added pypi publish workflow (#450)

Signed-off-by: Simarpreet Singh <simar@linux.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -7,7 +7,7 @@
 Please include a summary of the change and which issue is fixed. Also include relevant motivation and context. List any dependencies that are required for this change.
 
 ## Contribution Guidelines
-Please Read through the [Contribution Guidelines](https://github.com/aquasecurity/kube-hunter/blob/master/CONTRIBUTING.md).
+Please Read through the [Contribution Guidelines](https://github.com/aquasecurity/kube-hunter/blob/main/CONTRIBUTING.md).
 
 ## Fixed Issues
 

.github/workflows/greetings.yml

@@ -1,14 +0,0 @@
-name: Greetings
-
-on: [pull_request, issues]
-
-jobs:
-  greeting:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/first-interaction@v1
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        issue-message: "Hola! @${{ github.actor }} 🥳 , You've just created an Issue!🌟 Thanks for making the Project Better"
-        pr-message: 'Submitted a PR already ?? @${{ github.actor }} . Sit tight until one of our amazing maintainers review it. Make sure you read the contributing guide'
- 

.github/workflows/lint.yml

@@ -0,0 +1,14 @@
+---
+name: Lint
+
+on: [push, pull_request]
+
+jobs:
+  build:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+      - uses: pre-commit/action@v2.0.0
+      - uses: ibiqlik/action-yamllint@v3

.github/workflows/publish.yml

@@ -0,0 +1,94 @@
+---
+name: Publish
+on:
+  push:
+    tags:
+      - "v*"
+env:
+  ALIAS: aquasecurity
+  REP: kube-hunter
+jobs:
+  dockerhub:
+    name: Publish To Docker Hub
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Check Out Repo
+        uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildxarch-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildxarch-
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to ECR
+        uses: docker/login-action@v1
+        with:
+          registry: public.ecr.aws
+          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
+          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
+      - name: Get version
+        id: get_version
+        uses: crazy-max/ghaction-docker-meta@v1
+        with:
+          images: ${{ env.REP }}
+          tag-semver: |
+            {{version}}
+
+      - name: Build and push - Docker/ECR
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64
+          builder: ${{ steps.buildx.outputs.name }}
+          push: true
+          tags: |
+            ${{ secrets.DOCKERHUB_USER }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
+            public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
+            ${{ secrets.DOCKERHUB_USER }}/${{ env.REP }}:latest
+            public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:latest
+          cache-from: type=local,src=/tmp/.buildx-cache/release
+          cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release
+
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}
+
+  pypi:
+    name: Publish To PyPI
+    runs-on: ubuntu-18.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install -U pip
+          python -m pip install -r requirements-dev.txt
+
+      - name: Build project
+        shell: bash
+        run: |
+          python -m pip install wheel
+          make build
+
+      - name: Publish distribution package to PyPI
+        if: startsWith(github.ref, 'refs/tags')
+        uses: pypa/gh-action-pypi-publish@master
+        with:
+          password: ${{ secrets.PYPI_API_TOKEN }}

.github/workflows/release.yml

@@ -0,0 +1,53 @@
+---
+on:
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+      - 'v*'  # Push events to matching v*, i.e. v1.0, v20.15.10
+
+name: Release
+
+jobs:
+  build:
+    name: Upload Release Asset
+    runs-on: ubuntu-16.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.9'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install -U pip
+          python -m pip install -r requirements-dev.txt
+
+      - name: Build project
+        shell: bash
+        run: |
+          make pyinstaller
+
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: ${{ github.ref }}
+          draft: false
+          prerelease: false
+
+      - name: Upload Release Asset
+        id: upload-release-asset
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./dist/kube-hunter
+          asset_name: kube-hunter-linux-x86_64-${{ github.ref }}
+          asset_content_type: application/octet-stream

.github/workflows/test.yml

@@ -0,0 +1,55 @@
+---
+name: Test
+
+on: [push, pull_request]
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  build:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.6", "3.7", "3.8", "3.9"]
+        os: [ubuntu-20.04, ubuntu-18.04, ubuntu-16.04]
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Get pip cache dir
+        id: pip-cache
+        run: |
+          echo "::set-output name=dir::$(pip cache dir)"
+
+      - name: Cache
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.pip-cache.outputs.dir }}
+          key:
+            ${{ matrix.os }}-${{ matrix.python-version }}-${{ hashFiles('requirements-dev.txt') }}
+          restore-keys: |
+            ${{ matrix.os }}-${{ matrix.python-version }}-
+
+      - name: Install dependencies
+        run: |
+          python -m pip install -U pip
+          python -m pip install -U wheel
+          python -m pip install -r requirements.txt
+          python -m pip install -r requirements-dev.txt
+
+      - name: Test
+        shell: bash
+        run: |
+          make test
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v1
+        with:
+          name: ${{ matrix.os }} Python ${{ matrix.python-version }}

.pre-commit-config.yaml

@@ -1,10 +1,11 @@
+---
 repos:
-- repo: https://github.com/psf/black
-  rev: stable
-  hooks:
-  - id: black
-- repo: https://gitlab.com/pycqa/flake8
-  rev: 3.7.9
-  hooks:
-    - id: flake8
-      additional_dependencies: [flake8-bugbear]
+  - repo: https://github.com/psf/black
+    rev: stable
+    hooks:
+      - id: black
+  - repo: https://gitlab.com/pycqa/flake8
+    rev: 3.7.9
+    hooks:
+      - id: flake8
+        additional_dependencies: [flake8-bugbear]

.travis.yml

@@ -1,21 +0,0 @@
-group: travis_latest
-language: python
-cache: pip
-python:
-    - "3.6"
-    - "3.7"
-    - "3.8"
-    - "3.9"
-install:
-  - pip install -r requirements.txt
-  - pip install -r requirements-dev.txt
-before_script:
-  - make lint-check
-script:
-  - make test
-after_success:
-  -  bash <(curl -s https://codecov.io/bash)
-notifications:
-  email:
-    on_success: change
-    on_failure: always

.yamllint

@@ -0,0 +1,6 @@
+---
+extends: default
+
+rules:
+  line-length: disable
+  truthy: disable

README.md

@@ -1,12 +1,18 @@
-![kube-hunter](https://github.com/aquasecurity/kube-hunter/blob/master/kube-hunter.png)
+![kube-hunter](https://github.com/aquasecurity/kube-hunter/blob/main/kube-hunter.png)
 
-[![Build Status](https://travis-ci.org/aquasecurity/kube-hunter.svg?branch=master)](https://travis-ci.org/aquasecurity/kube-hunter)
-[![codecov](https://codecov.io/gh/aquasecurity/kube-hunter/branch/master/graph/badge.svg)](https://codecov.io/gh/aquasecurity/kube-hunter)
+[![GitHub Release][release-img]][release]
+![Downloads][download]
+![Docker Pulls][docker-pull]
+[![Build Status](https://github.com/aquasecurity/kube-hunter/workflows/Test/badge.svg)](https://github.com/aquasecurity/kube-hunter/actions)
+[![codecov](https://codecov.io/gh/aquasecurity/kube-hunter/branch/main/graph/badge.svg)](https://codecov.io/gh/aquasecurity/kube-hunter)
 [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
-[![License](https://img.shields.io/github/license/aquasecurity/kube-hunter)](https://github.com/aquasecurity/kube-hunter/blob/master/LICENSE)
+[![License](https://img.shields.io/github/license/aquasecurity/kube-hunter)](https://github.com/aquasecurity/kube-hunter/blob/main/LICENSE)
 [![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-hunter.svg)](https://microbadger.com/images/aquasec/kube-hunter "Get your own image badge on microbadger.com")
 
-
+[download]: https://img.shields.io/github/downloads/aquasecurity/kube-hunter/total?logo=github
+[release-img]: https://img.shields.io/github/release/aquasecurity/kube-hunter.svg?logo=github
+[release]: https://github.com/aquasecurity/kube-hunter/releases
+[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-hunter?logo=docker&label=docker%20pulls%20%2F%20kube-hunter
 
 kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. **You should NOT run kube-hunter on a Kubernetes cluster that you don't own!**
 
@@ -14,9 +20,9 @@ kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was d
 
 **Explore vulnerabilities**: The kube-hunter knowledge base includes articles about discoverable vulnerabilities and issues. When kube-hunter reports an issue, it will show its VID (Vulnerability ID) so you can look it up in the KB at https://aquasecurity.github.io/kube-hunter/
 
-**Contribute**: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your modules please read [Guidelines For Developing Your First kube-hunter Module](https://github.com/aquasecurity/kube-hunter/blob/master/CONTRIBUTING.md).
+**Contribute**: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your modules please read [Guidelines For Developing Your First kube-hunter Module](https://github.com/aquasecurity/kube-hunter/blob/main/CONTRIBUTING.md).
 
-[![kube-hunter demo video](https://github.com/aquasecurity/kube-hunter/blob/master/kube-hunter-screenshot.png)](https://youtu.be/s2-6rTkH8a8?t=57s)
+[![kube-hunter demo video](https://github.com/aquasecurity/kube-hunter/blob/main/kube-hunter-screenshot.png)](https://youtu.be/s2-6rTkH8a8?t=57s)
 
 Table of Contents
 =================
@@ -29,6 +35,7 @@ Table of Contents
    * [Nodes Mapping](#nodes-mapping)
    * [Output](#output)
    * [Dispatching](#dispatching)
+   * [Advanced Usage](#advanced-usage)
 * [Deployment](#deployment)
    * [On Machine](#on-machine)
       * [Prerequisites](#prerequisites)
@@ -108,6 +115,11 @@ Available dispatch methods are:
     * KUBEHUNTER_HTTP_DISPATCH_URL (defaults to: https://localhost)
     * KUBEHUNTER_HTTP_DISPATCH_METHOD (defaults to: POST)
 
+### Advanced Usage 
+#### Azure Quick Scanning 
+When running **as a Pod in an Azure or AWS environment**, kube-hunter will fetch subnets from the Instance Metadata Service. Naturally this makes the discovery process take longer.
+To hardlimit subnet scanning to a `/24` CIDR, use the `--quick` option. 
+
 ## Deployment
 There are three methods for deploying kube-hunter:
 
@@ -176,7 +188,7 @@ The example `job.yaml` file defines a Job that will run kube-hunter in a pod, us
 * View the test results with `kubectl logs <pod name>`
 
 ## Contribution 
-To read the contribution guidelines, <a href="https://github.com/aquasecurity/kube-hunter/blob/master/CONTRIBUTING.md"> Click here </a>
+To read the contribution guidelines, <a href="https://github.com/aquasecurity/kube-hunter/blob/main/CONTRIBUTING.md"> Click here </a>
 
 ## License
-This repository is available under the [Apache License 2.0](https://github.com/aquasecurity/kube-hunter/blob/master/LICENSE).
+This repository is available under the [Apache License 2.0](https://github.com/aquasecurity/kube-hunter/blob/main/LICENSE).

SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+| Version   | Supported          |
+| --------- | ------------------ |
+| 0.4.x | :white_check_mark: |
+| 0.3.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+We encourage you to find vulnerabilities in kube-hunter.
+The process is simple, just report a Bug issue. and we will take a look at this.
+If you prefer to disclose privately, you can write to one of the security maintainers at:
+
+| Name        | Email              |
+| ----------- | ------------------ |
+| Daniel Sagi | daniel.sagi@aquasec.com |

docs/Gemfile.lock

@@ -1,11 +1,12 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (4.2.11.1)
-      i18n (~> 0.7)
+    activesupport (6.0.3.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
       minitest (~> 5.1)
-      thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
+      zeitwerk (~> 2.2, >= 2.2.2)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     coffee-script (2.4.1)
@@ -15,65 +16,67 @@ GEM
     colorator (1.1.0)
     commonmarker (0.17.13)
       ruby-enum (~> 0.5)
-    concurrent-ruby (1.1.5)
-    dnsruby (1.61.3)
-      addressable (~> 2.5)
-    em-websocket (0.5.1)
+    concurrent-ruby (1.1.7)
+    dnsruby (1.61.5)
+      simpleidn (~> 0.1)
+    em-websocket (0.5.2)
       eventmachine (>= 0.12.9)
       http_parser.rb (~> 0.6.0)
     ethon (0.12.0)
       ffi (>= 1.3.0)
     eventmachine (1.2.7)
     execjs (2.7.0)
-    faraday (0.17.0)
+    faraday (1.3.0)
+      faraday-net_http (~> 1.0)
       multipart-post (>= 1.2, < 3)
-    ffi (1.11.1)
+      ruby2_keywords
+    faraday-net_http (1.0.1)
+    ffi (1.14.2)
     forwardable-extended (2.6.0)
     gemoji (3.0.1)
-    github-pages (201)
-      activesupport (= 4.2.11.1)
+    github-pages (209)
       github-pages-health-check (= 1.16.1)
-      jekyll (= 3.8.5)
-      jekyll-avatar (= 0.6.0)
+      jekyll (= 3.9.0)
+      jekyll-avatar (= 0.7.0)
       jekyll-coffeescript (= 1.1.1)
       jekyll-commonmark-ghpages (= 0.1.6)
       jekyll-default-layout (= 0.1.4)
-      jekyll-feed (= 0.11.0)
+      jekyll-feed (= 0.15.1)
       jekyll-gist (= 1.5.0)
-      jekyll-github-metadata (= 2.12.1)
-      jekyll-mentions (= 1.4.1)
-      jekyll-optional-front-matter (= 0.3.0)
+      jekyll-github-metadata (= 2.13.0)
+      jekyll-mentions (= 1.6.0)
+      jekyll-optional-front-matter (= 0.3.2)
       jekyll-paginate (= 1.1.0)
-      jekyll-readme-index (= 0.2.0)
-      jekyll-redirect-from (= 0.14.0)
-      jekyll-relative-links (= 0.6.0)
-      jekyll-remote-theme (= 0.4.0)
+      jekyll-readme-index (= 0.3.0)
+      jekyll-redirect-from (= 0.16.0)
+      jekyll-relative-links (= 0.6.1)
+      jekyll-remote-theme (= 0.4.2)
       jekyll-sass-converter (= 1.5.2)
-      jekyll-seo-tag (= 2.5.0)
-      jekyll-sitemap (= 1.2.0)
-      jekyll-swiss (= 0.4.0)
+      jekyll-seo-tag (= 2.6.1)
+      jekyll-sitemap (= 1.4.0)
+      jekyll-swiss (= 1.0.0)
       jekyll-theme-architect (= 0.1.1)
       jekyll-theme-cayman (= 0.1.1)
       jekyll-theme-dinky (= 0.1.1)
-      jekyll-theme-hacker (= 0.1.1)
+      jekyll-theme-hacker (= 0.1.2)
       jekyll-theme-leap-day (= 0.1.1)
       jekyll-theme-merlot (= 0.1.1)
       jekyll-theme-midnight (= 0.1.1)
       jekyll-theme-minimal (= 0.1.1)
       jekyll-theme-modernist (= 0.1.1)
-      jekyll-theme-primer (= 0.5.3)
+      jekyll-theme-primer (= 0.5.4)
       jekyll-theme-slate (= 0.1.1)
       jekyll-theme-tactile (= 0.1.1)
       jekyll-theme-time-machine (= 0.1.1)
-      jekyll-titles-from-headings (= 0.5.1)
-      jemoji (= 0.10.2)
-      kramdown (= 1.17.0)
-      liquid (= 4.0.0)
-      listen (= 3.1.5)
+      jekyll-titles-from-headings (= 0.5.3)
+      jemoji (= 0.12.0)
+      kramdown (= 2.3.0)
+      kramdown-parser-gfm (= 1.1.0)
+      liquid (= 4.0.3)
       mercenary (~> 0.3)
-      minima (= 2.5.0)
+      minima (= 2.5.1)
       nokogiri (>= 1.10.4, < 2.0)
-      rouge (= 3.11.0)
+      rouge (= 3.23.0)
       terminal-table (~> 1.4)
     github-pages-health-check (1.16.1)
       addressable (~> 2.3)
@@ -81,27 +84,27 @@ GEM
       octokit (~> 4.0)
       public_suffix (~> 3.0)
       typhoeus (~> 1.3)
-    html-pipeline (2.12.0)
+    html-pipeline (2.14.0)
       activesupport (>= 2)
       nokogiri (>= 1.4)
     http_parser.rb (0.6.0)
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
-    jekyll (3.8.5)
+    jekyll (3.9.0)
       addressable (~> 2.4)
       colorator (~> 1.0)
       em-websocket (~> 0.5)
       i18n (~> 0.7)
       jekyll-sass-converter (~> 1.0)
       jekyll-watch (~> 2.0)
-      kramdown (~> 1.14)
+      kramdown (>= 1.17, < 3)
       liquid (~> 4.0)
       mercenary (~> 0.3.3)
       pathutil (~> 0.9)
       rouge (>= 1.7, < 4)
       safe_yaml (~> 1.0)
-    jekyll-avatar (0.6.0)
-      jekyll (~> 3.0)
+    jekyll-avatar (0.7.0)
+      jekyll (>= 3.0, < 5.0)
     jekyll-coffeescript (1.1.1)
       coffee-script (~> 2.2)
       coffee-script-source (~> 1.11.1)
@@ -114,36 +117,37 @@ GEM
       rouge (>= 2.0, < 4.0)
     jekyll-default-layout (0.1.4)
       jekyll (~> 3.0)
-    jekyll-feed (0.11.0)
-      jekyll (~> 3.3)
+    jekyll-feed (0.15.1)
+      jekyll (>= 3.7, < 5.0)
     jekyll-gist (1.5.0)
       octokit (~> 4.2)
-    jekyll-github-metadata (2.12.1)
-      jekyll (~> 3.4)
+    jekyll-github-metadata (2.13.0)
+      jekyll (>= 3.4, < 5.0)
       octokit (~> 4.0, != 4.4.0)
-    jekyll-mentions (1.4.1)
+    jekyll-mentions (1.6.0)
       html-pipeline (~> 2.3)
-      jekyll (~> 3.0)
-    jekyll-optional-front-matter (0.3.0)
-      jekyll (~> 3.0)
+      jekyll (>= 3.7, < 5.0)
+    jekyll-optional-front-matter (0.3.2)
+      jekyll (>= 3.0, < 5.0)
     jekyll-paginate (1.1.0)
-    jekyll-readme-index (0.2.0)
-      jekyll (~> 3.0)
-    jekyll-redirect-from (0.14.0)
-      jekyll (~> 3.3)
-    jekyll-relative-links (0.6.0)
-      jekyll (~> 3.3)
-    jekyll-remote-theme (0.4.0)
+    jekyll-readme-index (0.3.0)
+      jekyll (>= 3.0, < 5.0)
+    jekyll-redirect-from (0.16.0)
+      jekyll (>= 3.3, < 5.0)
+    jekyll-relative-links (0.6.1)
+      jekyll (>= 3.3, < 5.0)
+    jekyll-remote-theme (0.4.2)
       addressable (~> 2.0)
-      jekyll (~> 3.5)
-      rubyzip (>= 1.2.1, < 3.0)
+      jekyll (>= 3.5, < 5.0)
+      jekyll-sass-converter (>= 1.0, <= 3.0.0, != 2.0.0)
+      rubyzip (>= 1.3.0, < 3.0)
     jekyll-sass-converter (1.5.2)
       sass (~> 3.4)
-    jekyll-seo-tag (2.5.0)
-      jekyll (~> 3.3)
-    jekyll-sitemap (1.2.0)
-      jekyll (~> 3.3)
-    jekyll-swiss (0.4.0)
+    jekyll-seo-tag (2.6.1)
+      jekyll (>= 3.3, < 5.0)
+    jekyll-sitemap (1.4.0)
+      jekyll (>= 3.7, < 5.0)
+    jekyll-swiss (1.0.0)
     jekyll-theme-architect (0.1.1)
       jekyll (~> 3.5)
       jekyll-seo-tag (~> 2.0)
@@ -153,8 +157,8 @@ GEM
     jekyll-theme-dinky (0.1.1)
       jekyll (~> 3.5)
       jekyll-seo-tag (~> 2.0)
-    jekyll-theme-hacker (0.1.1)
-      jekyll (~> 3.5)
+    jekyll-theme-hacker (0.1.2)
+      jekyll (> 3.5, < 5.0)
       jekyll-seo-tag (~> 2.0)
     jekyll-theme-leap-day (0.1.1)
       jekyll (~> 3.5)
@@ -171,8 +175,8 @@ GEM
     jekyll-theme-modernist (0.1.1)
       jekyll (~> 3.5)
       jekyll-seo-tag (~> 2.0)
-    jekyll-theme-primer (0.5.3)
-      jekyll (~> 3.5)
+    jekyll-theme-primer (0.5.4)
+      jekyll (> 3.5, < 5.0)
       jekyll-github-metadata (~> 2.9)
       jekyll-seo-tag (~> 2.0)
     jekyll-theme-slate (0.1.1)
@@ -184,43 +188,49 @@ GEM
     jekyll-theme-time-machine (0.1.1)
       jekyll (~> 3.5)
       jekyll-seo-tag (~> 2.0)
-    jekyll-titles-from-headings (0.5.1)
-      jekyll (~> 3.3)
+    jekyll-titles-from-headings (0.5.3)
+      jekyll (>= 3.3, < 5.0)
     jekyll-watch (2.2.1)
       listen (~> 3.0)
-    jemoji (0.10.2)
+    jemoji (0.12.0)
       gemoji (~> 3.0)
       html-pipeline (~> 2.2)
-      jekyll (~> 3.0)
-    kramdown (1.17.0)
-    liquid (4.0.0)
-    listen (3.1.5)
-      rb-fsevent (~> 0.9, >= 0.9.4)
-      rb-inotify (~> 0.9, >= 0.9.7)
-      ruby_dep (~> 1.2)
+      jekyll (>= 3.0, < 5.0)
+    kramdown (2.3.0)
+      rexml
+    kramdown-parser-gfm (1.1.0)
+      kramdown (~> 2.0)
+    liquid (4.0.3)
+    listen (3.4.0)
+      rb-fsevent (~> 0.10, >= 0.10.3)
+      rb-inotify (~> 0.9, >= 0.9.10)
     mercenary (0.3.6)
-    mini_portile2 (2.4.0)
-    minima (2.5.0)
-      jekyll (~> 3.5)
+    mini_portile2 (2.5.0)
+    minima (2.5.1)
+      jekyll (>= 3.5, < 5.0)
       jekyll-feed (~> 0.9)
       jekyll-seo-tag (~> 2.1)
-    minitest (5.12.2)
+    minitest (5.14.3)
     multipart-post (2.1.1)
-    nokogiri (1.10.8)
-      mini_portile2 (~> 2.4.0)
-    octokit (4.14.0)
+    nokogiri (1.11.1)
+      mini_portile2 (~> 2.5.0)
+      racc (~> 1.4)
+    octokit (4.20.0)
+      faraday (>= 0.9)
       sawyer (~> 0.8.0, >= 0.5.3)
     pathutil (0.16.2)
       forwardable-extended (~> 2.6)
     public_suffix (3.1.1)
-    rb-fsevent (0.10.3)
-    rb-inotify (0.10.0)
+    racc (1.5.2)
+    rb-fsevent (0.10.4)
+    rb-inotify (0.10.1)
       ffi (~> 1.0)
-    rouge (3.11.0)
-    ruby-enum (0.7.2)
+    rexml (3.2.4)
+    rouge (3.23.0)
+    ruby-enum (0.8.0)
       i18n
-    ruby_dep (1.5.0)
-    rubyzip (2.0.0)
+    ruby2_keywords (0.0.2)
+    rubyzip (2.3.0)
     safe_yaml (1.0.5)
     sass (3.7.4)
       sass-listen (~> 4.0.0)
@@ -230,14 +240,20 @@ GEM
     sawyer (0.8.2)
       addressable (>= 2.3.5)
       faraday (> 0.8, < 2.0)
+    simpleidn (0.1.1)
+      unf (~> 0.1.4)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thread_safe (0.3.6)
-    typhoeus (1.3.1)
+    typhoeus (1.4.0)
       ethon (>= 0.9.0)
-    tzinfo (1.2.5)
+    tzinfo (1.2.9)
       thread_safe (~> 0.1)
-    unicode-display_width (1.6.0)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.7.7)
+    unicode-display_width (1.7.0)
+    zeitwerk (2.4.2)
 
