Update KHV005.md (#403 )

Support Python 3.9 (#393 ) (#400 )
Co-authored-by: danielsagi <danielsagi2009@gmail.com>
2026-03-01 09:10:29 +00:00 · 2020-11-08 18:42:41 +02:00 · 2020-11-07 15:59:44 +02:00 · 2020-11-07 15:16:14 +02:00 · 2020-11-07 15:07:39 +02:00 · 2020-11-07 15:01:30 +02:00
16 changed files with 108 additions and 12 deletions
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@@ -0,0 +1,14 @@
+name: Greetings
+
+on: [pull_request, issues]
+
+jobs:
+  greeting:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/first-interaction@v1
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        issue-message: "Hola! @${{ github.actor }} 🥳 , You've just created an Issue!🌟 Thanks for making the Project Better"
+        pr-message: 'Submitted a PR already ?? @${{ github.actor }} . Sit tight until one of our amazing maintainers review it. Make sure you read the contributing guide'
+ 
--- a/.gitignore
+++ b/.gitignore
@@ -24,6 +24,7 @@ var/
 *.egg
 *.spec
 .eggs
+pip-wheel-metadata

 # Directory Cache Files
 .DS_Store
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,6 +5,7 @@ python:
    - "3.6"
    - "3.7"
    - "3.8"
+    - "3.9"
 install:
  - pip install -r requirements.txt
  - pip install -r requirements-dev.txt
--- a/README.md
+++ b/README.md
@@ -34,6 +34,7 @@ Table of Contents
      * [Prerequisites](#prerequisites)
   * [Container](#container)
   * [Pod](#pod)
+* [Contribution](#contribution)
         
 ## Hunting

@@ -174,5 +175,8 @@ The example `job.yaml` file defines a Job that will run kube-hunter in a pod, us
 * Find the pod name with `kubectl describe job kube-hunter`
 * View the test results with `kubectl logs <pod name>`

+## Contribution 
+To read the contribution guidelines, <a href="https://github.com/aquasecurity/kube-hunter/blob/master/CONTRIBUTING.md"> Click here </a>
+
 ## License
 This repository is available under the [Apache License 2.0](https://github.com/aquasecurity/kube-hunter/blob/master/LICENSE).
--- a/docs/_kb/KHV005.md
+++ b/docs/_kb/KHV005.md
@@ -12,7 +12,7 @@ Kubernetes API was accessed with Pod Service Account or without Authentication (

 ## Remediation

-Secure acess to your Kubernetes API.
+Secure access to your Kubernetes API.

 It is recommended to explicitly specify a Service Account for all of your workloads (`serviceAccountName` in `Pod.Spec`), and manage their permissions according to the least privilege principal.

@@ -21,4 +21,4 @@ Consider opting out automatic mounting of SA token using `automountServiceAccoun

 ## References

- [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
+- [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
--- a/kube-hunter-screenshot.png
+++ b/kube-hunter-screenshot.png
--- a/kube-hunter.png
+++ b/kube-hunter.png
--- a/kube_hunter/main.py
+++ b/kube_hunter/main.py
@@ -18,6 +18,7 @@ config = Config(
    cidr=args.cidr,
    include_patched_versions=args.include_patched_versions,
    interface=args.interface,
+    log_file=args.log_file,
    mapping=args.mapping,
    network_timeout=args.network_timeout,
    pod=args.pod,
@@ -25,7 +26,7 @@ config = Config(
    remote=args.remote,
    statistics=args.statistics,
 )
-setup_logger(args.log)
+setup_logger(args.log, args.log_file)
 set_config(config)

 # Running all other registered plugins before execution
--- a/kube_hunter/conf/init.py
+++ b/kube_hunter/conf/init.py
@@ -13,6 +13,7 @@ class Config:
    - interface: Interface scanning mode
    - list_hunters: Print a list of existing hunters
    - log_level: Log level
+    - log_file: Log File path
    - mapping: Report only found components
    - network_timeout: Timeout for network operations
    - pod: From pod scanning mode
@@ -27,6 +28,7 @@ class Config:
    dispatcher: Optional[Any] = None
    include_patched_versions: bool = False
    interface: bool = False
+    log_file: Optional[str] = None
    mapping: bool = False
    network_timeout: float = 5.0
    pod: bool = False
--- a/kube_hunter/conf/logging.py
+++ b/kube_hunter/conf/logging.py
@@ -1,6 +1,5 @@
 import logging

