Merge branch 'master' into fix-hunting-bugs

2026-03-01 01:00:25 +00:00 · 2020-09-04 12:15:52 +01:00 · 2020-09-04 12:02:12 +01:00 · 2020-09-04 09:44:14 +01:00 · 2020-08-21 05:46:28 -07:00 · 2020-08-21 05:18:12 -07:00
16 changed files with 12 additions and 108 deletions
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@@ -1,14 +0,0 @@
-name: Greetings
-
-on: [pull_request, issues]
-
-jobs:
-  greeting:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/first-interaction@v1
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        issue-message: "Hola! @${{ github.actor }} 🥳 , You've just created an Issue!🌟 Thanks for making the Project Better"
-        pr-message: 'Submitted a PR already ?? @${{ github.actor }} . Sit tight until one of our amazing maintainers review it. Make sure you read the contributing guide'
- 
--- a/.gitignore
+++ b/.gitignore
@@ -24,7 +24,6 @@ var/
 *.egg
 *.spec
 .eggs
-pip-wheel-metadata

 # Directory Cache Files
 .DS_Store
--- a/.travis.yml
+++ b/.travis.yml
@@ -5,7 +5,6 @@ python:
    - "3.6"
    - "3.7"
    - "3.8"
-    - "3.9"
 install:
  - pip install -r requirements.txt
  - pip install -r requirements-dev.txt
--- a/README.md
+++ b/README.md
@@ -34,7 +34,6 @@ Table of Contents
      * [Prerequisites](#prerequisites)
   * [Container](#container)
   * [Pod](#pod)
-* [Contribution](#contribution)
         
 ## Hunting

@@ -175,8 +174,5 @@ The example `job.yaml` file defines a Job that will run kube-hunter in a pod, us
 * Find the pod name with `kubectl describe job kube-hunter`
 * View the test results with `kubectl logs <pod name>`

-## Contribution 
-To read the contribution guidelines, <a href="https://github.com/aquasecurity/kube-hunter/blob/master/CONTRIBUTING.md"> Click here </a>
-
 ## License
 This repository is available under the [Apache License 2.0](https://github.com/aquasecurity/kube-hunter/blob/master/LICENSE).
--- a/docs/_kb/KHV005.md
+++ b/docs/_kb/KHV005.md
@@ -12,7 +12,7 @@ Kubernetes API was accessed with Pod Service Account or without Authentication (

 ## Remediation

-Secure access to your Kubernetes API.
+Secure acess to your Kubernetes API.

 It is recommended to explicitly specify a Service Account for all of your workloads (`serviceAccountName` in `Pod.Spec`), and manage their permissions according to the least privilege principal.

@@ -21,4 +21,4 @@ Consider opting out automatic mounting of SA token using `automountServiceAccoun

 ## References

- [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
+- [Configure Service Accounts for Pods](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/)
--- a/kube-hunter-screenshot.png
+++ b/kube-hunter-screenshot.png
--- a/kube-hunter.png
+++ b/kube-hunter.png
--- a/kube_hunter/main.py
+++ b/kube_hunter/main.py
@@ -18,7 +18,6 @@ config = Config(
    cidr=args.cidr,
    include_patched_versions=args.include_patched_versions,
    interface=args.interface,
-    log_file=args.log_file,
    mapping=args.mapping,
    network_timeout=args.network_timeout,
    pod=args.pod,
@@ -26,7 +25,7 @@ config = Config(
    remote=args.remote,
    statistics=args.statistics,
 )
-setup_logger(args.log, args.log_file)
+setup_logger(args.log)
 set_config(config)

 # Running all other registered plugins before execution
--- a/kube_hunter/conf/init.py
+++ b/kube_hunter/conf/init.py
@@ -13,7 +13,6 @@ class Config:
    - interface: Interface scanning mode
    - list_hunters: Print a list of existing hunters
    - log_level: Log level
-    - log_file: Log File path
    - mapping: Report only found components
    - network_timeout: Timeout for network operations
    - pod: From pod scanning mode
@@ -28,7 +27,6 @@ class Config:
    dispatcher: Optional[Any] = None
    include_patched_versions: bool = False
    interface: bool = False
-    log_file: Optional[str] = None
    mapping: bool = False
    network_timeout: float = 5.0
    pod: bool = False
--- a/kube_hunter/conf/logging.py
+++ b/kube_hunter/conf/logging.py
@@ -1,5 +1,6 @@
 import logging