 PLATFORMS
   ruby
@@ -247,4 +263,4 @@ DEPENDENCIES
   jekyll-sitemap
 
 BUNDLED WITH
-   1.17.2
+   2.2.5

docs/_config.yml

@@ -1,6 +1,7 @@
+---
 title: kube-hunter
 description: Kube-hunter hunts for security weaknesses in Kubernetes clusters
-logo: https://raw.githubusercontent.com/aquasecurity/kube-hunter/master/kube-hunter.png
+logo: https://raw.githubusercontent.com/aquasecurity/kube-hunter/main/kube-hunter.png
 show_downloads: false
 google_analytics: UA-63272154-1
 theme: jekyll-theme-minimal
@@ -10,7 +11,7 @@ collections:
 defaults:
   -
     scope:
-      path: "" # an empty string here means all files in the project
+      path: ""  # an empty string here means all files in the project
     values:
       layout: "default"
 

docs/_kb/KHV003.md

@@ -12,7 +12,10 @@ Microsoft Azure provides an internal HTTP endpoint that exposes information from
 
 ## Remediation
 
-Consider using AAD Pod Identity. A Microsoft project that allows scoping the identity of workloads to Kubernetes Pods instead of VMs (instances).
+Starting in the 2020.10.15 Azure VHD Release, AKS restricts the pod CIDR access to that internal HTTP endpoint. 
+
+[CVE-2021-27075](https://github.com/Azure/AKS/issues/2168)
+
 
 ## References
 

docs/_kb/KHV052.md

@@ -0,0 +1,23 @@
+---
+vid: KHV052
+title: Exposed Pods
+categories: [Information Disclosure]
+---
+
+# {{ page.vid }} - {{ page.title }}
+
+## Issue description
+
+An attacker could view sensitive information about pods that are bound to a Node using the exposed /pods endpoint
+This can be done either by accessing the readonly port (default 10255), or from the secure kubelet port (10250)
+
+## Remediation
+
+Ensure kubelet is protected using `--anonymous-auth=false` kubelet flag. Allow only legitimate users using `--client-ca-file` or `--authentication-token-webhook` kubelet flags. This is usually done by the installer or cloud provider.
+
+Disable the readonly port by using `--read-only-port=0` kubelet flag.
+
+## References
+
+- [Kubelet configuration](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/)
+- [Kubelet authentication/authorization](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)

docs/_kb/KHV053.md

@@ -0,0 +1,24 @@
+---
+vid: KHV053
+title: AWS Metadata Exposure
+categories: [Information Disclosure]
+---
+
+# {{ page.vid }} - {{ page.title }}
+
+## Issue description
+
+AWS EC2 provides an internal HTTP endpoint that exposes information from the cloud platform to workloads running in an instance. The endpoint is accessible to every workload running in the instance. An attacker that is able to execute a pod in the cluster may be able to query the metadata service and discover additional information about the environment.
+
+## Remediation
+
+* Limit access to the instance metadata service. Consider using a local firewall such as `iptables` to disable access from some or all processes/users to the instance metadata service.
+
+* Disable the metadata service (via instance metadata options or IAM), or at a minimum enforce the use IMDSv2 on an instance to require token-based access to the service.
+
+* Modify the HTTP PUT response hop limit on the instance to 1. This will only allow access to the service from the instance itself rather than from within a pod.
+
+## References
+
+- [AWS Instance Metadata service](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html)
+- [EC2 Instance Profiles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)

job.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -6,9 +7,9 @@ spec:
   template:
     spec:
       containers:
-      - name: kube-hunter
-        image: aquasec/kube-hunter 
-        command: ["kube-hunter"]
-        args: ["--pod"]
+        - name: kube-hunter
+          image: aquasec/kube-hunter
+          command: ["kube-hunter"]
+          args: ["--pod"]
       restartPolicy: Never
   backoffLimit: 4

kube_hunter/__main__.py

@@ -73,13 +73,13 @@ def list_hunters():
     print("\nPassive Hunters:\n----------------")
     for hunter, docs in handler.passive_hunters.items():
         name, doc = hunter.parse_docs(docs)
-        print("* {}\n  {}\n".format(name, doc))
+        print(f"* {name}\n  {doc}\n")
 
     if config.active:
         print("\n\nActive Hunters:\n---------------")
         for hunter, docs in handler.active_hunters.items():
             name, doc = hunter.parse_docs(docs)
-            print("* {}\n  {}\n".format(name, doc))
+            print(f"* {name}\n  {doc}\n")
 
 
 hunt_started_lock = threading.Lock()

kube_hunter/core/events/handler.py

@@ -14,7 +14,7 @@ logger = logging.getLogger(__name__)
 # Inherits Queue object, handles events asynchronously
 class EventQueue(Queue):
     def __init__(self, num_worker=10):
-        super(EventQueue, self).__init__()
+        super().__init__()
         self.passive_hunters = dict()
         self.active_hunters = dict()
         self.all_hunters = dict()

kube_hunter/core/types.py

@@ -50,6 +50,12 @@ class Kubelet(KubernetesCluster):
     name = "Kubelet"
 
 
+class AWS(KubernetesCluster):
+    """AWS Cluster"""
+
+    name = "AWS"
+
+
 class Azure(KubernetesCluster):
     """Azure Cluster"""
 

kube_hunter/modules/discovery/hosts.py

@@ -5,13 +5,12 @@ import requests
 
 from enum import Enum
 from netaddr import IPNetwork, IPAddress, AddrFormatError
-from netifaces import AF_INET, ifaddresses, interfaces
-from scapy.all import ICMP, IP, Ether, srp1
+from netifaces import AF_INET, ifaddresses, interfaces, gateways
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Event, NewHostEvent, Vulnerability
-from kube_hunter.core.types import Discovery, InformationDisclosure, Azure
+from kube_hunter.core.types import Discovery, InformationDisclosure, AWS, Azure
 
 logger = logging.getLogger(__name__)
 
@@ -37,10 +36,25 @@ class RunningAsPodEvent(Event):
         try:
             with open(f"/var/run/secrets/kubernetes.io/serviceaccount/{file}") as f:
                 return f.read()
-        except IOError:
+        except OSError:
             pass
 
 
+class AWSMetadataApi(Vulnerability, Event):
+    """Access to the AWS Metadata API exposes information about the machines associated with the cluster"""
+
+    def __init__(self, cidr):
+        Vulnerability.__init__(
+            self,
+            AWS,
+            "AWS Metadata Exposure",
+            category=InformationDisclosure,
+            vid="KHV053",
+        )
+        self.cidr = cidr
+        self.evidence = f"cidr: {cidr}"
+
+
 class AzureMetadataApi(Vulnerability, Event):
     """Access to the Azure Metadata API exposes information about the machines associated with the cluster"""
 
@@ -53,7 +67,7 @@ class AzureMetadataApi(Vulnerability, Event):
             vid="KHV003",
         )
         self.cidr = cidr
-        self.evidence = "cidr: {}".format(cidr)
+        self.evidence = f"cidr: {cidr}"
 
 
 class HostScanEvent(Event):
@@ -108,8 +122,12 @@ class FromPodHostDiscovery(Discovery):
             cloud = None
             if self.is_azure_pod():
                 subnets, cloud = self.azure_metadata_discovery()
+            elif self.is_aws_pod_v1():
+                subnets, cloud = self.aws_metadata_v1_discovery()
+            elif self.is_aws_pod_v2():
+                subnets, cloud = self.aws_metadata_v2_discovery()
             else:
-                subnets = self.traceroute_discovery()
+                subnets = self.gateway_discovery()
 
             should_scan_apiserver = False
             if self.event.kubeservicehost:
@@ -123,6 +141,46 @@ class FromPodHostDiscovery(Discovery):
             if should_scan_apiserver:
                 self.publish_event(NewHostEvent(host=IPAddress(self.event.kubeservicehost), cloud=cloud))
 
