Merge branch 'master' into fix_audit_log_proving

.github/PULL_REQUEST_TEMPLATE.md

@@ -7,7 +7,7 @@
 Please include a summary of the change and which issue is fixed. Also include relevant motivation and context. List any dependencies that are required for this change.
 
 ## Contribution Guidelines
-Please Read through the [Contribution Guidelines](https://github.com/aquasecurity/kube-hunter/blob/main/CONTRIBUTING.md).
+Please Read through the [Contribution Guidelines](https://github.com/aquasecurity/kube-hunter/blob/master/CONTRIBUTING.md).
 
 ## Fixed Issues
 

.github/workflows/greetings.yml

@@ -0,0 +1,14 @@
+name: Greetings
+
+on: [pull_request, issues]
+
+jobs:
+  greeting:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/first-interaction@v1
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        issue-message: "Hola! @${{ github.actor }} 🥳 , You've just created an Issue!🌟 Thanks for making the Project Better"
+        pr-message: 'Submitted a PR already ?? @${{ github.actor }} . Sit tight until one of our amazing maintainers review it. Make sure you read the contributing guide'
+ 

.github/workflows/lint.yml

@@ -1,14 +0,0 @@
----
-name: Lint
-
-on: [push, pull_request]
-
-jobs:
-  build:
-    runs-on: ubuntu-20.04
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - uses: pre-commit/action@v2.0.0
-      - uses: ibiqlik/action-yamllint@v3

.github/workflows/publish.yml

@@ -1,65 +0,0 @@
----
-name: Publish
-on:
-  push:
-    tags:
-      - "v*"
-env:
-  ALIAS: aquasecurity
-  REP: kube-hunter
-jobs:
-  publish:
-    name: Publish
-    runs-on: ubuntu-18.04
-    steps:
-      - name: Check Out Repo
-        uses: actions/checkout@v2
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildxarch-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildxarch-
-      - name: Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to ECR
-        uses: docker/login-action@v1
-        with:
-          registry: public.ecr.aws
-          username: ${{ secrets.ECR_ACCESS_KEY_ID }}
-          password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
-      - name: Get version
-        id: get_version
-        uses: crazy-max/ghaction-docker-meta@v1
-        with:
-          images: ${{ env.REP }}
-          tag-semver: |
-            {{version}}
-
-      - name: Build and push - Docker/ECR
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64
-          builder: ${{ steps.buildx.outputs.name }}
-          push: true
-          tags: |
-            ${{ secrets.DOCKERHUB_USER }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
-            public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:${{ steps.get_version.outputs.version }}
-            ${{ secrets.DOCKERHUB_USER }}/${{ env.REP }}:latest
-            public.ecr.aws/${{ env.ALIAS }}/${{ env.REP }}:latest
-          cache-from: type=local,src=/tmp/.buildx-cache/release
-          cache-to: type=local,mode=max,dest=/tmp/.buildx-cache/release
-
-      - name: Image digest
-        run: echo ${{ steps.docker_build.outputs.digest }}

.github/workflows/release.yml

@@ -1,53 +0,0 @@
----
-on:
-  push:
-    # Sequence of patterns matched against refs/tags
-    tags:
-      - 'v*'  # Push events to matching v*, i.e. v1.0, v20.15.10
-
-name: Release
-
-jobs:
-  build:
-    name: Upload Release Asset
-    runs-on: ubuntu-16.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Set up Python
-        uses: actions/setup-python@v2
-        with:
-          python-version: '3.9'
-
-      - name: Install dependencies
-        run: |
-          python -m pip install -U pip
-          python -m pip install -r requirements-dev.txt
-
-      - name: Build project
-        shell: bash
-        run: |
-          make pyinstaller
-
-      - name: Create Release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: ${{ github.ref }}
-          draft: false
-          prerelease: false
-
-      - name: Upload Release Asset
-        id: upload-release-asset
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./dist/kube-hunter
-          asset_name: kube-hunter-linux-x86_64-${{ github.ref }}
-          asset_content_type: application/octet-stream

.github/workflows/test.yml

@@ -1,55 +0,0 @@
----
-name: Test
-
-on: [push, pull_request]
-
-env:
-  FORCE_COLOR: 1
-
-jobs:
-  build:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.6", "3.7", "3.8", "3.9"]
-        os: [ubuntu-20.04, ubuntu-18.04, ubuntu-16.04]
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Get pip cache dir
-        id: pip-cache
-        run: |
-          echo "::set-output name=dir::$(pip cache dir)"
-
-      - name: Cache
-        uses: actions/cache@v2
-        with:
-          path: ${{ steps.pip-cache.outputs.dir }}
-          key:
-            ${{ matrix.os }}-${{ matrix.python-version }}-${{ hashFiles('requirements-dev.txt') }}
-          restore-keys: |
-            ${{ matrix.os }}-${{ matrix.python-version }}-
-
-      - name: Install dependencies
-        run: |
-          python -m pip install -U pip
-          python -m pip install -U wheel
-          python -m pip install -r requirements.txt
-          python -m pip install -r requirements-dev.txt
-
-      - name: Test
-        shell: bash
-        run: |
-          make test
-
-      - name: Upload coverage
-        uses: codecov/codecov-action@v1
-        with:
-          name: ${{ matrix.os }} Python ${{ matrix.python-version }}

