K8s provider: support KUBECONFIG environment variable containing multiple paths

[raesene]

What is not working?
Running Kubernetes Attacks when the user is using a KUBECONFIG environment variable

What OS are you using?
Mac OS X

What is your Stratus Red Team version?
2.3.0

Full output?
First run with KUBECONFIG set, output looks like this

stratus detonate k8s.persistence.create-token
2022/08/15 18:30:03 Checking your authentication against kubernetes
2022/08/15 18:30:03 unable to build kube config: stat /Users/rory.mccune/.kube/config:/Users/rory.mccune/.kube/kubeconfigs/kubeadm2nodeconfig.yaml:/Users/rory.mccune/.kube/kubeconfigs/traceeclusterconfig.yaml:/Users/rory.mccune/.kube/kubeconfigs/kubeadm122config.yaml:/Users/rory.mccune/.kube/kubeconfigs/kubeadmcontainerd.yaml:/Users/rory.mccune/.kube/kubeconfigs/calicotracee.yaml:/Users/rory.mccune/.kube/kubeconfigs/kube123.yaml:/Users/rory.mccune/.kube/kubeconfigs/kubeadm118.yaml:/Users/rory.mccune/.kube/kubeconfigs/ubuntu2110.yaml:/Users/rory.mccune/.kube/kubeconfigs/kube124.yaml:/Users/rory.mccune/.kube/kubeconfigs/kubeadm123win.yaml: no such file or directory

If I then unset the KUBECONFIG variable the attack works ok.

stratus detonate k8s.persistence.create-token
2022/08/15 18:30:17 Checking your authentication against kubernetes
2022/08/15 18:30:18 Creating a long-lived token for the service account clusterrole-aggregation-controller in kube-system
2022/08/15 18:30:18 Successfully created a long-lived token valid for 1 year:

[christophetd]

Thanks for reporting! What behavior would you expect?

[raesene]

So I think the general expectation here is that Stratus would pick up the current-context being used by the user and send requests to the cluster in that context. This should work with environment variables and the default Kubernetes kubeconfig. At the moment stratus is handling some cases ok but not working with a case of an environment variable with multiple kubeconfigs in it.

It looks like the one way to set that is to use the NewDefaultClientConfigLoadingRules call in clientcmd . One example of a tool that uses it is rbac-police

[christophetd]

Stratus Red Team already picks up the current context - it should also honor the KUBECONFIG environment variable if it's set, c.f. https://github.com/DataDog/stratus-red-team/blob/main/v2/internal/providers/kubernetes.go#L51-L85, but it fails to consider that it may contain multiple paths separated by : (https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/#set-the-kubeconfig-environment-variable)

Thanks, updated the issue name to make clearer what we need to fix