+    def is_aws_pod_v1(self):
+        config = get_config()
+        try:
+            # Instance Metadata Service v1
+            logger.debug("From pod attempting to access AWS Metadata v1 API")
+            if (
+                requests.get(
+                    "http://169.254.169.254/latest/meta-data/",
+                    timeout=config.network_timeout,
+                ).status_code
+                == 200
+            ):
+                return True
+        except requests.exceptions.ConnectionError:
+            logger.debug("Failed to connect AWS metadata server v1")
+            return False
+
+    def is_aws_pod_v2(self):
+        config = get_config()
+        try:
+            # Instance Metadata Service v2
+            logger.debug("From pod attempting to access AWS Metadata v2 API")
+            token = requests.put(
+                "http://169.254.169.254/latest/api/token/",
+                headers={"X-aws-ec2-metatadata-token-ttl-seconds": "21600"},
+                timeout=config.network_timeout,
+            ).text
+            if (
+                requests.get(
+                    "http://169.254.169.254/latest/meta-data/",
+                    headers={"X-aws-ec2-metatadata-token": token},
+                    timeout=config.network_timeout,
+                ).status_code
+                == 200
+            ):
+                return True
+        except requests.exceptions.ConnectionError:
+            logger.debug("Failed to connect AWS metadata server v2")
+            return False
+
     def is_azure_pod(self):
         config = get_config()
         try:
@@ -141,14 +199,60 @@ class FromPodHostDiscovery(Discovery):
             return False
 
     # for pod scanning
-    def traceroute_discovery(self):
+    def gateway_discovery(self):
+        """ Retrieving default gateway of pod, which is usually also a contact point with the host """
+        return [[gateways()["default"][AF_INET][0], "24"]]
+
+    # querying AWS's interface metadata api v1 | works only from a pod
+    def aws_metadata_v1_discovery(self):
         config = get_config()
-        node_internal_ip = srp1(
-            Ether() / IP(dst="1.1.1.1", ttl=1) / ICMP(),
-            verbose=0,
+        logger.debug("From pod attempting to access aws's metadata v1")
+        mac_address = requests.get(
+            "http://169.254.169.254/latest/meta-data/mac",
             timeout=config.network_timeout,
-        )[IP].src
-        return [[node_internal_ip, "24"]]
+        ).text
+        cidr = requests.get(
+            f"http://169.254.169.254/latest/meta-data/network/interfaces/macs/{mac_address}/subnet-ipv4-cidr-block",
+            timeout=config.network_timeout,
+        ).text.split("/")
+
+        address, subnet = (cidr[0], cidr[1])
+        subnet = subnet if not config.quick else "24"
+        cidr = f"{address}/{subnet}"
+        logger.debug(f"From pod discovered subnet {cidr}")
+
+        self.publish_event(AWSMetadataApi(cidr=cidr))
+
+        return cidr, "AWS"
+
+    # querying AWS's interface metadata api v2 | works only from a pod
+    def aws_metadata_v2_discovery(self):
+        config = get_config()
+        logger.debug("From pod attempting to access aws's metadata v2")
+        token = requests.get(
+            "http://169.254.169.254/latest/api/token",
+            headers={"X-aws-ec2-metatadata-token-ttl-seconds": "21600"},
+            timeout=config.network_timeout,
+        ).text
+        mac_address = requests.get(
+            "http://169.254.169.254/latest/meta-data/mac",
+            headers={"X-aws-ec2-metatadata-token": token},
+            timeout=config.network_timeout,
+        ).text
+        cidr = requests.get(
+            f"http://169.254.169.254/latest/meta-data/network/interfaces/macs/{mac_address}/subnet-ipv4-cidr-block",
+            headers={"X-aws-ec2-metatadata-token": token},
+            timeout=config.network_timeout,
+        ).text.split("/")
+
+        address, subnet = (cidr[0], cidr[1])
+        subnet = subnet if not config.quick else "24"
+        cidr = f"{address}/{subnet}"
+        logger.debug(f"From pod discovered subnet {cidr}")
+
+        self.publish_event(AWSMetadataApi(cidr=cidr))
+
+        return cidr, "AWS"
 
     # querying azure's interface metadata api | works only from a pod
     def azure_metadata_discovery(self):

kube_hunter/modules/hunting/aks.py

@@ -1,9 +1,10 @@
+import os
 import json
 import logging
 import requests
 
 from kube_hunter.conf import get_config
-from kube_hunter.modules.hunting.kubelet import ExposedRunHandler
+from kube_hunter.modules.hunting.kubelet import ExposedPodsHandler, SecureKubeletPortHunter
 from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Event, Vulnerability
 from kube_hunter.core.types import Hunter, ActiveHunter, IdentityTheft, Azure
@@ -14,7 +15,7 @@ logger = logging.getLogger(__name__)
 class AzureSpnExposure(Vulnerability, Event):
     """The SPN is exposed, potentially allowing an attacker to gain access to the Azure subscription"""
 
-    def __init__(self, container):
+    def __init__(self, container, evidence=""):
         Vulnerability.__init__(
             self,
             Azure,
@@ -23,9 +24,10 @@ class AzureSpnExposure(Vulnerability, Event):
             vid="KHV004",
         )
         self.container = container
+        self.evidence = evidence
 
 
-@handler.subscribe(ExposedRunHandler, predicate=lambda x: x.cloud == "Azure")
+@handler.subscribe(ExposedPodsHandler, predicate=lambda x: x.cloud_type == "Azure")
 class AzureSpnHunter(Hunter):
     """AKS Hunting
     Hunting Azure cluster deployments using specific known configurations
@@ -37,35 +39,33 @@ class AzureSpnHunter(Hunter):
 
     # getting a container that has access to the azure.json file
     def get_key_container(self):
-        config = get_config()
-        endpoint = f"{self.base_url}/pods"
         logger.debug("Trying to find container with access to azure.json file")
-        try:
-            r = requests.get(endpoint, verify=False, timeout=config.network_timeout)
-        except requests.Timeout:
-            logger.debug("failed getting pod info")
-        else:
-            pods_data = r.json().get("items", [])
-            suspicious_volume_names = []
-            for pod_data in pods_data:
-                for volume in pod_data["spec"].get("volumes", []):
-                    if volume.get("hostPath"):
-                        path = volume["hostPath"]["path"]
-                        if "/etc/kubernetes/azure.json".startswith(path):
-                            suspicious_volume_names.append(volume["name"])
-                for container in pod_data["spec"]["containers"]:
-                    for mount in container.get("volumeMounts", []):
-                        if mount["name"] in suspicious_volume_names:
-                            return {
-                                "name": container["name"],
-                                "pod": pod_data["metadata"]["name"],
-                                "namespace": pod_data["metadata"]["namespace"],
-                            }
+
+        # pods are saved in the previous event object
+        pods_data = self.event.pods
+
+        suspicious_volume_names = []
+        for pod_data in pods_data:
+            for volume in pod_data["spec"].get("volumes", []):
+                if volume.get("hostPath"):
+                    path = volume["hostPath"]["path"]
+                    if "/etc/kubernetes/azure.json".startswith(path):
+                        suspicious_volume_names.append(volume["name"])
+            for container in pod_data["spec"]["containers"]:
+                for mount in container.get("volumeMounts", []):
+                    if mount["name"] in suspicious_volume_names:
+                        return {
+                            "name": container["name"],
+                            "pod": pod_data["metadata"]["name"],
+                            "namespace": pod_data["metadata"]["namespace"],
+                            "mount": mount,
+                        }
 
     def execute(self):
         container = self.get_key_container()
         if container:
-            self.publish_event(AzureSpnExposure(container=container))
+            evidence = f"pod: {container['pod']}, namespace: {container['namespace']}"
+            self.publish_event(AzureSpnExposure(container=container, evidence=evidence))
 
 
 @handler.subscribe(AzureSpnExposure)
@@ -78,14 +78,42 @@ class ProveAzureSpnExposure(ActiveHunter):
         self.event = event
         self.base_url = f"https://{self.event.host}:{self.event.port}"
 
+    def test_run_capability(self):
+        """
+        Uses SecureKubeletPortHunter to test the /run handler
+        TODO: when multiple event subscription is implemented, use this here to make sure /run is accessible
+        """
+        debug_handlers = SecureKubeletPortHunter.DebugHandlers(path=self.base_url, session=self.event.session, pod=None)
+        return debug_handlers.test_run_container()
+
     def run(self, command, container):
         config = get_config()
-        run_url = "/".join(self.base_url, "run", container["namespace"], container["pod"], container["name"])
-        return requests.post(run_url, verify=False, params={"cmd": command}, timeout=config.network_timeout)
+        run_url = f"{self.base_url}/run/{container['namespace']}/{container['pod']}/{container['name']}"
+        return self.event.session.post(run_url, verify=False, params={"cmd": command}, timeout=config.network_timeout)
+
+    def get_full_path_to_azure_file(self):
+        """
+        Returns a full path to /etc/kubernetes/azure.json
+        Taking into consideration the difference folder of the mount inside the container.
+        TODO: implement the edge case where the mount is to parent /etc folder.
+        """
+        azure_file_path = self.event.container["mount"]["mountPath"]
+
+        # taking care of cases where a subPath is added to map the specific file
+        if not azure_file_path.endswith("azure.json"):
+            azure_file_path = os.path.join(azure_file_path, "azure.json")
+
+        return azure_file_path
 
     def execute(self):
+        if not self.test_run_capability():
+            logger.debug("Not proving AzureSpnExposure because /run debug handler is disabled")
+            return
+
         try:
-            subscription = self.run("cat /etc/kubernetes/azure.json", container=self.event.container).json()
+            azure_file_path = self.get_full_path_to_azure_file()
+            logger.debug(f"trying to access the azure.json at the resolved path: {azure_file_path}")
+            subscription = self.run(f"cat {azure_file_path}", container=self.event.container).json()
         except requests.Timeout:
             logger.debug("failed to run command in container", exc_info=True)
         except json.decoder.JSONDecodeError:

kube_hunter/modules/hunting/apiserver.py

@@ -56,16 +56,19 @@ class ServerApiHTTPAccess(Vulnerability, Event):
 
 
 class ApiInfoDisclosure(Vulnerability, Event):
+    """Information Disclosure depending upon RBAC permissions and Kube-Cluster Setup"""
+
     def __init__(self, evidence, using_token, name):
+        category = InformationDisclosure
         if using_token:
-            name += " using service account token"
+            name += " using default service account token"
         else:
             name += " as anonymous user"
         Vulnerability.__init__(
             self,
             KubernetesCluster,
             name=name,
-            category=InformationDisclosure,
+            category=category,
             vid="KHV007",
         )
         self.evidence = evidence
@@ -343,7 +346,7 @@ class AccessApiServer(Hunter):
             else:
                 self.publish_event(ServerApiAccess(api, self.with_token))
 
