
race condition if scanning multiple kustomization overlays with unknown base #6845

Open
tylergmuir opened this issue Nov 15, 2024 · 0 comments
Describe the issue
When attempting to scan multiple Kustomization overlays with an unknown base, it causes multiple file streams on the same path, resulting in a crash.

Examples
Here are the files for a minimal reproducible example:

#!base/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - serviceaccount.yaml
#!base/serviceaccount.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sample-sa
#!overlays/overlay1/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
#!overlays/overlay2/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base

Then, running checkov --framework kustomize -d overlays will result in a crash. Because this is a race condition, it may not be reproducible 100% of the time with only 2 overlays. In my experience it is nearly 100% reproducible with this simple example, but on more complex examples it may work as expected some or all of the time.

Exception Trace
Please share the trace for the exception and all relevant output by checkov.
To maximize the understanding, please run checkov with LOG_LEVEL set to debug
as follows:

LOG_LEVEL=DEBUG checkov ...
2024-11-15 15:11:49,719 [MainThread  ] [INFO ]  Ran kubectl to build Kustomize output. DIR: /tmp/sample/overlays/production. TYPE: overlay.
2024-11-15 15:11:49,719 [MainThread  ] [INFO ]  Ran kubectl to build Kustomize output. DIR: /tmp/sample/overlays/development. TYPE: overlay.
2024-11-15 15:11:49,719 [MainThread  ] [DEBUG]  Kustomize: Overlay with unknown base. User may have specified overlay dir directly. /tmp/sample/overlays/development
2024-11-15 15:11:49,719 [MainThread  ] [DEBUG]  Kustomize: Overlay with unknown base. User may have specified overlay dir directly. /tmp/sample/overlays/production
2024-11-15 15:11:49,719 [MainThread  ] [DEBUG]  Kustomize: Temporary directory for /tmp/sample/overlays/development at /var/folders/k0/8t66wc751s9b1l172gvnfp1w0000gq/T/tmp_vuup_h5
2024-11-15 15:11:49,720 [MainThread  ] [DEBUG]  Kustomize: Temporary directory for /tmp/sample/overlays/production at /var/folders/k0/8t66wc751s9b1l172gvnfp1w0000gq/T/tmp_vuup_h5
Process Process-2:
Process Process-3:
Traceback (most recent call last):
Traceback (most recent call last):
  File "/usr/local/Cellar/python@3.12/3.12.6/Frameworks/Python.framework/Versions/3.12/lib/python3.12/multiprocessing/process.py", line 314, in _bootstrap
    self.run()
  File "/usr/local/Cellar/python@3.12/3.12.6/Frameworks/Python.framework/Versions/3.12/lib/python3.12/multiprocessing/process.py", line 314, in _bootstrap
    self.run()
  File "/usr/local/Cellar/python@3.12/3.12.6/Frameworks/Python.framework/Versions/3.12/lib/python3.12/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "/usr/local/Cellar/python@3.12/3.12.6/Frameworks/Python.framework/Versions/3.12/lib/python3.12/multiprocessing/process.py", line 108, in run
    self._target(*self._args, **self._kwargs)
  File "/tmp/.venv/lib/python3.12/site-packages/checkov/kustomize/runner.py", line 660, in _run_kustomize_parser
    Runner._parse_output(output, file_path, kustomize_processed_folder_and_meta, target_folder_path, shared_kustomize_file_mappings)
  File "/tmp/.venv/lib/python3.12/site-packages/checkov/kustomize/runner.py", line 660, in _run_kustomize_parser
    Runner._parse_output(output, file_path, kustomize_processed_folder_and_meta, target_folder_path, shared_kustomize_file_mappings)
  File "/tmp/.venv/lib/python3.12/site-packages/checkov/kustomize/runner.py", line 647, in _parse_output
    Runner._curWriterValidateStoreMapAndClose(cur_writer, file_path, shared_kustomize_file_mappings)
  File "/tmp/.venv/lib/python3.12/site-packages/checkov/kustomize/runner.py", line 647, in _parse_output
    Runner._curWriterValidateStoreMapAndClose(cur_writer, file_path, shared_kustomize_file_mappings)
  File "/tmp/.venv/lib/python3.12/site-packages/checkov/kustomize/runner.py", line 774, in _curWriterValidateStoreMapAndClose
    currentYamlObject = yaml.safe_load(f)
                        ^^^^^^^^^^^^^^^^^
  File "/tmp/.venv/lib/python3.12/site-packages/checkov/kustomize/runner.py", line 774, in _curWriterValidateStoreMapAndClose
    currentYamlObject = yaml.safe_load(f)
                        ^^^^^^^^^^^^^^^^^
  File "/tmp/.venv/lib/python3.12/site-packages/yaml/__init__.py", line 125, in safe_load
    return load(stream, SafeLoader)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.venv/lib/python3.12/site-packages/yaml/__init__.py", line 125, in safe_load
    return load(stream, SafeLoader)
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.venv/lib/python3.12/site-packages/yaml/__init__.py", line 81, in load
    return loader.get_single_data()
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.venv/lib/python3.12/site-packages/yaml/__init__.py", line 81, in load
    return loader.get_single_data()
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.venv/lib/python3.12/site-packages/yaml/constructor.py", line 49, in get_single_data
    node = self.get_single_node()
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.venv/lib/python3.12/site-packages/yaml/constructor.py", line 49, in get_single_data
    node = self.get_single_node()
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/.venv/lib/python3.12/site-packages/yaml/composer.py", line 41, in get_single_node
    raise ComposerError("expected a single document in the stream",
  File "/tmp/.venv/lib/python3.12/site-packages/yaml/composer.py", line 41, in get_single_node
    raise ComposerError("expected a single document in the stream",
yaml.composer.ComposerError: expected a single document in the stream
  in "/var/folders/k0/8t66wc751s9b1l172gvnfp1w0000gq/T/tmp_vuup_h5/0", line 2, column 1
but found another document
  in "/var/folders/k0/8t66wc751s9b1l172gvnfp1w0000gq/T/tmp_vuup_h5/0", line 6, column 1
yaml.composer.ComposerError: expected a single document in the stream
  in "/var/folders/k0/8t66wc751s9b1l172gvnfp1w0000gq/T/tmp_vuup_h5/0", line 2, column 1
but found another document
  in "/var/folders/k0/8t66wc751s9b1l172gvnfp1w0000gq/T/tmp_vuup_h5/0", line 6, column 1

Desktop (please complete the following information):

  • OS: Mac OS 15.1 (Intel)
  • Checkov Version 3.2.296

Additional context
This appears to be a result of this line:

env_or_base_path_prefix = ""

This line currently causes all overlays with unknown bases to use the same temp path, resulting in multiple file streams using the same path and file name.
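To illustrate the failure mode described in this issue, here is an added stand-alone model (not checkov's own code) of two overlay workers writing their rendered output to file "0" under a temp directory. The shared-prefix strategy reproduces the "expected a single document in the stream" condition by landing two documents in one file; the per-overlay strategy is a hypothetical fix using a unique temp directory per overlay. Sequential appends stand in for the interleaved processes, and the manifest text is constructed.

```python
import tempfile
from pathlib import Path

# Constructed stand-in for the kustomize build output of each overlay (one YAML document each).
OVERLAY_OUTPUT = {
    "overlays/development": "---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: sample-sa\n",
    "overlays/production": "---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: sample-sa\n",
}


def temp_dir_shared(root: Path, overlay: str) -> Path:
    """Models the buggy derivation: an empty prefix maps every unknown-base overlay to one dir."""
    env_or_base_path_prefix = ""
    tmp_dir = root / f"tmp_{env_or_base_path_prefix}"
    tmp_dir.mkdir(exist_ok=True)
    return tmp_dir


def temp_dir_per_overlay(root: Path, overlay: str) -> Path:
    """Hypothetical fix: a fresh, uniquely named temp dir per overlay path."""
    return Path(tempfile.mkdtemp(prefix=overlay.replace("/", "_") + "_", dir=root))


def write_output(tmp_dir: Path, output: str) -> Path:
    """Each worker writes its manifest to file "0" in its temp dir.

    Append mode models a second writer landing on a path the first already populated.
    """
    target = tmp_dir / "0"
    with target.open("a") as f:
        f.write(output)
    return target


def count_documents(path: Path) -> int:
    """Minimal YAML stream check: one '---' marker per document; a loader expecting a single
    document fails when this is greater than 1."""
    return sum(1 for line in path.read_text().splitlines() if line.strip() == "---")


def run(strategy) -> dict:
    """Render both overlays with the given temp-dir strategy; return documents found per output file."""
    root = Path(tempfile.mkdtemp())
    return {
        overlay: count_documents(write_output(strategy(root, overlay), output))
        for overlay, output in OVERLAY_OUTPUT.items()
    }
```

With the shared strategy the second overlay's file ends up holding two documents, which is exactly what the ComposerError in the trace reports; with per-overlay directories each file holds one.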
