgbuilder
+ 2020/03/17 10:40:29 30204 sdc-be
+ 2020/03/17 10:40:29 30207 sdc-fe
+ 2020/03/17 10:40:29 30220 aai-sparky-be
+ 2020/03/17 10:40:29 30226 message-router
+ 2020/03/17 10:40:29 30233 aai
+ 2020/03/17 10:40:29 30256 sdc-wfd-fe
+ 2020/03/17 10:40:29 30257 sdc-wfd-be
+ 2020/03/17 10:40:29 30264 sdc-dcae-fe
+ 2020/03/17 10:40:29 30266 sdc-dcae-dt
+ 2020/03/17 10:40:29 30279 aai-babel
+ 2020/03/17 10:40:29 30406 so-vnfm-adapter
+ 2020/03/17 10:40:29 There are 12 non-SSL NodePorts in the cluster
+
Testing
-------
github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
+github.com/Ullaakut/nmap v2.0.0+incompatible h1:tNXub052dsnG8+yrgpph9nhVixIBdpRRgzvmQoc8eBA=
+github.com/Ullaakut/nmap v2.0.0+incompatible/go.mod h1:fkC066hwfcoKwlI7DS2ARTggSVtBTZYCjVH1TzuTMaQ=
github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
"log"
"os"
"path/filepath"
+ "strconv"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"
+ "github.com/Ullaakut/nmap"
+
"onap.local/sslendpoints/ports"
)
+const (
+ ipv4AddrType = "ipv4"
+)
+
func main() {
var kubeconfig *string
if home := os.Getenv("HOME"); home != "" {
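Review bot: The new `"github.com/Ullaakut/nmap"` import is placed after the k8s imports and followed by its own blank line, which breaks the alphabetical order goimports expects within the third-party group. Moving it to the top of that group, directly before `metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`, and dropping the extra blank line keeps the file gofmt/goimports-clean. The import block's opening lines are outside this hunk.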
log.Println("There are no NodePorts in the cluster")
os.Exit(0)
}
- log.Printf("There are %d NodePorts in the cluster\n", len(nodeports))
- os.Exit(len(nodeports))
+
+ // TODO: filter out expected failures here before running the scan
+
+ // extract ports for running the scan
+ var ports []string
+ for port := range nodeports {
+ ports = append(ports, strconv.Itoa(int(port)))
+ }
+
+ // run nmap on the first address found for given cluster [1] filtering out SSL-tunelled ports
+ // [1] https://kubernetes.io/docs/concepts/services-networking/service/#nodeport
+ // "Each node proxies that port (the same port number on every Node) into your Service."
+ scanner, err := nmap.NewScanner(
+ nmap.WithTargets(addresses[0]),
+ nmap.WithPorts(ports...),
+ nmap.WithServiceInfo(),
+ nmap.WithTimingTemplate(nmap.TimingAggressive),
+ nmap.WithFilterPort(func(p nmap.Port) bool {
+ return p.Service.Tunnel == "ssl"
+ }),
+ )
+ if err != nil {
+ log.Panicf("Unable to create nmap scanner: %v", err)
+ }
+
+ result, _, err := scanner.Run()
+ if err != nil {
+ log.Panicf("Scan failed: %v", err)
+ }
+
+ // scan was run on a single host
+ if len(result.Hosts) < 1 {
+ log.Panicln("No host information in scan results")
+ }
+
+ // host address in the results might be ipv4 or mac
+ for _, address := range result.Hosts[0].Addresses {
+ if address.AddrType == ipv4AddrType {
+ log.Printf("Host %s\n", address)
+ }
+ }
+ log.Printf("PORT\tSERVICE")
+ for _, port := range result.Hosts[0].Ports {
+ log.Printf("%d\t%s\n", port.ID, nodeports[port.ID])
+ }
+
+ // report non-SSL services and their number
+ log.Printf("There are %d non-SSL NodePorts in the cluster\n", len(result.Hosts[0].Ports))
+ os.Exit(len(result.Hosts[0].Ports))
}
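Review bot: `result, _, err := scanner.Run()` discards the warnings nmap reports, which are the only indication that the scan was partial or that some ports could not be classified, so an incomplete run is printed as a clean "non-SSL" list; I would log them: `result, warnings, err := scanner.Run()` followed by `if len(warnings) > 0 { log.Printf("nmap warnings: %v", warnings) }`. The predicate in `WithFilterPort` returns true when `p.Service.Tunnel == "ssl"`, while the comment says SSL-tunnelled ports are filtered out and the retained ports are reported as non-SSL; if the library keeps the ports for which the predicate is true (as its name suggests), the listing is inverted and the condition should be `!=` — worth confirming against the library before merging. `os.Exit(len(result.Hosts[0].Ports))` is truncated to 8 bits on Unix, so 256 or more findings would read as a smaller count or as success; that was already the case with the removed `os.Exit(len(nodeports))`, but this change is a good moment to cap it or switch to a fixed non-zero status. main begins outside this hunk.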