-        namespaces = self.get_items("{path}/api/v1/namespaces".format(path=self.path))
+        namespaces = self.get_items(f"{self.path}/api/v1/namespaces")
         if namespaces:
             self.publish_event(ListNamespaces(namespaces, self.with_token))
 
@@ -371,7 +374,7 @@ class AccessApiServerWithToken(AccessApiServer):
     """
 
     def __init__(self, event):
-        super(AccessApiServerWithToken, self).__init__(event)
+        super().__init__(event)
         assert self.event.auth_token
         self.headers = {"Authorization": f"Bearer {self.event.auth_token}"}
         self.category = InformationDisclosure

kube_hunter/modules/hunting/arp.py

@@ -43,7 +43,7 @@ class ArpSpoofHunter(ActiveHunter):
     def detect_l3_on_host(self, arp_responses):
         """ returns True for an existence of an L3 network plugin """
         logger.debug("Attempting to detect L3 network plugin using ARP")
-        unique_macs = list(set(response[ARP].hwsrc for _, response in arp_responses))
+        unique_macs = list({response[ARP].hwsrc for _, response in arp_responses})
 
         # if LAN addresses not unique
         if len(unique_macs) == 1:

kube_hunter/modules/hunting/certificates.py

@@ -8,11 +8,13 @@ from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Vulnerability, Event, Service
 
 logger = logging.getLogger(__name__)
-email_pattern = re.compile(rb"([a-z0-9]+@[a-z0-9]+\.[a-z0-9]+)")
+email_pattern = re.compile(rb"([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)")
 
 
 class CertificateEmail(Vulnerability, Event):
-    """Certificate includes an email address"""
+    """The Kubernetes API Server advertises a public certificate for TLS.
+    This certificate includes an email address, that may provide additional information for an attacker on your
+    organization, or be abused for further email based attacks."""
 
     def __init__(self, email):
         Vulnerability.__init__(
@@ -23,7 +25,7 @@ class CertificateEmail(Vulnerability, Event):
             vid="KHV021",
         )
         self.email = email
-        self.evidence = "email: {}".format(self.email)
+        self.evidence = f"email: {self.email}"
 
 
 @handler.subscribe(Service)

kube_hunter/modules/hunting/cves.py

@@ -104,7 +104,7 @@ class IncompleteFixToKubectlCpVulnerability(Vulnerability, Event):
             vid="KHV027",
         )
         self.binary_version = binary_version
-        self.evidence = "kubectl version: {}".format(self.binary_version)
+        self.evidence = f"kubectl version: {self.binary_version}"
 
 
 class KubectlCpVulnerability(Vulnerability, Event):
@@ -120,7 +120,7 @@ class KubectlCpVulnerability(Vulnerability, Event):
             vid="KHV028",
         )
         self.binary_version = binary_version
-        self.evidence = "kubectl version: {}".format(self.binary_version)
+        self.evidence = f"kubectl version: {self.binary_version}"
 
 
 class CveUtils:

kube_hunter/modules/hunting/dns.py

@@ -25,7 +25,7 @@ class PossibleDnsSpoofing(Vulnerability, Event):
             vid="KHV030",
         )
         self.kubedns_pod_ip = kubedns_pod_ip
-        self.evidence = "kube-dns at: {}".format(self.kubedns_pod_ip)
+        self.evidence = f"kube-dns at: {self.kubedns_pod_ip}"
 
 
 # Only triggered with RunningAsPod base event

kube_hunter/modules/hunting/kubelet.py

@@ -35,10 +35,7 @@ class ExposedPodsHandler(Vulnerability, Event):
 
     def __init__(self, pods):
         Vulnerability.__init__(
-            self,
-            component=Kubelet,
-            name="Exposed Pods",
-            category=InformationDisclosure,
+            self, component=Kubelet, name="Exposed Pods", category=InformationDisclosure, vid="KHV052"
         )
         self.pods = pods
         self.evidence = f"count: {len(self.pods)}"
@@ -84,7 +81,7 @@ class ExposedRunningPodsHandler(Vulnerability, Event):
             vid="KHV038",
         )
         self.count = count
-        self.evidence = "{} running pods".format(self.count)
+        self.evidence = f"{self.count} running pods"
 
 
 class ExposedExecHandler(Vulnerability, Event):
@@ -347,27 +344,23 @@ class SecureKubeletPortHunter(Hunter):
 
         # need further investigation on websockets protocol for further implementation
         def test_port_forward(self):
-            config = get_config()
-            headers = {
-                "Upgrade": "websocket",
-                "Connection": "Upgrade",
-                "Sec-Websocket-Key": "s",
-                "Sec-Websocket-Version": "13",
-                "Sec-Websocket-Protocol": "SPDY",
-            }
-            pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
-                pod_namespace=self.pod["namespace"],
-                pod_id=self.pod["name"],
-                port=80,
-            )
-            self.session.get(
-                pf_url,
-                headers=headers,
-                verify=False,
-                stream=True,
-                timeout=config.network_timeout,
-            ).status_code == 200
+            pass
             # TODO: what to return?
+            # Example starting code:
+            #
+            # config = get_config()
+            # headers = {
+            #     "Upgrade": "websocket",
+            #     "Connection": "Upgrade",
+            #     "Sec-Websocket-Key": "s",
+            #     "Sec-Websocket-Version": "13",
+            #     "Sec-Websocket-Protocol": "SPDY",
+            # }
+            # pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
+            #     pod_namespace=self.pod["namespace"],
+            #     pod_id=self.pod["name"],
+            #     port=80,
+            # )
 
         # executes one command and returns output
         def test_run_container(self):
@@ -378,8 +371,9 @@ class SecureKubeletPortHunter(Hunter):
                 container_name="test",
                 cmd="",
             )
-            # if we get a Method Not Allowed, we know we passed Authentication and Authorization.
-            return self.session.get(run_url, verify=False, timeout=config.network_timeout).status_code == 405
+            # if we get this message, we know we passed Authentication and Authorization, and that the endpoint is enabled.
+            status_code = self.session.post(run_url, verify=False, timeout=config.network_timeout).status_code
+            return status_code == requests.codes.NOT_FOUND
 
         # returns list of currently running pods
         def test_running_pods(self):
@@ -532,7 +526,7 @@ class ProveAnonymousAuth(ActiveHunter):
 
     def __init__(self, event):
         self.event = event
-        self.base_url = "https://{host}:10250/".format(host=self.event.host)
+        self.base_url = f"https://{self.event.host}:10250/"
 
     def get_request(self, url, verify=False):
         config = get_config()
@@ -571,7 +565,7 @@ class ProveAnonymousAuth(ActiveHunter):
         return ProveAnonymousAuth.has_no_error(result) and ProveAnonymousAuth.has_no_exception(result)
 
     def cat_command(self, run_request_url, full_file_path):
-        return self.post_request(run_request_url, {"cmd": "cat {}".format(full_file_path)})
+        return self.post_request(run_request_url, {"cmd": f"cat {full_file_path}"})
 
     def process_container(self, run_request_url):
         service_account_token = self.cat_command(run_request_url, "/var/run/secrets/kubernetes.io/serviceaccount/token")
@@ -608,7 +602,7 @@ class ProveAnonymousAuth(ActiveHunter):
                 for container_data in pod_data["spec"]["containers"]:
                     container_name = container_data["name"]
 
-                    run_request_url = self.base_url + "run/{}/{}/{}".format(pod_namespace, pod_id, container_name)
+                    run_request_url = self.base_url + f"run/{pod_namespace}/{pod_id}/{container_name}"
 
                     extracted_data = self.process_container(run_request_url)
 
@@ -617,11 +611,11 @@ class ProveAnonymousAuth(ActiveHunter):
                         environment_variables = extracted_data["environment_variables"]
 
                         temp_message += (
-                            "\n\nPod namespace: {}".format(pod_namespace)
-                            + "\n\nPod ID: {}".format(pod_id)
-                            + "\n\nContainer name: {}".format(container_name)
-                            + "\n\nService account token: {}".format(service_account_token)
-                            + "\nEnvironment variables: {}".format(environment_variables)
+                            f"\n\nPod namespace: {pod_namespace}"
+                            + f"\n\nPod ID: {pod_id}"
+                            + f"\n\nContainer name: {container_name}"
+                            + f"\n\nService account token: {service_account_token}"
+                            + f"\nEnvironment variables: {environment_variables}"
                         )
 
                         first_check = container_data.get("securityContext", {}).get("privileged")
@@ -646,7 +640,7 @@ class ProveAnonymousAuth(ActiveHunter):
             if temp_message:
                 message = "The following containers have been successfully breached." + temp_message
 
-                self.event.evidence = "{}".format(message)
+                self.event.evidence = f"{message}"
 
             if exposed_existing_privileged_containers:
                 self.publish_event(
@@ -666,7 +660,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
 
     def __init__(self, event, seconds_to_wait_for_os_command=1):
         self.event = event
-        self.base_url = "https://{host}:10250/".format(host=self.event.host)
+        self.base_url = f"https://{self.event.host}:10250/"
         self.seconds_to_wait_for_os_command = seconds_to_wait_for_os_command
         self.number_of_rm_attempts = 5
         self.number_of_rmdir_attempts = 5
@@ -685,7 +679,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
             return "Exception: " + str(ex)
 
     def cat_command(self, run_request_url, full_file_path):
-        return self.post_request(run_request_url, {"cmd": "cat {}".format(full_file_path)})
+        return self.post_request(run_request_url, {"cmd": f"cat {full_file_path}"})
 
     def clean_attacked_exposed_existing_privileged_container(
         self,
@@ -701,7 +695,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
 
         self.rm_command(
             run_request_url,
-            "{}/etc/cron.daily/{}".format(directory_created, file_created),
+            f"{directory_created}/etc/cron.daily/{file_created}",
             number_of_rm_attempts,
             seconds_to_wait_for_os_command,
         )
@@ -729,9 +723,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
     def rm_command(self, run_request_url, file_to_remove, number_of_rm_attempts, seconds_to_wait_for_os_command):
         if self.check_file_exists(run_request_url, file_to_remove):
             for _ in range(number_of_rm_attempts):
-                command_execution_outcome = self.post_request(
-                    run_request_url, {"cmd": "rm -f {}".format(file_to_remove)}
-                )
+                command_execution_outcome = self.post_request(run_request_url, {"cmd": f"rm -f {file_to_remove}"})
 
                 if seconds_to_wait_for_os_command:
                     time.sleep(seconds_to_wait_for_os_command)
@@ -758,10 +750,10 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
         return False
 
     def chmod_command(self, run_request_url, permissions, file):
-        return self.post_request(run_request_url, {"cmd": "chmod {} {}".format(permissions, file)})
+        return self.post_request(run_request_url, {"cmd": f"chmod {permissions} {file}"})
 
     def touch_command(self, run_request_url, file_to_create):
-        return self.post_request(run_request_url, {"cmd": "touch {}".format(file_to_create)})
+        return self.post_request(run_request_url, {"cmd": f"touch {file_to_create}"})
 
     def attack_exposed_existing_privileged_container(
         self, run_request_url, directory_created, number_of_rm_attempts, seconds_to_wait_for_os_command, file_name=None
@@ -769,7 +761,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
         if file_name is None:
             file_name = "kube-hunter" + str(uuid.uuid1())
 
