From 7296805d58ea08bd9dfd1cc95159ae169c3eda30 Mon Sep 17 00:00:00 2001
From: Liz Rice
Date: Mon, 4 Mar 2019 13:47:49 +0000
Subject: [PATCH] Only create per-namespace objects if we have found namespaces
---
 src/modules/hunting/apiserver.py | 75 ++++++++++++++++----------------
 1 file changed, 38 insertions(+), 37 deletions(-)
diff --git a/src/modules/hunting/apiserver.py b/src/modules/hunting/apiserver.py
index e448b37..95cd6f4 100644
--- a/src/modules/hunting/apiserver.py
+++ b/src/modules/hunting/apiserver.py
@@ -476,6 +476,7 @@ class AccessApiServerActive(ActiveHunter, AccessApiServer):
 data=data)
 
 def execute(self):
+ # Try creating cluster-wide objects
 namespace = self.create_namespace()
 if namespace:
 self.publish_event(CreateANamespace('new namespace name: {name}'.format(name=namespace)))
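Review bot: The new `# Try creating cluster-wide objects` comment is the only documentation `execute` gets, and nothing at the method's signature tells a reader that this ActiveHunter creates real objects in the target cluster rather than only reading from it. A docstring would carry that better than an inline comment, for example `"""Actively probe the API server: create a namespace (and, from the next hunk's context lines, apparently a cluster role), then pods and roles in each known namespace, publishing an event for every step that succeeds."""`, keeping the new comment for the first phase. It would also be worth stating that cleanup is best-effort: each delete call is attempted once and only reported when it returns a timestamp, so an object whose delete fails is presumably left behind in the cluster. The body of `execute` continues past this hunk.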
@@ -498,48 +499,48 @@ class AccessApiServerActive(ActiveHunter, AccessApiServer): name=cluster_role, delete_timestamp=delete_timestamp))) # Try attacking all the namespaces we know about - for namespace in self.event.namespaces: - # Try creating and deleting a privileged pod - pod_name = self.create_a_pod(namespace, True) - if pod_name: - self.publish_event(CreateAPrivilegedPod('Pod Name: {pod_name} Namespace: {namespace}'.format( - pod_name=pod_name, namespace=namespace))) - delete_time = self.delete_a_pod(namespace, pod_name) - if delete_time: - self.publish_event(DeleteAPod('Pod Name: {pod_name} deletion time: {delete_time}'.format( - pod_name=pod_name, delete_evidence=delete_time))) - - # Try creating, patching and deleting an unprivileged pod - pod_name = self.create_a_pod(namespace, False) - if pod_name: - self.publish_event(CreateAPod('Pod Name: {pod_name} Namespace: {namespace}'.format( - pod_name=pod_name, namespace=namespace))) + if self.event.namespaces: + for namespace in self.event.namespaces: + # Try creating and deleting a privileged pod + pod_name = self.create_a_pod(namespace, True) + if pod_name: + self.publish_event(CreateAPrivilegedPod('Pod Name: {pod_name} Namespace: {namespace}'.format( + pod_name=pod_name, namespace=namespace))) + delete_time = self.delete_a_pod(namespace, pod_name) + if delete_time: + self.publish_event(DeleteAPod('Pod Name: {pod_name} deletion time: {delete_time}'.format( + pod_name=pod_name, delete_evidence=delete_time))) + + # Try creating, patching and deleting an unprivileged pod + pod_name = self.create_a_pod(namespace, False) + if pod_name: + self.publish_event(CreateAPod('Pod Name: {pod_name} Namespace: {namespace}'.format( + pod_name=pod_name, namespace=namespace))) - patch_evidence = self.patch_a_pod(namespace, pod_name) - if patch_evidence: - self.publish_event(PatchAPod('Pod Name: {pod_name} Namespace: {namespace} Patch evidence: {patch_evidence}'.format( - pod_name=pod_name, namespace=namespace, - 
patch_evidence=patch_evidence))) + patch_evidence = self.patch_a_pod(namespace, pod_name) + if patch_evidence: + self.publish_event(PatchAPod('Pod Name: {pod_name} Namespace: {namespace} Patch evidence: {patch_evidence}'.format( + pod_name=pod_name, namespace=namespace, + patch_evidence=patch_evidence))) - delete_time = self.delete_a_pod(namespace, pod_name) - if delete_time: - self.publish_event(DeleteAPod('Pod Name: {pod_name} Namespace: {namespace} Delete time: {delete_time}'.format( - pod_name=pod_name, namespace=namespace, delete_time=delete_time))) + delete_time = self.delete_a_pod(namespace, pod_name) + if delete_time: + self.publish_event(DeleteAPod('Pod Name: {pod_name} Namespace: {namespace} Delete time: {delete_time}'.format( + pod_name=pod_name, namespace=namespace, delete_time=delete_time))) - # Roles Api Calls: - role = self.create_a_role(namespace) - if role: - self.publish_event(CreateARole('Role name: {name}'.format(name=role))) + role = self.create_a_role(namespace) + if role: + self.publish_event(CreateARole('Role name: {name}'.format(name=role))) - patch_evidence = self.patch_a_role(namespace, role) - if patch_evidence: - self.publish_event(PatchARole('Patched Role Name: {name} Namespace: {namespace} Patch evidence: {patch_evidence}'.format( - name=role, namespace=namespace, patch_evidence=patch_evidence))) + patch_evidence = self.patch_a_role(namespace, role) + if patch_evidence: + self.publish_event(PatchARole('Patched Role Name: {name} Namespace: {namespace} Patch evidence: {patch_evidence}'.format( + name=role, namespace=namespace, patch_evidence=patch_evidence))) - delete_time = self.delete_a_role(namespace, role) - if delete_time: - self.publish_event(DeleteARole('Deleted role: {name} Namespace: {namespace} Delete time: {delete_time}'.format( - name=role, namespace=namespace, delete_time=delete_time))) + delete_time = self.delete_a_role(namespace, role) + if delete_time: + self.publish_event(DeleteARole('Deleted role: {name} Namespace: 
{namespace} Delete time: {delete_time}'.format( + name=role, namespace=namespace, delete_time=delete_time))) # Note: we are not binding any role or cluster role because