minor readme change

README.md

@@ -27,21 +27,27 @@ kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was d
 Table of Contents
 =================
 
-* [Hunting](#hunting)
-   * [Where should I run kube-hunter?](#where-should-i-run-kube-hunter)
-   * [Scanning options](#scanning-options)
-   * [Active Hunting](#active-hunting)
-   * [List of tests](#list-of-tests)
-   * [Nodes Mapping](#nodes-mapping)
-   * [Output](#output)
-   * [Dispatching](#dispatching)
-   * [Advanced Usage](#advanced-usage)
-* [Deployment](#deployment)
-   * [On Machine](#on-machine)
-      * [Prerequisites](#prerequisites)
-   * [Container](#container)
-   * [Pod](#pod)
-* [Contribution](#contribution)
+- [Table of Contents](#table-of-contents)
+  - [Hunting](#hunting)
+    - [Where should I run kube-hunter?](#where-should-i-run-kube-hunter)
+    - [Scanning options](#scanning-options)
+    - [Authentication](#authentication)
+    - [Active Hunting](#active-hunting)
+    - [List of tests](#list-of-tests)
+    - [Nodes Mapping](#nodes-mapping)
+    - [Output](#output)
+    - [Dispatching](#dispatching)
+    - [Advanced Usage](#advanced-usage)
+      - [Azure Quick Scanning](#azure-quick-scanning)
+  - [Deployment](#deployment)
+    - [On Machine](#on-machine)
+      - [Prerequisites](#prerequisites)
+        - [Install with pip](#install-with-pip)
+        - [Run from source](#run-from-source)
+    - [Container](#container)
+    - [Pod](#pod)
+  - [Contribution](#contribution)
+  - [License](#license)
          
 ## Hunting
 
@@ -53,7 +59,7 @@ Run kube-hunter on any machine (including your laptop), select Remote scanning a
 
 You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.
 
-You can also run kube-hunter in a pod within the cluster. This indicates how exposed your cluster would be if one of your application pods is compromised (through a software vulnerability, for example).
+You can also run kube-hunter in a pod within the cluster. This indicates how exposed your cluster would be if one of your application pods is compromised (through a software vulnerability, for example). (_`--pod` flag_)
 
 ### Scanning options
 
@@ -82,6 +88,20 @@ Set `--k8s-auto-discover-nodes` flag to query Kubernetes for all nodes in the cl
 
 Also note, that this is always done when using `--pod` mode.
 
+### Authentication
+In order to mimic an attacker in it's early stages, kube-hunter requires no authentication for the hunt. 
+
+* **Impersonate** - You can provide kube-hunter with a specific service account token to use when hunting by manually passing the JWT Bearer token of the service-account secret with the `--service-account-token` flag. 
+
+   Example:
+   ```bash
+   $ kube-hunter --active --service-account-token eyJhbGciOiJSUzI1Ni...
+   ```
+
+* When runing with `--pod` flag, kube-hunter uses the service account token [mounted inside the pod](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/) to authenticate to services it finds during the hunt.
+  * if specified, `--service-account-token` flag takes priority when running as a pod
+
+
 ### Active Hunting
 
 Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, to explore for further vulnerabilities.

kube_hunter/__main__.py

@@ -26,6 +26,7 @@ config = Config(
     remote=args.remote,
     statistics=args.statistics,
     k8s_auto_discover_nodes=args.k8s_auto_discover_nodes,
+    service_account_token=args.service_account_token,
     kubeconfig=args.kubeconfig,
 )
 setup_logger(args.log, args.log_file)

kube_hunter/conf/__init__.py

@@ -37,6 +37,7 @@ class Config:
     reporter: Optional[Any] = None
     statistics: bool = False
     k8s_auto_discover_nodes: bool = False
+    service_account_token: Optional[str] = None
     kubeconfig: Optional[str] = None
 
 

kube_hunter/conf/parser.py

@@ -57,6 +57,14 @@ def parser_add_arguments(parser):
         "NOTE: this is automatically switched on in --pod mode.",
     )
 
+    parser.add_argument(
+        "--service-account-token",
+        type=str,
+        metavar="JWT_TOKEN",
+        help="Manually specify the service account jwt token to use for authenticating in the hunting process "
+        "NOTE: This overrides the loading of the pod's bounded authentication when running in --pod mode",
+    )
+
     parser.add_argument(
         "--kubeconfig",
         type=str,

kube_hunter/core/events/types.py

@@ -83,6 +83,12 @@ class Service:
         self.path = path
         self.role = "Node"
 
+        # if a service account token was specified, we load it to the Service class
+        # We load it here because generally all kuberentes services could be authenticated with the token
+        config = get_config()
+        if config.service_account_token:
+            self.auth_token = config.service_account_token
+
     def get_name(self):
         return self.name
 

kube_hunter/modules/discovery/hosts.py

@@ -19,11 +19,17 @@ logger = logging.getLogger(__name__)
 class RunningAsPodEvent(Event):
     def __init__(self):
         self.name = "Running from within a pod"
-        self.auth_token = self.get_service_account_file("token")
         self.client_cert = self.get_service_account_file("ca.crt")
         self.namespace = self.get_service_account_file("namespace")
         self.kubeservicehost = os.environ.get("KUBERNETES_SERVICE_HOST", None)
 
+        # if service account token was manually specified, we don't load the token file
+        config = get_config()
+        if config.service_account_token:
+            self.auth_token = config.service_account_token
+        else:
+            self.auth_token = self.get_service_account_file("token")
+
     # Event's logical location to be used mainly for reports.
     def location(self):
         location = "Local to Pod"