-        file_name_with_path = "{}/etc/cron.daily/{}".format(directory_created, file_name)
+        file_name_with_path = f"{directory_created}/etc/cron.daily/{file_name}"
 
         file_created = self.touch_command(run_request_url, file_name_with_path)
 
@@ -797,9 +789,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
     ):
         if self.check_directory_exists(run_request_url, directory_to_remove):
             for _ in range(number_of_rmdir_attempts):
-                command_execution_outcome = self.post_request(
-                    run_request_url, {"cmd": "rmdir {}".format(directory_to_remove)}
-                )
+                command_execution_outcome = self.post_request(run_request_url, {"cmd": f"rmdir {directory_to_remove}"})
 
                 if seconds_to_wait_for_os_command:
                     time.sleep(seconds_to_wait_for_os_command)
@@ -826,7 +816,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
         return False
 
     def ls_command(self, run_request_url, file_or_directory):
-        return self.post_request(run_request_url, {"cmd": "ls {}".format(file_or_directory)})
+        return self.post_request(run_request_url, {"cmd": f"ls {file_or_directory}"})
 
     def umount_command(
         self,
@@ -844,7 +834,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
             for _ in range(number_of_umount_attempts):
                 # Ref: http://man7.org/linux/man-pages/man2/umount.2.html
                 command_execution_outcome = self.post_request(
-                    run_request_url, {"cmd": "umount {} {}".format(file_system_or_partition, directory)}
+                    run_request_url, {"cmd": f"umount {file_system_or_partition} {directory}"}
                 )
 
                 if seconds_to_wait_for_os_command:
@@ -875,16 +865,16 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
 
     def mount_command(self, run_request_url, file_system_or_partition, directory):
         # Ref: http://man7.org/linux/man-pages/man1/mkdir.1.html
-        return self.post_request(run_request_url, {"cmd": "mount {} {}".format(file_system_or_partition, directory)})
+        return self.post_request(run_request_url, {"cmd": f"mount {file_system_or_partition} {directory}"})
 
     def mkdir_command(self, run_request_url, directory_to_create):
         # Ref: http://man7.org/linux/man-pages/man1/mkdir.1.html
-        return self.post_request(run_request_url, {"cmd": "mkdir {}".format(directory_to_create)})
+        return self.post_request(run_request_url, {"cmd": f"mkdir {directory_to_create}"})
 
     def findfs_command(self, run_request_url, file_system_or_partition_type, file_system_or_partition):
         # Ref: http://man7.org/linux/man-pages/man8/findfs.8.html
         return self.post_request(
-            run_request_url, {"cmd": "findfs {}{}".format(file_system_or_partition_type, file_system_or_partition)}
+            run_request_url, {"cmd": f"findfs {file_system_or_partition_type}{file_system_or_partition}"}
         )
 
     def get_root_values(self, command_line):
@@ -943,9 +933,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
                             )
 
                             if ProveAnonymousAuth.has_no_error_nor_exception(mounted_file_system_or_partition):
-                                host_name = self.cat_command(
-                                    run_request_url, "{}/etc/hostname".format(directory_created)
-                                )
+                                host_name = self.cat_command(run_request_url, f"{directory_created}/etc/hostname")
 
                                 if ProveAnonymousAuth.has_no_error_nor_exception(host_name):
                                     return {
@@ -979,7 +967,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
             pod_id = exposed_existing_privileged_containers["pod_id"]
             container_name = exposed_existing_privileged_containers["container_name"]
 
-            run_request_url = self.base_url + "run/{}/{}/{}".format(pod_namespace, pod_id, container_name)
+            run_request_url = self.base_url + f"run/{pod_namespace}/{pod_id}/{container_name}"
 
             is_exposed_existing_privileged_container_privileged = self.process_exposed_existing_privileged_container(
                 run_request_url,
@@ -1029,7 +1017,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
                 + temp_message
             )
 
-            self.event.evidence = "{}".format(message)
+            self.event.evidence = f"{message}"
         else:
             message = (
                 "The following exposed existing privileged containers"
@@ -1038,7 +1026,7 @@ class MaliciousIntentViaSecureKubeletPort(ActiveHunter):
                 + temp_message
             )
 
-            self.event.evidence = "{}".format(message)
+            self.event.evidence = f"{message}"
 
 
 @handler.subscribe(ExposedRunHandler)
@@ -1145,11 +1133,16 @@ class ProveSystemLogs(ActiveHunter):
             f"{self.base_url}/" + KubeletHandlers.LOGS.value.format(path="audit/audit.log"),
             verify=False,
             timeout=config.network_timeout,
-        ).text
-        logger.debug(f"Audit log of host {self.event.host}: {audit_logs[:10]}")
-        # iterating over proctitles and converting them into readable strings
-        proctitles = []
-        for proctitle in re.findall(r"proctitle=(\w+)", audit_logs):
-            proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
-        self.event.proctitles = proctitles
-        self.event.evidence = f"audit log: {proctitles}"
+        )
+
+        # TODO: add more methods for proving system logs
+        if audit_logs.status_code == requests.status_codes.codes.OK:
+            logger.debug(f"Audit log of host {self.event.host}: {audit_logs.text[:10]}")
+            # iterating over proctitles and converting them into readable strings
+            proctitles = []
+            for proctitle in re.findall(r"proctitle=(\w+)", audit_logs.text):
+                proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
+            self.event.proctitles = proctitles
+            self.event.evidence = f"audit log: {proctitles}"
+        else:
+            self.event.evidence = "Could not parse system logs"

kube_hunter/modules/hunting/mounts.py

@@ -32,7 +32,7 @@ class WriteMountToVarLog(Vulnerability, Event):
             vid="KHV047",
         )
         self.pods = pods
-        self.evidence = "pods: {}".format(", ".join((pod["metadata"]["name"] for pod in self.pods)))
+        self.evidence = "pods: {}".format(", ".join(pod["metadata"]["name"] for pod in self.pods))
 
 
 class DirectoryTraversalWithKubelet(Vulnerability, Event):
@@ -47,7 +47,7 @@ class DirectoryTraversalWithKubelet(Vulnerability, Event):
             category=PrivilegeEscalation,
         )
         self.output = output
-        self.evidence = "output: {}".format(self.output)
+        self.evidence = f"output: {self.output}"
 
 
 @handler.subscribe(ExposedPodsHandler)

kube_hunter/modules/report/base.py

@@ -7,6 +7,9 @@ from kube_hunter.modules.report.collector import (
     vulnerabilities_lock,
 )
 
+BASE_KB_LINK = "https://avd.aquasec.com/"
+FULL_KB_LINK = "https://avd.aquasec.com/kube-hunter/{vid}/"
+
 
 class BaseReporter:
     def get_nodes(self):
@@ -38,6 +41,7 @@ class BaseReporter:
                     "vulnerability": vuln.get_name(),
                     "description": vuln.explain(),
                     "evidence": str(vuln.evidence),
+                    "avd_reference": FULL_KB_LINK.format(vid=vuln.get_vid().lower()),
                     "hunter": vuln.hunter.get_name(),
                 }
                 for vuln in vulnerabilities
@@ -63,6 +67,4 @@ class BaseReporter:
         if statistics:
             report["hunter_statistics"] = self.get_hunter_statistics()
 
-        report["kburl"] = "https://aquasecurity.github.io/kube-hunter/kb/{vid}"
-
         return report

kube_hunter/modules/report/plain.py

@@ -1,6 +1,6 @@
 from prettytable import ALL, PrettyTable
 
-from kube_hunter.modules.report.base import BaseReporter
+from kube_hunter.modules.report.base import BaseReporter, BASE_KB_LINK
 from kube_hunter.modules.report.collector import (
     services,
     vulnerabilities,
@@ -11,7 +11,6 @@ from kube_hunter.modules.report.collector import (
 
 EVIDENCE_PREVIEW = 100
 MAX_TABLE_WIDTH = 20
-KB_LINK = "https://github.com/aquasecurity/kube-hunter/tree/master/docs/_kb"
 
 
 class PlainReporter(BaseReporter):
@@ -60,7 +59,7 @@ class PlainReporter(BaseReporter):
             if service.event_id not in id_memory:
                 nodes_table.add_row(["Node/Master", service.host])
                 id_memory.add(service.event_id)
-        nodes_ret = "\nNodes\n{}\n".format(nodes_table)
+        nodes_ret = f"\nNodes\n{nodes_table}\n"
         services_lock.release()
         return nodes_ret
 
@@ -114,7 +113,7 @@ class PlainReporter(BaseReporter):
         return (
             "\nVulnerabilities\n"
             "For further information about a vulnerability, search its ID in: \n"
-            f"{KB_LINK}\n{vuln_table}\n"
+            f"{BASE_KB_LINK}\n{vuln_table}\n"
         )
 
     def hunters_table(self):

pyinstaller_hooks/hook-prettytable.py

@@ -0,0 +1,3 @@
+from PyInstaller.utils.hooks import collect_all
+
+datas, binaries, hiddenimports = collect_all("prettytable")

setup.py

@@ -41,6 +41,8 @@ class PyInstallerCommand(Command):
         cfg.read("setup.cfg")
         command = [
             "pyinstaller",
+            "--additional-hooks-dir",
+            "pyinstaller_hooks",
             "--clean",
             "--onefile",
             "--name",

tests/discovery/test_apiserver.py

@@ -123,7 +123,7 @@ def test_InsecureApiServer():
 
 # We should only generate an ApiServer event for a response that looks like it came from a Kubernetes node
 @handler.subscribe(ApiServer)
-class testApiServer(object):
+class testApiServer:
     def __init__(self, event):
         print("Event")
         assert event.host == "mockKubernetes"

tests/discovery/test_hosts.py

@@ -1,4 +1,12 @@
 # flake8: noqa: E402
+from kube_hunter.modules.discovery.hosts import (
+    FromPodHostDiscovery,
+    RunningAsPodEvent,
+    HostScanEvent,
+    HostDiscoveryHelpers,
+)
+from kube_hunter.core.types import Hunter
+from kube_hunter.core.events import handler
 import json
 import requests_mock
 import pytest
@@ -9,19 +17,10 @@ from kube_hunter.conf import Config, get_config, set_config
 
 set_config(Config())
 
