test a container jwt token for capabilities

test_token.sh

#!/bin/bash

# test a containers service account token -rough-as-f but works

CA="/run/secrets/kubernetes.io/serviceaccount/ca.crt" # container level
TOKEN="/var/run/secrets/kubernetes.io/serviceaccount/token"

if [ ! -r $TOKEN ] ; then
  echo "ERROR: no token at $TOKEN"
  exit 1
fi

# display SA token details
JWT=$(cat $TOKEN | awk -F\. '{print $2}' | base64 -d 2>/dev/null)
echo $JWT | sed -e 's/,/,\n/g' && echo

# get API server URL
#{"aud":["https://kubernetes.default.svc.cluster.local"],"exp":
s=${JWT#*https}
e=${s%\"],\"exp*}

API="https$e"

echo "API: $API"

NS=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
echo "Namespace: $NS"


#echo "list capabilities - ignore api stuff - needs selfsubjectrulesreviews"
#$ALIAS auth can-i --list | grep -v "\[\/"

  for RES in logs nodes pods deployments replicasets services ingests secrets configmaps roles rolebindings clusterroles clusterrolebindings; do
    OUT=/tmp/.api_$RES.log
    echo "------------------------------------------------"
    echo "TEST get on $RES with ns: $N"
    curl -s -X GET $API/api/v1/namespaces/$NS/$RES/ --header "Authorization: Bearer $(cat $TOKEN)" --insecure -o $OUT
    OK=$(grep -c '"code": 403' $OUT)
    if [[ $OK -eq 0 ]] ; then
      cat $OUT
    else
      echo 403
      rm $OUT
    fi

  done
echo "==================================================="
ls -l /tmp/.api*.log
echo
echo