Merge pull request aws-samples#6 from aws-samples/skip-certificate-ve…

…rification feat: Add a cli option for skipping tls verification
joshkurz · Dec 15, 2022 · 7c041d8 · 7c041d8
2 parents eb5cf86 + 1842855
commit 7c041d8
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -31,6 +31,7 @@ hardeneks [OPTIONS]
 * `--cluster TEXT`: EKS Cluster name
 * `--namespace TEXT`: Namespace to be checked (default is all namespaces)
 * `--config TEXT`: Path to a hardeneks config file
+* `--insecure-skip-tls-verify`: Skip TLS verification
 * `--help`: Show this message and exit.
 
 

diff --git a/hardeneks/__init__.py b/hardeneks/__init__.py
@@ -1,5 +1,8 @@
+import os
 from pathlib import Path
 from pkg_resources import resource_filename
+import tempfile
+import urllib3
 import yaml
 
 from botocore.exceptions import EndpointConnectionError
@@ -63,6 +66,22 @@ def _get_region():
     return boto3.session.Session().region_name
 
 
+def _load_kube_config():
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+    kube_config_orig = f"{Path.home()}/.kube/config"
+    tmp_config = tempfile.NamedTemporaryFile().name
+
+    with open(kube_config_orig, "r") as fd:
+        kubeconfig = yaml.load(fd, Loader=yaml.FullLoader)
+    for cluster in kubeconfig["clusters"]:
+        cluster["cluster"]["insecure-skip-tls-verify"] = True
+    with open(tmp_config, "w") as fd:
+        yaml.dump(kubeconfig, fd, default_flow_style=False)
+
+    kubernetes.config.load_kube_config(tmp_config)
+    os.remove(tmp_config)
+
+
 @app.command()
 def run_hardeneks(
     region: str = typer.Option(
@@ -82,6 +101,10 @@ def run_hardeneks(
         callback=_config_callback,
         help="Path to a hardeneks config file.",
     ),
+    insecure_skip_tls_verify: bool = typer.Option(
+        False,
+        "--insecure-skip-tls-verify",
+    ),
 ):
     """
     Main entry point to hardeneks.
@@ -92,14 +115,19 @@ def run_hardeneks(
         cluster (str): Cluster name
         namespace (str): Specific namespace to be checked
         config (str): Path to hardeneks config file
+        insecure-skip-tls-verify (str): Skip tls verification
 
     Returns:
         None
 
     """
+    if insecure_skip_tls_verify:
+        _load_kube_config()
+    else:
+        kubernetes.config.load_kube_config(context=context)
 
-    kubernetes.config.load_kube_config(context=context)
     context = _get_current_context(context)
+
     if not cluster:
         cluster = _get_cluster_name(context, region)