-from kube_hunter.core.events import handler
-from kube_hunter.core.types import Hunter
-from kube_hunter.modules.discovery.hosts import (
-    FromPodHostDiscovery,
-    RunningAsPodEvent,
-    HostScanEvent,
-    HostDiscoveryHelpers,
-)
-
 
 class TestFromPodHostDiscovery:
     @staticmethod
-    def _make_response(*subnets: List[tuple]) -> str:
+    def _make_azure_response(*subnets: List[tuple]) -> str:
         return json.dumps(
             {
                 "network": {
@@ -32,6 +31,10 @@ class TestFromPodHostDiscovery:
             }
         )
 
+    @staticmethod
+    def _make_aws_response(*data: List[str]) -> str:
+        return "\n".join(data)
+
     def test_is_azure_pod_request_fail(self):
         f = FromPodHostDiscovery(RunningAsPodEvent())
 
@@ -47,12 +50,125 @@ class TestFromPodHostDiscovery:
         with requests_mock.Mocker() as m:
             m.get(
                 "http://169.254.169.254/metadata/instance?api-version=2017-08-01",
-                text=TestFromPodHostDiscovery._make_response(("3.4.5.6", "255.255.255.252")),
+                text=TestFromPodHostDiscovery._make_azure_response(("3.4.5.6", "255.255.255.252")),
             )
             result = f.is_azure_pod()
 
         assert result
 
+    def test_is_aws_pod_v1_request_fail(self):
+        f = FromPodHostDiscovery(RunningAsPodEvent())
+
+        with requests_mock.Mocker() as m:
+            m.get("http://169.254.169.254/latest/meta-data/", status_code=404)
+            result = f.is_aws_pod_v1()
+
+        assert not result
+
+    def test_is_aws_pod_v1_success(self):
+        f = FromPodHostDiscovery(RunningAsPodEvent())
+
+        with requests_mock.Mocker() as m:
+            m.get(
+                "http://169.254.169.254/latest/meta-data/",
+                text=TestFromPodHostDiscovery._make_aws_response(
+                    "\n".join(
+                        (
+                            "ami-id",
+                            "ami-launch-index",
+                            "ami-manifest-path",
+                            "block-device-mapping/",
+                            "events/",
+                            "hostname",
+                            "iam/",
+                            "instance-action",
+                            "instance-id",
+                            "instance-type",
+                            "local-hostname",
+                            "local-ipv4",
+                            "mac",
+                            "metrics/",
+                            "network/",
+                            "placement/",
+                            "profile",
+                            "public-hostname",
+                            "public-ipv4",
+                            "public-keys/",
+                            "reservation-id",
+                            "security-groups",
+                            "services/",
+                        )
+                    ),
+                ),
+            )
+            result = f.is_aws_pod_v1()
+
+        assert result
+
+    def test_is_aws_pod_v2_request_fail(self):
+        f = FromPodHostDiscovery(RunningAsPodEvent())
+
+        with requests_mock.Mocker() as m:
+            m.put(
+                "http://169.254.169.254/latest/api/token/",
+                headers={"X-aws-ec2-metatadata-token-ttl-seconds": "21600"},
+                status_code=404,
+            )
+            m.get(
+                "http://169.254.169.254/latest/meta-data/",
+                headers={"X-aws-ec2-metatadata-token": "token"},
+                status_code=404,
+            )
+            result = f.is_aws_pod_v2()
+
+        assert not result
+
+    def test_is_aws_pod_v2_success(self):
+        f = FromPodHostDiscovery(RunningAsPodEvent())
+
+        with requests_mock.Mocker() as m:
+            m.put(
+                "http://169.254.169.254/latest/api/token/",
+                headers={"X-aws-ec2-metatadata-token-ttl-seconds": "21600"},
+                text=TestFromPodHostDiscovery._make_aws_response("token"),
+            )
+            m.get(
+                "http://169.254.169.254/latest/meta-data/",
+                headers={"X-aws-ec2-metatadata-token": "token"},
+                text=TestFromPodHostDiscovery._make_aws_response(
+                    "\n".join(
+                        (
+                            "ami-id",
+                            "ami-launch-index",
+                            "ami-manifest-path",
+                            "block-device-mapping/",
+                            "events/",
+                            "hostname",
+                            "iam/",
+                            "instance-action",
+                            "instance-id",
+                            "instance-type",
+                            "local-hostname",
+                            "local-ipv4",
+                            "mac",
+                            "metrics/",
+                            "network/",
+                            "placement/",
+                            "profile",
+                            "public-hostname",
+                            "public-ipv4",
+                            "public-keys/",
+                            "reservation-id",
+                            "security-groups",
+                            "services/",
+                        )
+                    ),
+                ),
+            )
+            result = f.is_aws_pod_v2()
+
+        assert result
+
     def test_execute_scan_cidr(self):
         set_config(Config(cidr="1.2.3.4/30"))
         f = FromPodHostDiscovery(RunningAsPodEvent())
@@ -90,7 +206,7 @@ class TestDiscoveryUtils:
     def test_generate_hosts_valid_ignore():
         remove = IPAddress("192.168.1.8")
         scan = "192.168.1.0/24"
-        expected = set(ip for ip in IPNetwork(scan) if ip != remove)
+        expected = {ip for ip in IPNetwork(scan) if ip != remove}
 
         actual = set(HostDiscoveryHelpers.generate_hosts([scan, f"!{str(remove)}"]))
 

tests/hunting/test_aks.py

@@ -3,54 +3,47 @@ import requests_mock
 
 from kube_hunter.conf import Config, set_config
 
+import json
+
 set_config(Config())
 
-from kube_hunter.modules.hunting.kubelet import ExposedRunHandler
+from kube_hunter.modules.hunting.kubelet import ExposedPodsHandler
 from kube_hunter.modules.hunting.aks import AzureSpnHunter
 
 
 def test_AzureSpnHunter():
-    e = ExposedRunHandler()
-    e.host = "mockKubernetes"
-    e.port = 443
-    e.protocol = "https"
-
+    e = ExposedPodsHandler(pods=[])
     pod_template = '{{"items":[ {{"apiVersion":"v1","kind":"Pod","metadata":{{"name":"etc","namespace":"default"}},"spec":{{"containers":[{{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{{"mountPath":"/mp","name":"v"}}]}}],"volumes":[{{"hostPath":{{"path":"{}"}},"name":"v"}}]}}}} ]}}'
 
     bad_paths = ["/", "/etc", "/etc/", "/etc/kubernetes", "/etc/kubernetes/azure.json"]
     good_paths = ["/yo", "/etc/yo", "/etc/kubernetes/yo.json"]
 
     for p in bad_paths:
-        with requests_mock.Mocker() as m:
-            m.get("https://mockKubernetes:443/pods", text=pod_template.format(p))
-            h = AzureSpnHunter(e)
-            c = h.get_key_container()
-            assert c
+        e.pods = json.loads(pod_template.format(p))["items"]
+        h = AzureSpnHunter(e)
+        c = h.get_key_container()
+        assert c
 
     for p in good_paths:
-        with requests_mock.Mocker() as m:
-            m.get("https://mockKubernetes:443/pods", text=pod_template.format(p))
-            h = AzureSpnHunter(e)
-            c = h.get_key_container()
-            assert c == None
-
-    with requests_mock.Mocker() as m:
-        pod_no_volume_mounts = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}],"volumes":[{"hostPath":{"path":"/whatever"},"name":"v"}]}} ]}'
-        m.get("https://mockKubernetes:443/pods", text=pod_no_volume_mounts)
+        e.pods = json.loads(pod_template.format(p))["items"]
         h = AzureSpnHunter(e)
         c = h.get_key_container()
         assert c == None
 
-    with requests_mock.Mocker() as m:
-        pod_no_volumes = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}]}} ]}'
-        m.get("https://mockKubernetes:443/pods", text=pod_no_volumes)
-        h = AzureSpnHunter(e)
-        c = h.get_key_container()
-        assert c == None
+    pod_no_volume_mounts = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}],"volumes":[{"hostPath":{"path":"/whatever"},"name":"v"}]}} ]}'
+    e.pods = json.loads(pod_no_volume_mounts)["items"]
+    h = AzureSpnHunter(e)
+    c = h.get_key_container()
+    assert c == None
 
-    with requests_mock.Mocker() as m:
-        pod_other_volume = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{"mountPath":"/mp","name":"v"}]}],"volumes":[{"emptyDir":{},"name":"v"}]}} ]}'
-        m.get("https://mockKubernetes:443/pods", text=pod_other_volume)
-        h = AzureSpnHunter(e)
-        c = h.get_key_container()
-        assert c == None
+    pod_no_volumes = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}]}} ]}'
+    e.pods = json.loads(pod_no_volumes)["items"]
+    h = AzureSpnHunter(e)
+    c = h.get_key_container()
+    assert c == None
+
+    pod_other_volume = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{"mountPath":"/mp","name":"v"}]}],"volumes":[{"emptyDir":{},"name":"v"}]}} ]}'
+    e.pods = json.loads(pod_other_volume)["items"]
+    h = AzureSpnHunter(e)
+    c = h.get_key_container()
+    assert c == None

tests/hunting/test_apiserver_hunter.py

@@ -122,7 +122,7 @@ def test_AccessApiServer():
 
 
 @handler.subscribe(ListNamespaces)
-class test_ListNamespaces(object):
+class test_ListNamespaces:
     def __init__(self, event):
         print("ListNamespaces")
         assert event.evidence == ["hello"]
@@ -135,7 +135,7 @@ class test_ListNamespaces(object):
 
 
 @handler.subscribe(ListPodsAndNamespaces)
-class test_ListPodsAndNamespaces(object):
+class test_ListPodsAndNamespaces:
     def __init__(self, event):
         print("ListPodsAndNamespaces")
         assert len(event.evidence) == 2
@@ -158,7 +158,7 @@ class test_ListPodsAndNamespaces(object):
 
 # Should never see this because the API call in the test returns 403 status code
 @handler.subscribe(ListRoles)
-class test_ListRoles(object):
+class test_ListRoles:
     def __init__(self, event):
         print("ListRoles")
         assert 0
@@ -169,7 +169,7 @@ class test_ListRoles(object):
 # Should only see this when we have a token because the API call returns an empty list of items
 # in the test where we have no token
 @handler.subscribe(ListClusterRoles)
-class test_ListClusterRoles(object):
+class test_ListClusterRoles:
     def __init__(self, event):
         print("ListClusterRoles")
         assert event.auth_token == "so-secret"
@@ -178,7 +178,7 @@ class test_ListClusterRoles(object):
 
