Merge branch 'master' into fix_audit_log_proving

Added docs for exposed pods (#407 )
* added doc _kb for exposed pods * correlated the new khv to the Exposed pods vulnerability * fixed linting
2026-03-01 01:00:25 +00:00 · 2020-11-17 19:42:26 +02:00 · 2020-11-17 15:22:06 +02:00 · 2020-11-15 17:27:28 +02:00 · 2020-11-15 15:25:45 +02:00
2 changed files with 37 additions and 12 deletions
--- a/docs/_kb/KHV052.md
+++ b/docs/_kb/KHV052.md
@@ -0,0 +1,23 @@
+---
+vid: KHV052
+title: Exposed Pods
+categories: [Information Disclosure]
+---
+
+# {{ page.vid }} - {{ page.title }}
+
+## Issue description
+
+An attacker could view sensitive information about pods that are bound to a Node using the exposed /pods endpoint
+This can be done either by accessing the readonly port (default 10255), or from the secure kubelet port (10250)
+
+## Remediation
+
+Ensure kubelet is protected using `--anonymous-auth=false` kubelet flag. Allow only legitimate users using `--client-ca-file` or `--authentication-token-webhook` kubelet flags. This is usually done by the installer or cloud provider.
+
+Disable the readonly port by using `--read-only-port=0` kubelet flag.
+
+## References
+
+- [Kubelet configuration](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/)
+- [Kubelet authentication/authorization](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)
--- a/kube_hunter/modules/hunting/kubelet.py
+++ b/kube_hunter/modules/hunting/kubelet.py
@@ -35,10 +35,7 @@ class ExposedPodsHandler(Vulnerability, Event):

    def __init__(self, pods):
        Vulnerability.__init__(
-            self,
-            component=Kubelet,
-            name="Exposed Pods",
-            category=InformationDisclosure,
+            self, component=Kubelet, name="Exposed Pods", category=InformationDisclosure, vid="KHV052"
        )
        self.pods = pods
        self.evidence = f"count: {len(self.pods)}"
@@ -1139,11 +1136,16 @@ class ProveSystemLogs(ActiveHunter):
            f"{self.base_url}/" + KubeletHandlers.LOGS.value.format(path="audit/audit.log"),
            verify=False,
            timeout=config.network_timeout,
-        ).text
-        logger.debug(f"Audit log of host {self.event.host}: {audit_logs[:10]}")
-        # iterating over proctitles and converting them into readable strings
-        proctitles = []
-        for proctitle in re.findall(r"proctitle=(\w+)", audit_logs):
-            proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
-        self.event.proctitles = proctitles
-        self.event.evidence = f"audit log: {proctitles}"
+        )
+
+        # TODO: add more methods for proving system logs
+        if audit_logs.status_code == requests.status_codes.codes.OK:
+            logger.debug(f"Audit log of host {self.event.host}: {audit_logs.text[:10]}")
+            # iterating over proctitles and converting them into readable strings
+            proctitles = []
+            for proctitle in re.findall(r"proctitle=(\w+)", audit_logs.text):
+                proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
+            self.event.proctitles = proctitles
+            self.event.evidence = f"audit log: {proctitles}"
+        else:
+            self.event.evidence = "Could not parse system logs"
Author	SHA1	Message	Date
danielsagi	e8c9ebbfe1	Merge branch 'master' into fix_audit_log_proving	2020-11-17 19:42:26 +02:00
danielsagi	bf7023d01c	Added docs for exposed pods (#407 ) * added doc _kb for exposed pods * correlated the new khv to the Exposed pods vulnerability * fixed linting	2020-11-17 15:22:06 +02:00
Daniel Sagi	0c0ab6172f	fixed linting	2020-11-15 17:27:28 +02:00
Daniel Sagi	afe0cff6ed	fixed wrong message for when proving audit logs	2020-11-15 15:25:45 +02:00