* Refactored all categories to the new MITRE attack matrix format
* Changed format of vulnerabilities table to display the mitre technique related to the vulnerability
* removed redundant call for /pods again from /var/log mount hunter, by using multiple subscription
* fixed new linting
* fixed linting with exceptions
* Add a new dependency on Kubernetes package
* Add and store a new flag about automatic nodes discovery from a pod
* Implement the listing of nodes
* Add tests to cover the k8s node listing
* Fix the k8s listing test to ensure the load incluster function is actually called
* Add more help to the k8s node discovery flags, and cross-reference them.
* Add a note on the Kubernetes auto-discovery in the main README file
* Move the kubernetes discovery from conf to modules/discovery
* When running with --pods, run the Kubernetes auto discovery
* Also mention that the auto discovery is always on when using --pod
Co-authored-by: Mikolaj Pawlikowski <mpawlikowsk1@bloomberg.net>
* Add multiple subscription mechanism
* PR: address comments
* improved implementation, solved a couple of bugs, added documentation to almost the whole backend process
* added corresponding tests to the new method of the multiple subscription
* fixed linting issue
* fixed linting #2
Co-authored-by: Raito Bezarius <masterancpp@gmail.com>
* removed false negative in AzureSpnHunter when /run is disabled
* changed to use direct imported class
* fixed multiple bugs in azure spn hunting, and improved efficiency
* fixed bug in cloud identification. TODO: remove the outsourcing for cloud provider
* removed unused config variable
* fixed tests to use already parsed pods as the given previous event has changed
* Introducing active hunters:
- FootholdViaSecureKubeletPort
- MaliciousIntentViaSecureKubeletPort
* Format
Updating code according to expected linting format.
* Format
Updating code according to expected linting format.
* Format
Updating code according to expected linting format.
* Format
Updating code according to expected linting format.
* Testing
Update code according to expected testing standards and implementation.
* Update documentation.
- Added some more mitigations and updated the references list.
* f-string is missing placeholders.
- flake8 is marking this line as an issue as it lacks a placeholder when indicating the use of f-string; corrected.
* Update kubelet.py
- Add network_timeout parameter into requests.post and requests.get execution.
* Update kubelet.py
- Modified name of variable.
* Update kubelet.py and test_kubelet.py
- Remove certificate authority.
* Update kubelet.py and test_kubelet.py.
- Introducing default number of rm attempts.
* Update kubelet.py and test_kubelet.py.
- Introduced number of rmdir and umount attempts.
* Update kubelet.py
- Modified filename to match kube-hunter description.
* Update several files.
- Instated the use of self.event.session for GET and POST requests.
- Testing modified accordingly to complete coverage of changes and introduced methods.
- Requirements changed such that the required version that supports sessions mocking is obtained.
* Update kubelet.py
- Introduced warnings for the following commands in case of failure: rm, rmdir, and umount.
* Update kubelet.py
- Remove "self.__class__.__name___" from self.event.evidence.
* Update kubelet.py
- Remove unnecessary message section.
* Update files.
- Address class change.
- Fix testing failure after removing message section.
* Update kubelet.py
- Provide POD and CONTAINER as part of the warning messages in the log.
Co-authored-by: Abdullah Garcia <abdullah.garcia@jpmorgan.com>
Co-authored-by: Yehuda Chikvashvili <yehudaac1@gmail.com>
Co-authored-by: danielsagi <danielsagi2009@gmail.com>
* added plugins submodule, created two hookspecs, one for adding arguments, one for running code after the argument parsing
* implemented plugins application on main file, changed mechanism for argument parsing
* changed previous parsing function to not create the ArgumentParser, and implemented it as a hook for the parsing mechanism
* added pluggy to required deps
* removed unnecessary add_config import
* fixed formatting using black
* restored main link file from master
* moved import of parser to right before the register call, to avoid circular imports
* added tests for the plugins hooks
* removed blank line space
* black reformat
* Remove plugins
Current usage of plugins is not pluggable and includes logging
stuff.
Move this to conf/logging.
* Removed dynamic imports
* Add tests for hunters registration
* Fix "none" logging
Test for different logging levels, existing and non-existing
Co-authored-by: yoavrotems <yoavrotems97@gmail.com>
Co-authored-by: Yehuda Chikvashvili <yehudaac1@gmail.com>
* Remove __main__ references and create a top-level config module
* Move conf module into separate standalone package
* Deprecate install_imports.py script
* Rename root package to kube_hunter
The previous src root package name was too generic and not unique,
so it can be used as external name.
Change `src` to `kube_hunter` so it can be referenced in a clear way.
Additional changes made on the way:
* Make imports absolute
* Formatting
Relates to #185
* remove todos
Co-authored-by: Ryan Lahfa <masterancpp@gmail.com>
Co-authored-by: Itay Shakury <itay@itaysk.com>
* Consider patched versions as not vulnerable by default
Change `--ignore-downstream` to `--ignore-patched-versions` and
invert its effect.
From now on, kube-hunter will not alert patched components as default
behavior.
Resolves #194
* Rename flag --ignore-patched-versions to --include-patched-versions
* Ignore downstream version flag
This commit adds `--ignore-downstream` flag to kube-hunter.
Enabling the flag will make kube-hunter consider patched versions
as not vulnerable.
Resolves #179
* Add test cases and refine argument description
* added basic metrics server discovery
* improved discovery, and added KNOWN PORTS usage
* improved apiserver decision
* fixed bug with comparison of IP addresses in kubeservicehost
* improved description of api server discovery
* added checks with auth_token on discovery
* fixed bug in version requests and added to tests
* added an abstract 'unrecognized API' event, and a filter for it for classification
* changed filtering to be done on the same event
* fixed verify on session and removed unnecessary enum
* minor changes to comments
* added detailed explanation
* changed version hunting to be on a new version disclosure vulnerability
* fixed version publish
* added logging and fixed typo
* changed whole way of comparing versions in cve hunter
* changed K8sVersionDisclosure vulnerability to one core vulnerability, that takes an endpoint. changed all usage
* added tests
* merged kubectl cve hunting with apiserver hunting. and simplified the code of apiserver cve hunting
* fixed tests to new names
* changed name of module to cves.py
* drastically improved the cve vulnerable detection utility function. now works with all types of versioning methods
* added packaging in requirements.txt
* added another test, and improved logic on cve comparison for more complicated versions
* changed CveHunter to subscribe_once, to prevent duplicates
* fixed tests for new improvements
* removed unnecessary ternary on doc
* removed unnecessary join split
* improved compare function, made it util
* improved cve checking to use mapping