+
 DEFAULT_LEVEL = logging.INFO
 DEFAULT_LEVEL_NAME = logging.getLevelName(DEFAULT_LEVEL)
 LOG_FORMAT = "%(asctime)s %(levelname)s %(name)s %(message)s"
@@ -9,7 +10,7 @@ logging.getLogger("scapy.runtime").setLevel(logging.CRITICAL)
 logging.getLogger("scapy.loading").setLevel(logging.CRITICAL)


-def setup_logger(level_name, logfile):
+def setup_logger(level_name):
    # Remove any existing handlers
    # Unnecessary in Python 3.8 since `logging.basicConfig` has `force` parameter
    for h in logging.getLogger().handlers[:]:
@@ -21,9 +22,6 @@ def setup_logger(level_name, logfile):
    else:
        log_level = getattr(logging, level_name.upper(), None)
        log_level = log_level if isinstance(log_level, int) else None
-        if logfile is None:
-            logging.basicConfig(level=log_level or DEFAULT_LEVEL, format=LOG_FORMAT)
-        else:
-            logging.basicConfig(filename=logfile, level=log_level or DEFAULT_LEVEL, format=LOG_FORMAT)
+        logging.basicConfig(level=log_level or DEFAULT_LEVEL, format=LOG_FORMAT)
        if not log_level:
            logging.warning(f"Unknown log level '{level_name}', using {DEFAULT_LEVEL_NAME}")
--- a/kube_hunter/conf/parser.py
+++ b/kube_hunter/conf/parser.py
@@ -56,13 +56,6 @@ def parser_add_arguments(parser):
        help="Set log level, options are: debug, info, warn, none",
    )

-    parser.add_argument(
-        "--log-file",
-        type=str,
-        default=None,
-        help="Path to a log file to output all logs to",
-    )
-
    parser.add_argument(
        "--report",
        type=str,
--- a/kube_hunter/modules/hunting/aks.py
+++ b/kube_hunter/modules/hunting/aks.py
@@ -46,16 +46,11 @@ class AzureSpnHunter(Hunter):
            logger.debug("failed getting pod info")
        else:
            pods_data = r.json().get("items", [])
-            suspicious_volume_names = []
            for pod_data in pods_data:
-                for volume in pod_data["spec"].get("volumes", []):
-                    if volume.get("hostPath"):
-                        path = volume["hostPath"]["path"]
-                        if "/etc/kubernetes/azure.json".startswith(path):
-                            suspicious_volume_names.append(volume["name"])
                for container in pod_data["spec"]["containers"]:
-                    for mount in container.get("volumeMounts", []):
-                        if mount["name"] in suspicious_volume_names:
+                    for mount in container["volumeMounts"]:
+                        path = mount["mountPath"]
+                        if "/etc/kubernetes/azure.json".startswith(path):
                            return {
                                "name": container["name"],
                                "pod": pod_data["metadata"]["name"],
--- a/kube_hunter/modules/report/plain.py
+++ b/kube_hunter/modules/report/plain.py
@@ -9,7 +9,7 @@ from kube_hunter.modules.report.collector import (
    vulnerabilities_lock,
 )

-EVIDENCE_PREVIEW = 100
+EVIDENCE_PREVIEW = 40
 MAX_TABLE_WIDTH = 20
 KB_LINK = "https://github.com/aquasecurity/kube-hunter/tree/master/docs/_kb"

--- a/setup.cfg
+++ b/setup.cfg
@@ -22,8 +22,6 @@ classifiers =
    Programming Language :: Python :: 3.6
    Programming Language :: Python :: 3.7
    Programming Language :: Python :: 3.8
-    Programming Language :: Python :: 3.9
-    Programming Language :: Python :: 3 :: Only
    Topic :: Security

