github/kube-hunter
1
0
Fork 0
mirror of https://github.com/aquasecurity/kube-hunter.git synced 2026-05-11 03:37:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Only guard 'publish_event(ServiceAccountTokenAccess(..))' with needing the service account

Browse Source
This commit is contained in:
Nick Hibberd
2019-01-06 16:53:23 -08:00
parent 7a85962a0d
commit eb462086e0
1 changed files with 19 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
src/modules/hunting/apiserver.py
View File

@@ -328,56 +328,32 @@ class AccessApiServerViaServiceAccountToken(Hunter):
if self.get_service_account_token():
self.publish_event(ServiceAccountTokenAccess(self.service_account_token_evidence))
if self.access_api_server():
self.publish_event(ServerApiAccess(self.api_server_evidence))
if self.get_all_namespaces():
self.publish_event(ListAllNamespaces(self.all_namespaces_names_evidence))
if self.access_api_server():
self.publish_event(ServerApiAccess(self.api_server_evidence))
if self.get_pods_list_under_requested_scope():
self.publish_event(ListPodUnderAllNamespaces(self.namespaces_and_their_pod_names))
else:
if self.get_pods_list_under_requested_scope(scope='namespaces/default'):
self.publish_event(ListPodUnderDefaultNamespace(self.namespaces_and_their_pod_names))
if self.get_all_namespaces():
self.publish_event(ListAllNamespaces(self.all_namespaces_names_evidence))
if self.get_all_roles():
self.publish_event(ListAllRoles(self.all_roles_names_evidence))
else:
if self.get_roles_under_default_namespace():
self.publish_event(ListAllRolesUnderDefaultNamespace(
self.roles_names_under_default_namespace_evidence))
if self.get_all_cluster_roles():
self.publish_event(ListAllClusterRoles(self.all_cluster_roles_names_evidence))
# At this point we know we got the service_account_token, and we might got all of the namespaces
self.publish_event(ApiServerPassiveHunterFinished(self.all_namespaces_names_evidence,
self.service_account_token_evidence,
self.event.host, self.event.port))
if self.get_pods_list_under_requested_scope():
self.publish_event(ListPodUnderAllNamespaces(self.namespaces_and_their_pod_names))
else:
logging.debug('No service account token found, verifiying anonymous access.')
if self.get_all_namespaces():
self.publish_event(ListAllNamespaces(self.all_namespaces_names_evidence))
if self.get_pods_list_under_requested_scope(scope='namespaces/default'):
self.publish_event(ListPodUnderDefaultNamespace(self.namespaces_and_their_pod_names))
if self.get_pods_list_under_requested_scope():
self.publish_event(ListPodUnderAllNamespaces(self.namespaces_and_their_pod_names))
else:
if self.get_pods_list_under_requested_scope(scope='namespaces/default'):
self.publish_event(ListPodUnderDefaultNamespace(self.namespaces_and_their_pod_names))
if self.get_all_roles():
self.publish_event(ListAllRoles(self.all_roles_names_evidence))
else:
if self.get_roles_under_default_namespace():
self.publish_event(ListAllRolesUnderDefaultNamespace(
if self.get_all_roles():
self.publish_event(ListAllRoles(self.all_roles_names_evidence))
else:
if self.get_roles_under_default_namespace():
self.publish_event(ListAllRolesUnderDefaultNamespace(
self.roles_names_under_default_namespace_evidence))
if self.get_all_cluster_roles():
self.publish_event(ListAllClusterRoles(self.all_cluster_roles_names_evidence))
# At this point we know we got the service_account_token, and we might got all of the namespaces
self.publish_event(ApiServerPassiveHunterFinished(self.all_namespaces_names_evidence,
self.service_account_token_evidence,
self.event.host, self.event.port))
if self.get_all_cluster_roles():
self.publish_event(ListAllClusterRoles(self.all_cluster_roles_names_evidence))
# At this point we know we got the service_account_token, and we might got all of the namespaces
self.publish_event(ApiServerPassiveHunterFinished(self.all_namespaces_names_evidence,
self.service_account_token_evidence,
self.event.host, self.event.port))
# Active Hunter