* Introducing active hunters:
- FootholdViaSecureKubeletPort
- MaliciousIntentViaSecureKubeletPort
* Format
Updating code according to expected linting format.
* Format
Updating code according to expected linting format.
* Format
Updating code according to expected linting format.
* Format
Updating code according to expected linting format.
* Testing
Update code according to expected testing standards and implementation.
* Update documentation.
- Added some more mitigations and updated the references list.
* f-string is missing placeholders.
- flake8 is marking this line as an issue as it lacks a placeholder when indicating the use of f-string; corrected.
* Update kubelet.py
- Add network_timeout parameter into requests.post and requests.get execution.
* Update kubelet.py
- Modified name of variable.
* Update kubelet.py and test_kubelet.py
- Remove certificate authority.
* Update kubelet.py and test_kubelet.py.
- Introducing default number of rm attempts.
* Update kubelet.py and test_kubelet.py.
- Introduced number of rmdir and umount attempts.
* Update kubelet.py
- Modified filename to match kube-hunter description.
* Update several files.
- Instated the use of self.event.session for GET and POST requests.
- Testing modified accordingly to complete coverage of changes and introduced methods.
- Requirements changed such that the required version that supports sessions mocking is obtained.
* Update kubelet.py
- Introduced warnings for the following commands in case of failure: rm, rmdir, and umount.
* Update kubelet.py
- Remove "self.__class__.__name___" from self.event.evidence.
* Update kubelet.py
- Remove unnecessary message section.
* Update files.
- Address class change.
- Fix testing failure after removing message section.
* Update kubelet.py
- Provide POD and CONTAINER as part of the warning messages in the log.
Co-authored-by: Abdullah Garcia <abdullah.garcia@jpmorgan.com>
Co-authored-by: Yehuda Chikvashvili <yehudaac1@gmail.com>
Co-authored-by: danielsagi <danielsagi2009@gmail.com>
* fixed f string
* fixed wrong iteration on list when getting random pod
* added '/' suffix to path on kubelet debug handlers tests
* also fixed minor bug in etcd, protocol was referenced on the hunter and not on the event
* ran black format
* moved protocol to be https
* ran black again
* fixed PR comments
* ran black again, formatting
* added plugins submodule, created two hookspecs, one for adding arguments, one for running code after the argument parsing
* implemented plugins application on main file, changed mechanism for argument parsing
* changed previous parsing function to not create the ArgumentParser, and implemented it as a hook for the parsing mechanism
* added pluggy to required deps
* removed unnecessary add_config import
* fixed formatting using black
* restored main link file from master
* moved import of parser to right before the register call, to avoid circular imports
* added tests for the plugins hooks
* removed blank line space
* black reformat
* Remove plugins
Current usage of plugins is not pluggable and includes logging
stuff.
Move this to conf/logging.
* Removed dynamic imports
* Add tests for hunters registration
* Fix "none" logging
Test for different logging levels, existing and non-existing
Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
Co-authored-by: Yehuda Chikvashvili <yehudaac1@gmail.com>
* Add network operations timeout
This commit adds the --network-timeout flag, whose value will be used for
the network operations timeout, making it configurable so a demanding user
can set it to the desired value.
* Fix Dockerfile build
The Docker build used a 2-step installation of requirements
and application.
This was broken by #272.
Fixes #300
* Add dependencies cache for docker build
Caching installation requirements saves time when building
* Add PyInstaller build
Use PyInstaller to generate single binary.
Use staticx to generate a single static binary.
Resolves #301
* Add test Makefile target
Add test to Makefile.
Add requests_mock to dev dependencies.
* Initial Commit
Signed-off-by: Vipul Gupta (@vipulgupta2048) <vipulgupta2048@gmail.com>
* Suggestions implemented as suggested
Signed-off-by: Vipul Gupta (@vipulgupta2048) <vipulgupta2048@gmail.com>
* Package with setuptools
Use setuptools to package kube-hunter as redistributable file.
Once packaged, it can be pushed to PyPI.
The package version is taken from git tags (using setuptools_scm).
Closes #185
* Ignore __main__.py script in code coverage
The entrypoint script should not be tested but rather be calling
to tested modules.
Ideally, __main__ should only make a call to single function from
another tested module.
* Update requirements files
Use install_requires from setup.cfg file as single source of truth
for dependencies.
Install regular dependencies when installing dev dependencies.
* Symlink kube-hunter.py to entry point
Support the old way to run kube-hunter via the main script by making
a link to the new kube_hunter/__main__.py script.
Co-authored-by: Yehuda Chikvashvili <yehudaac1@gmail.com>
* Fix empty report when active hunting
Running kube-hunter active hunting with plain report
did not show any report.
This commit changes Vulnerability.vid default value
to "None" (previously None)
Closes #280
* Improve debug and exception messages
Debugging hunters execution is hard due to lack of debug
information. No indication is made when a hunter starts.
Exceptions were printed without stack trace, which made
it difficult to follow.
* Remove __main__ references and create a top-level config module
* Move conf module into separate standalone package
* Deprecate install_imports.py script
* Rename root package to kube_hunter
The previous src root package name was too generic and not unique,
so it can be used as external name.
Change `src` to `kube_hunter` so it can be referenced in a clear way.
Additional changes made on the way:
* Make imports absolute
* Formatting
Relates to #185
* remove todos
Co-authored-by: Ryan Lahfa <masterancpp@gmail.com>
Co-authored-by: Itay Shakury <itay@itaysk.com>
* Consider patched versions as not vulnerable by default
Change `--ignore-downstream` to `--ignore-patched-versions` and
invert its effect.
From now on, kube-hunter will not alert patched components as default
behavior.
Resolves #194
* Rename flag --ignore-patched-versions to --include-patched-versions
/usr/bin/env python generally defaults to the version set by the Linux flavour. On some distros it's python 2 and on others python 3; changing it to python3 might work.