 
 @handler.subscribe(ServerApiAccess)
-class test_ServerApiAccess(object):
+class test_ServerApiAccess:
     def __init__(self, event):
         print("ServerApiAccess")
         if event.category == UnauthenticatedAccess:
@@ -191,7 +191,7 @@ class test_ServerApiAccess(object):
 
 
 @handler.subscribe(ApiServerPassiveHunterFinished)
-class test_PassiveHunterFinished(object):
+class test_PassiveHunterFinished:
     def __init__(self, event):
         print("PassiveHunterFinished")
         assert event.namespaces == ["hello"]
@@ -276,12 +276,12 @@ def test_AccessApiServerActive():
 
 
 @handler.subscribe(CreateANamespace)
-class test_CreateANamespace(object):
+class test_CreateANamespace:
     def __init__(self, event):
         assert "abcde" in event.evidence
 
 
 @handler.subscribe(DeleteANamespace)
-class test_DeleteANamespace(object):
+class test_DeleteANamespace:
     def __init__(self, event):
         assert "2019-02-26" in event.evidence

tests/hunting/test_certificates.py

@@ -37,6 +37,6 @@ rceJuGsnJEQ=
 
 
 @handler.subscribe(CertificateEmail)
-class test_CertificateEmail(object):
+class test_CertificateEmail:
     def __init__(self, event):
         assert event.email == b"build@nodejs.org0"

tests/hunting/test_cvehunting.py

@@ -41,7 +41,7 @@ def test_K8sCveHunter():
 
 
 @handler.subscribe(ServerApiVersionEndPointAccessPE)
-class test_CVE_2018_1002105(object):
+class test_CVE_2018_1002105:
     def __init__(self, event):
         global cve_counter
         cve_counter += 1

tests/hunting/test_kubelet.py

@@ -270,7 +270,7 @@ def test_proveanonymousauth_connectivity_issues():
 
 
 @handler.subscribe(ExposedExistingPrivilegedContainersViaSecureKubeletPort)
-class ExposedPrivilegedContainersViaAnonymousAuthEnabledInSecureKubeletPortEventCounter(object):
+class ExposedPrivilegedContainersViaAnonymousAuthEnabledInSecureKubeletPortEventCounter:
     def __init__(self, event):
         global counter
         counter += 1
@@ -371,9 +371,9 @@ def test_attack_exposed_existing_privileged_container_success():
         run_url = url + "run/kube-hunter-privileged/kube-hunter-privileged-deployment-86dc79f945-sjjps/ubuntu?cmd="
         directory_created = "/kube-hunter-mock_" + str(uuid.uuid1())
         file_name = "kube-hunter-mock" + str(uuid.uuid1())
-        file_name_with_path = "{}/etc/cron.daily/{}".format(directory_created, file_name)
+        file_name_with_path = f"{directory_created}/etc/cron.daily/{file_name}"
 
-        session_mock.post(run_url + urllib.parse.quote("touch {}".format(file_name_with_path), safe=""), text="")
+        session_mock.post(run_url + urllib.parse.quote(f"touch {file_name_with_path}", safe=""), text="")
         session_mock.post(
             run_url + urllib.parse.quote("chmod {} {}".format("755", file_name_with_path), safe=""), text=""
         )
@@ -395,12 +395,12 @@ def test_attack_exposed_existing_privileged_container_failure_when_touch():
     with requests_mock.Mocker(session=class_being_tested.event.session) as session_mock:
         directory_created = "/kube-hunter-mock_" + str(uuid.uuid1())
         file_name = "kube-hunter-mock" + str(uuid.uuid1())
-        file_name_with_path = "{}/etc/cron.daily/{}".format(directory_created, file_name)
+        file_name_with_path = f"{directory_created}/etc/cron.daily/{file_name}"
 
         url = "https://localhost:10250/"
         run_url = url + "run/kube-hunter-privileged/kube-hunter-privileged-deployment-86dc79f945-sjjps/ubuntu?cmd="
         session_mock.post(
-            run_url + urllib.parse.quote("touch {}".format(file_name_with_path), safe=""),
+            run_url + urllib.parse.quote(f"touch {file_name_with_path}", safe=""),
             text="Operation not permitted",
         )
 
@@ -420,11 +420,11 @@ def test_attack_exposed_existing_privileged_container_failure_when_chmod():
     with requests_mock.Mocker(session=class_being_tested.event.session) as session_mock:
         directory_created = "/kube-hunter-mock_" + str(uuid.uuid1())
         file_name = "kube-hunter-mock" + str(uuid.uuid1())
-        file_name_with_path = "{}/etc/cron.daily/{}".format(directory_created, file_name)
+        file_name_with_path = f"{directory_created}/etc/cron.daily/{file_name}"
 
         url = "https://localhost:10250/"
         run_url = url + "run/kube-hunter-privileged/kube-hunter-privileged-deployment-86dc79f945-sjjps/ubuntu?cmd="
-        session_mock.post(run_url + urllib.parse.quote("touch {}".format(file_name_with_path), safe=""), text="")
+        session_mock.post(run_url + urllib.parse.quote(f"touch {file_name_with_path}", safe=""), text="")
         session_mock.post(
             run_url + urllib.parse.quote("chmod {} {}".format("755", file_name_with_path), safe=""),
             text="Permission denied",
@@ -547,12 +547,12 @@ def test_process_exposed_existing_privileged_container_success():
 
         session_mock.post(run_url + urllib.parse.quote("cat /proc/cmdline", safe=""), text=cat_proc_cmdline)
         session_mock.post(run_url + urllib.parse.quote("findfs LABEL=Mock", safe=""), text="/dev/mock_fs")
-        session_mock.post(run_url + urllib.parse.quote("mkdir {}".format(directory_created), safe=""), text="")
+        session_mock.post(run_url + urllib.parse.quote(f"mkdir {directory_created}", safe=""), text="")
         session_mock.post(
             run_url + urllib.parse.quote("mount {} {}".format("/dev/mock_fs", directory_created), safe=""), text=""
         )
         session_mock.post(
-            run_url + urllib.parse.quote("cat {}/etc/hostname".format(directory_created), safe=""), text="mockhostname"
+            run_url + urllib.parse.quote(f"cat {directory_created}/etc/hostname", safe=""), text="mockhostname"
         )
 
         return_value = class_being_tested.process_exposed_existing_privileged_container(
@@ -619,9 +619,7 @@ def test_process_exposed_existing_privileged_container_failure_when_mkdir():
 
         session_mock.post(run_url + urllib.parse.quote("cat /proc/cmdline", safe=""), text=cat_proc_cmdline)
         session_mock.post(run_url + urllib.parse.quote("findfs LABEL=Mock", safe=""), text="/dev/mock_fs")
-        session_mock.post(
-            run_url + urllib.parse.quote("mkdir {}".format(directory_created), safe=""), text="Permission denied"
-        )
+        session_mock.post(run_url + urllib.parse.quote(f"mkdir {directory_created}", safe=""), text="Permission denied")
 
         return_value = class_being_tested.process_exposed_existing_privileged_container(
             url + "run/kube-hunter-privileged/kube-hunter-privileged-deployment-86dc79f945-sjjps/ubuntu",
@@ -644,7 +642,7 @@ def test_process_exposed_existing_privileged_container_failure_when_mount():
 
         session_mock.post(run_url + urllib.parse.quote("cat /proc/cmdline", safe=""), text=cat_proc_cmdline)
         session_mock.post(run_url + urllib.parse.quote("findfs LABEL=Mock", safe=""), text="/dev/mock_fs")
-        session_mock.post(run_url + urllib.parse.quote("mkdir {}".format(directory_created), safe=""), text="")
+        session_mock.post(run_url + urllib.parse.quote(f"mkdir {directory_created}", safe=""), text="")
         session_mock.post(
             run_url + urllib.parse.quote("mount {} {}".format("/dev/mock_fs", directory_created), safe=""),
             text="Permission denied",
@@ -671,12 +669,12 @@ def test_process_exposed_existing_privileged_container_failure_when_cat_hostname
 
         session_mock.post(run_url + urllib.parse.quote("cat /proc/cmdline", safe=""), text=cat_proc_cmdline)
         session_mock.post(run_url + urllib.parse.quote("findfs LABEL=Mock", safe=""), text="/dev/mock_fs")
-        session_mock.post(run_url + urllib.parse.quote("mkdir {}".format(directory_created), safe=""), text="")
+        session_mock.post(run_url + urllib.parse.quote(f"mkdir {directory_created}", safe=""), text="")
         session_mock.post(
             run_url + urllib.parse.quote("mount {} {}".format("/dev/mock_fs", directory_created), safe=""), text=""
         )
         session_mock.post(
-            run_url + urllib.parse.quote("cat {}/etc/hostname".format(directory_created), safe=""),
+            run_url + urllib.parse.quote(f"cat {directory_created}/etc/hostname", safe=""),
             text="Permission denied",
         )
 
@@ -699,18 +697,18 @@ def test_maliciousintentviasecurekubeletport_success():
         run_url = url + "run/kube-hunter-privileged/kube-hunter-privileged-deployment-86dc79f945-sjjps/ubuntu?cmd="
         directory_created = "/kube-hunter-mock_" + str(uuid.uuid1())
         file_name = "kube-hunter-mock" + str(uuid.uuid1())
-        file_name_with_path = "{}/etc/cron.daily/{}".format(directory_created, file_name)
+        file_name_with_path = f"{directory_created}/etc/cron.daily/{file_name}"
 
         session_mock.post(run_url + urllib.parse.quote("cat /proc/cmdline", safe=""), text=cat_proc_cmdline)
         session_mock.post(run_url + urllib.parse.quote("findfs LABEL=Mock", safe=""), text="/dev/mock_fs")
-        session_mock.post(run_url + urllib.parse.quote("mkdir {}".format(directory_created), safe=""), text="")
+        session_mock.post(run_url + urllib.parse.quote(f"mkdir {directory_created}", safe=""), text="")
         session_mock.post(
             run_url + urllib.parse.quote("mount {} {}".format("/dev/mock_fs", directory_created), safe=""), text=""
         )
         session_mock.post(
-            run_url + urllib.parse.quote("cat {}/etc/hostname".format(directory_created), safe=""), text="mockhostname"
+            run_url + urllib.parse.quote(f"cat {directory_created}/etc/hostname", safe=""), text="mockhostname"
         )
-        session_mock.post(run_url + urllib.parse.quote("touch {}".format(file_name_with_path), safe=""), text="")
+        session_mock.post(run_url + urllib.parse.quote(f"touch {file_name_with_path}", safe=""), text="")
         session_mock.post(
             run_url + urllib.parse.quote("chmod {} {}".format("755", file_name_with_path), safe=""), text=""
         )