 [options]
--- a/tests/conf/test_logging.py
+++ b/tests/conf/test_logging.py
@@ -11,13 +11,12 @@ def test_setup_logger_level():
        ("NOTEXISTS", logging.INFO),
        ("BASIC_FORMAT", logging.INFO),
    ]
-    logFile = None
    for level, expected in test_cases:
-        setup_logger(level, logFile)
+        setup_logger(level)
        actual = logging.getLogger().getEffectiveLevel()
        assert actual == expected, f"{level} level should be {expected} (got {actual})"


 def test_setup_logger_none():
-    setup_logger("NONE", None)
+    setup_logger("NONE")
    assert logging.getLogger().manager.disable == logging.CRITICAL
--- a/tests/hunting/test_aks.py
+++ b/tests/hunting/test_aks.py
@@ -1,56 +0,0 @@
-# flake8: noqa: E402
-import requests_mock
-
-from kube_hunter.conf import Config, set_config
-
-set_config(Config())
-
-from kube_hunter.modules.hunting.kubelet import ExposedRunHandler
-from kube_hunter.modules.hunting.aks import AzureSpnHunter
-
-
-def test_AzureSpnHunter():
-    e = ExposedRunHandler()
-    e.host = "mockKubernetes"
-    e.port = 443
-    e.protocol = "https"
-
-    pod_template = '{{"items":[ {{"apiVersion":"v1","kind":"Pod","metadata":{{"name":"etc","namespace":"default"}},"spec":{{"containers":[{{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{{"mountPath":"/mp","name":"v"}}]}}],"volumes":[{{"hostPath":{{"path":"{}"}},"name":"v"}}]}}}} ]}}'
-
-    bad_paths = ["/", "/etc", "/etc/", "/etc/kubernetes", "/etc/kubernetes/azure.json"]
-    good_paths = ["/yo", "/etc/yo", "/etc/kubernetes/yo.json"]
-
-    for p in bad_paths:
-        with requests_mock.Mocker() as m:
-            m.get("https://mockKubernetes:443/pods", text=pod_template.format(p))
-            h = AzureSpnHunter(e)
-            c = h.get_key_container()
-            assert c
-
-    for p in good_paths:
-        with requests_mock.Mocker() as m:
-            m.get("https://mockKubernetes:443/pods", text=pod_template.format(p))
-            h = AzureSpnHunter(e)
-            c = h.get_key_container()
-            assert c == None
-
-    with requests_mock.Mocker() as m:
-        pod_no_volume_mounts = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}],"volumes":[{"hostPath":{"path":"/whatever"},"name":"v"}]}} ]}'
-        m.get("https://mockKubernetes:443/pods", text=pod_no_volume_mounts)
-        h = AzureSpnHunter(e)
-        c = h.get_key_container()
-        assert c == None
-
-    with requests_mock.Mocker() as m:
-        pod_no_volumes = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}]}} ]}'
-        m.get("https://mockKubernetes:443/pods", text=pod_no_volumes)
-        h = AzureSpnHunter(e)
-        c = h.get_key_container()
-        assert c == None
-
-    with requests_mock.Mocker() as m:
-        pod_other_volume = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{"mountPath":"/mp","name":"v"}]}],"volumes":[{"emptyDir":{},"name":"v"}]}} ]}'
-        m.get("https://mockKubernetes:443/pods", text=pod_other_volume)
-        h = AzureSpnHunter(e)
-        c = h.get_key_container()
-        assert c == None
Author	SHA1	Message	Date
Liz Rice	16103bfbcf	Merge branch 'master' into fix-hunting-bugs	2020-09-04 12:15:52 +01:00
Liz Rice	129ac8d0eb	Merge branch 'master' into fix-hunting-bugs	2020-09-04 12:02:12 +01:00
Liz Rice	19c00e9ee2	Merge branch 'master' into fix-hunting-bugs	2020-09-04 09:44:14 +01:00
Daniel Sagi	ab40d90b13	changed self.protocol in other places on etcd hunting. this is a typo, protocol is a property of events, not hunters	2020-08-21 05:46:28 -07:00
Daniel Sagi	45a92a9577	fixed etcd version hunting typo	2020-08-21 05:18:12 -07:00