mirror of
https://github.com/aquasecurity/kube-hunter.git
synced 2026-02-14 18:09:56 +00:00
Soumyadeep Sinha
committed by
Yehuda Chikvashvili
Yehuda Chikvashvili
parent
195ce52111
commit
300fd117c9
@@ -4,7 +4,7 @@ Thank you for taking interest in contributing to kube-hunter !
|
||||
- Feel free to open issues for any reason as long as you make it clear if this issue is about a bug/feature/hunter/question/comment.
|
||||
- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
|
||||
- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
|
||||
- The issue should clearly explain the reason for opening, the proposal if you have any, and any technical information that's relevant.
|
||||
- The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
|
||||
|
||||
## Pull Requests
|
||||
|
||||
@@ -13,7 +13,7 @@ Thank you for taking interest in contributing to kube-hunter !
|
||||
1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
|
||||
1. Please add the associated Issue in the PR description.
|
||||
1. There's no need to add or tag reviewers.
|
||||
1. If a reviewer commented on your code, or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
|
||||
1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
|
||||
1. Please include a comment with the results before and after your change.
|
||||
1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
|
||||
|
||||
@@ -23,4 +23,4 @@ If you are contributing a new hunter:
|
||||
1. When you open an issue to present the hunter, please specify which `Vulnerability` classes you plan to add.
|
||||
1. A maintainer will assign each `Vulnerability` a VID for you to include in your hunter code.
|
||||
1. Please add a KB article to `/docs/kb/` explaining the vulnerability and suggesting remediation steps. Look at other articles for examples.
|
||||
1. Please adhere to the following types convention: Use `Hunter` class to report vulnerabilities, `ActiveHunter` if your Hunter might change the state of the cluster, and `Discovery` for scanning the cluster (all are descendants of `HunterBase`). Also, use the `Vulnerability` class to report findings, and `Service` to report a discovery to be used by a hunter (both are descendants of `Event`, refrain from using `Event` directly).
|
||||
1. Please adhere to the following types convention: Use `Hunter` class to report vulnerabilities, `ActiveHunter` if your Hunter might change the state of the cluster, and `Discovery` for scanning the cluster (all are descendants of `HunterBase`). Also, use the `Vulnerability` class to report findings, and `Service` to report a discovery to be used by a hunter (both are descendants of `Event`, refrain from using `Event` directly).
|
||||
|
||||
10
README.md
10
README.md
@@ -9,7 +9,7 @@ kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was d
|
||||
|
||||
**Run kube-hunter**: kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at [kube-hunter.aquasec.com](https://kube-hunter.aquasec.com) where you can register online to receive a token allowing you see and share the results online. You can also run the Python code yourself as described below.
|
||||
|
||||
**Contribute**: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your own modules please read [Guidelines For Developing Your First kube-hunter Module](src/README.md).
|
||||
**Contribute**: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your modules please read [Guidelines For Developing Your First kube-hunter Module](src/README.md).
|
||||
|
||||
[](https://youtu.be/s2-6rTkH8a8?t=57s)
|
||||
|
||||
@@ -37,7 +37,7 @@ Run kube-hunter on any machine (including your laptop), select Remote scanning a
|
||||
|
||||
You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.
|
||||
|
||||
You can also run kube-hunter in a pod within the cluster. This gives an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).
|
||||
You can also run kube-hunter in a pod within the cluster. This indicates how exposed your cluster would be if one of your application pods is compromised (through a software vulnerability, for example).
|
||||
|
||||
### Scanning options
|
||||
|
||||
@@ -59,7 +59,7 @@ To specify a specific CIDR to scan, use the `--cidr` option. Example:
|
||||
|
||||
### Active Hunting
|
||||
|
||||
Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, in order to explore for further vulnerabilities.
|
||||
Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, to explore for further vulnerabilities.
|
||||
The main difference between normal and active hunting is that a normal hunt will never change state of the cluster, while active hunting can potentially do state-changing operations on the cluster, **which could be harmful**.
|
||||
|
||||
By default, kube-hunter does not do active hunting. To active hunt a cluster, use the `--active` flag. Example:
|
||||
@@ -132,8 +132,8 @@ If you run the kube-hunter container with the host network it will be able to pr
|
||||
|
||||
`docker run -it --rm --network host aquasec/kube-hunter`
|
||||
|
||||
_Note for Docker for Mac/Windows:_ Be aware that the "host" for Docker for Mac or Windows is the VM which Docker runs containers within. Therefore specifying `--network host` allows kube-hunter access to the network interfaces of that VM, rather than those of your machine.
|
||||
By default kube-hunter runs in interactive mode. You can also specify the scanning option with the parameters described above e.g.
|
||||
_Note for Docker for Mac/Windows:_ Be aware that the "host" for Docker for Mac or Windows is the VM that Docker runs containers within. Therefore specifying `--network host` allows kube-hunter access to the network interfaces of that VM, rather than those of your machine.
|
||||
By default, kube-hunter runs in interactive mode. You can also specify the scanning option with the parameters described above e.g.
|
||||
|
||||
`docker run --rm aquasec/kube-hunter --cidr 192.168.0.0/24`
|
||||
|
||||
|
||||
Reference in New Issue
Block a user