-
 DEFAULT_LEVEL = logging.INFO
 DEFAULT_LEVEL_NAME = logging.getLevelName(DEFAULT_LEVEL)
 LOG_FORMAT = "%(asctime)s %(levelname)s %(name)s %(message)s"
@@ -10,7 +9,7 @@ logging.getLogger("scapy.runtime").setLevel(logging.CRITICAL)
 logging.getLogger("scapy.loading").setLevel(logging.CRITICAL)


-def setup_logger(level_name):
+def setup_logger(level_name, logfile):
    # Remove any existing handlers
    # Unnecessary in Python 3.8 since `logging.basicConfig` has `force` parameter
    for h in logging.getLogger().handlers[:]:
@@ -22,6 +21,9 @@ def setup_logger(level_name):
    else:
        log_level = getattr(logging, level_name.upper(), None)
        log_level = log_level if isinstance(log_level, int) else None
-        logging.basicConfig(level=log_level or DEFAULT_LEVEL, format=LOG_FORMAT)
+        if logfile is None:
+            logging.basicConfig(level=log_level or DEFAULT_LEVEL, format=LOG_FORMAT)
+        else:
+            logging.basicConfig(filename=logfile, level=log_level or DEFAULT_LEVEL, format=LOG_FORMAT)
        if not log_level:
            logging.warning(f"Unknown log level '{level_name}', using {DEFAULT_LEVEL_NAME}")
--- a/kube_hunter/conf/parser.py
+++ b/kube_hunter/conf/parser.py
@@ -56,6 +56,13 @@ def parser_add_arguments(parser):
        help="Set log level, options are: debug, info, warn, none",
    )

+    parser.add_argument(
+        "--log-file",
+        type=str,
+        default=None,
+        help="Path to a log file to output all logs to",
+    )
+
    parser.add_argument(
        "--report",
        type=str,
--- a/kube_hunter/modules/hunting/aks.py
+++ b/kube_hunter/modules/hunting/aks.py
@@ -46,11 +46,16 @@ class AzureSpnHunter(Hunter):
            logger.debug("failed getting pod info")
        else:
            pods_data = r.json().get("items", [])
+            suspicious_volume_names = []
            for pod_data in pods_data:
-                for container in pod_data["spec"]["containers"]:
-                    for mount in container["volumeMounts"]:
-                        path = mount["mountPath"]
+                for volume in pod_data["spec"].get("volumes", []):
+                    if volume.get("hostPath"):
+                        path = volume["hostPath"]["path"]
                        if "/etc/kubernetes/azure.json".startswith(path):
+                            suspicious_volume_names.append(volume["name"])
+                for container in pod_data["spec"]["containers"]:
+                    for mount in container.get("volumeMounts", []):
+                        if mount["name"] in suspicious_volume_names:
                            return {
                                "name": container["name"],
                                "pod": pod_data["metadata"]["name"],
--- a/kube_hunter/modules/report/plain.py
+++ b/kube_hunter/modules/report/plain.py
@@ -9,7 +9,7 @@ from kube_hunter.modules.report.collector import (
    vulnerabilities_lock,
 )

-EVIDENCE_PREVIEW = 40
+EVIDENCE_PREVIEW = 100
 MAX_TABLE_WIDTH = 20
 KB_LINK = "https://github.com/aquasecurity/kube-hunter/tree/master/docs/_kb"

--- a/setup.cfg
+++ b/setup.cfg
@@ -22,6 +22,8 @@ classifiers =
    Programming Language :: Python :: 3.6
    Programming Language :: Python :: 3.7
    Programming Language :: Python :: 3.8
+    Programming Language :: Python :: 3.9
+    Programming Language :: Python :: 3 :: Only
    Topic :: Security

 [options]
--- a/tests/conf/test_logging.py
+++ b/tests/conf/test_logging.py
@@ -11,12 +11,13 @@ def test_setup_logger_level():
        ("NOTEXISTS", logging.INFO),
        ("BASIC_FORMAT", logging.INFO),
    ]
+    logFile = None
    for level, expected in test_cases:
-        setup_logger(level)
+        setup_logger(level, logFile)
        actual = logging.getLogger().getEffectiveLevel()
        assert actual == expected, f"{level} level should be {expected} (got {actual})"


 def test_setup_logger_none():
-    setup_logger("NONE")
+    setup_logger("NONE", None)
    assert logging.getLogger().manager.disable == logging.CRITICAL
--- a/tests/hunting/test_aks.py
+++ b/tests/hunting/test_aks.py
@@ -0,0 +1,56 @@
+# flake8: noqa: E402
+import requests_mock
+
+from kube_hunter.conf import Config, set_config
+
+set_config(Config())
+
+from kube_hunter.modules.hunting.kubelet import ExposedRunHandler
+from kube_hunter.modules.hunting.aks import AzureSpnHunter
+
+
+def test_AzureSpnHunter():
+    e = ExposedRunHandler()
+    e.host = "mockKubernetes"
+    e.port = 443
+    e.protocol = "https"
+
+    pod_template = '{{"items":[ {{"apiVersion":"v1","kind":"Pod","metadata":{{"name":"etc","namespace":"default"}},"spec":{{"containers":[{{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{{"mountPath":"/mp","name":"v"}}]}}],"volumes":[{{"hostPath":{{"path":"{}"}},"name":"v"}}]}}}} ]}}'
+
+    bad_paths = ["/", "/etc", "/etc/", "/etc/kubernetes", "/etc/kubernetes/azure.json"]
+    good_paths = ["/yo", "/etc/yo", "/etc/kubernetes/yo.json"]
+
+    for p in bad_paths:
+        with requests_mock.Mocker() as m:
+            m.get("https://mockKubernetes:443/pods", text=pod_template.format(p))
+            h = AzureSpnHunter(e)
+            c = h.get_key_container()
+            assert c
+
+    for p in good_paths:
+        with requests_mock.Mocker() as m:
+            m.get("https://mockKubernetes:443/pods", text=pod_template.format(p))
+            h = AzureSpnHunter(e)
+            c = h.get_key_container()
+            assert c == None
+
+    with requests_mock.Mocker() as m:
+        pod_no_volume_mounts = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}],"volumes":[{"hostPath":{"path":"/whatever"},"name":"v"}]}} ]}'
+        m.get("https://mockKubernetes:443/pods", text=pod_no_volume_mounts)
+        h = AzureSpnHunter(e)
+        c = h.get_key_container()
+        assert c == None
+
+    with requests_mock.Mocker() as m:
+        pod_no_volumes = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}]}} ]}'
+        m.get("https://mockKubernetes:443/pods", text=pod_no_volumes)
+        h = AzureSpnHunter(e)
+        c = h.get_key_container()
+        assert c == None
+
+    with requests_mock.Mocker() as m:
+        pod_other_volume = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{"mountPath":"/mp","name":"v"}]}],"volumes":[{"emptyDir":{},"name":"v"}]}} ]}'
+        m.get("https://mockKubernetes:443/pods", text=pod_other_volume)
+        h = AzureSpnHunter(e)
+        c = h.get_key_container()
+        assert c == None
Author	SHA1	Message	Date
Sinith	a476d9383f	Update KHV005.md (#403 )	2020-11-08 18:42:41 +02:00
Hugo van Kemenade	6a3c7a885a	Support Python 3.9 (#393 ) (#400 ) Co-authored-by: danielsagi <danielsagi2009@gmail.com>	2020-11-07 15:59:44 +02:00
A N U S H	b6be309651	Added Greeting Github Actions (#382 ) * Added Greeting Github Actions * feat: Updated the Message Co-authored-by: danielsagi <danielsagi2009@gmail.com>	2020-11-07 15:16:14 +02:00
Monish Singh	0d5b3d57d3	added the link of contribution page (#383 ) * added the link of contribution page users can directly go to the contribution page from here after reading the readme file * added it to the table of contents * Done sorry for my prev. mistake, now its fixed. Co-authored-by: danielsagi <danielsagi2009@gmail.com>	2020-11-07 15:07:39 +02:00
Milind Chawre	69057acf9b	Adding --log-file option (#329 ) (#387 )	2020-11-07 15:01:30 +02:00
Itay Shakury	e63200139e	fix azure spn hunter (#372 ) * fix azure spn hunter * fix issues * restore tests * code style Co-authored-by: danielsagi <danielsagi2009@gmail.com>	2020-10-19 13:53:50 +03:00
Itay Shakury	ad4cfe1c11	update gitignore (#371 ) Co-authored-by: danielsagi <danielsagi2009@gmail.com>	2020-10-19 13:03:46 +03:00
Zoltán Reegn	24b5a709ad	Increase evidence field length in plain report (#385 ) Given that the Description tends to go over 100 characters as well, it seems appropriate to loosen the restriction of the evidence field. Fixes #111 Co-authored-by: danielsagi <danielsagi2009@gmail.com>	2020-10-19 12:49:43 +03:00
Jeff Rescignano	9cadc0ee41	Optimize images (#389 )	2020-10-19 12:27:22 +03:00
danielsagi	3950a1c2f2	Fixed bug in etcd hunting (#364 ) * fixed etcd version hunting typo * changed self.protocol in other places on etcd hunting. this is a typo, protocol is a property of events, not hunters Co-authored-by: Daniel Sagi <daniel@example.com> Co-authored-by: Liz Rice <liz@lizrice.com>	2020-09-04 13:28:03 +01:00