.pre-commit-config.yaml

@@ -1,11 +1,10 @@
----
 repos:
-  - repo: https://github.com/psf/black
-    rev: stable
-    hooks:
-      - id: black
-  - repo: https://gitlab.com/pycqa/flake8
-    rev: 3.7.9
-    hooks:
-      - id: flake8
-        additional_dependencies: [flake8-bugbear]
+- repo: https://github.com/psf/black
+  rev: stable
+  hooks:
+  - id: black
+- repo: https://gitlab.com/pycqa/flake8
+  rev: 3.7.9
+  hooks:
+    - id: flake8
+      additional_dependencies: [flake8-bugbear]

.travis.yml

@@ -0,0 +1,21 @@
+group: travis_latest
+language: python
+cache: pip
+python:
+    - "3.6"
+    - "3.7"
+    - "3.8"
+    - "3.9"
+install:
+  - pip install -r requirements.txt
+  - pip install -r requirements-dev.txt
+before_script:
+  - make lint-check
+script:
+  - make test
+after_success:
+  -  bash <(curl -s https://codecov.io/bash)
+notifications:
+  email:
+    on_success: change
+    on_failure: always

.yamllint

@@ -1,6 +0,0 @@
----
-extends: default
-
-rules:
-  line-length: disable
-  truthy: disable

README.md

@@ -1,18 +1,12 @@
-![kube-hunter](https://github.com/aquasecurity/kube-hunter/blob/main/kube-hunter.png)
+![kube-hunter](https://github.com/aquasecurity/kube-hunter/blob/master/kube-hunter.png)
 
-[![GitHub Release][release-img]][release]
-![Downloads][download]
-![Docker Pulls][docker-pull]
-[![Build Status](https://github.com/aquasecurity/kube-hunter/workflows/Test/badge.svg)](https://github.com/aquasecurity/kube-hunter/actions)
-[![codecov](https://codecov.io/gh/aquasecurity/kube-hunter/branch/main/graph/badge.svg)](https://codecov.io/gh/aquasecurity/kube-hunter)
+[![Build Status](https://travis-ci.org/aquasecurity/kube-hunter.svg?branch=master)](https://travis-ci.org/aquasecurity/kube-hunter)
+[![codecov](https://codecov.io/gh/aquasecurity/kube-hunter/branch/master/graph/badge.svg)](https://codecov.io/gh/aquasecurity/kube-hunter)
 [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
-[![License](https://img.shields.io/github/license/aquasecurity/kube-hunter)](https://github.com/aquasecurity/kube-hunter/blob/main/LICENSE)
+[![License](https://img.shields.io/github/license/aquasecurity/kube-hunter)](https://github.com/aquasecurity/kube-hunter/blob/master/LICENSE)
 [![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-hunter.svg)](https://microbadger.com/images/aquasec/kube-hunter "Get your own image badge on microbadger.com")
 
-[download]: https://img.shields.io/github/downloads/aquasecurity/kube-hunter/total?logo=github
-[release-img]: https://img.shields.io/github/release/aquasecurity/kube-hunter.svg?logo=github
-[release]: https://github.com/aquasecurity/kube-hunter/releases
-[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-hunter?logo=docker&label=docker%20pulls%20%2F%20kube-hunter
+
 
 kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. **You should NOT run kube-hunter on a Kubernetes cluster that you don't own!**
 
@@ -20,9 +14,9 @@ kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was d
 
 **Explore vulnerabilities**: The kube-hunter knowledge base includes articles about discoverable vulnerabilities and issues. When kube-hunter reports an issue, it will show its VID (Vulnerability ID) so you can look it up in the KB at https://aquasecurity.github.io/kube-hunter/
 
-**Contribute**: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your modules please read [Guidelines For Developing Your First kube-hunter Module](https://github.com/aquasecurity/kube-hunter/blob/main/CONTRIBUTING.md).
+**Contribute**: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your modules please read [Guidelines For Developing Your First kube-hunter Module](https://github.com/aquasecurity/kube-hunter/blob/master/CONTRIBUTING.md).
 
-[![kube-hunter demo video](https://github.com/aquasecurity/kube-hunter/blob/main/kube-hunter-screenshot.png)](https://youtu.be/s2-6rTkH8a8?t=57s)
+[![kube-hunter demo video](https://github.com/aquasecurity/kube-hunter/blob/master/kube-hunter-screenshot.png)](https://youtu.be/s2-6rTkH8a8?t=57s)
 
 Table of Contents
 =================
@@ -182,7 +176,7 @@ The example `job.yaml` file defines a Job that will run kube-hunter in a pod, us
 * View the test results with `kubectl logs <pod name>`
 
 ## Contribution 
-To read the contribution guidelines, <a href="https://github.com/aquasecurity/kube-hunter/blob/main/CONTRIBUTING.md"> Click here </a>
+To read the contribution guidelines, <a href="https://github.com/aquasecurity/kube-hunter/blob/master/CONTRIBUTING.md"> Click here </a>
 
 ## License
-This repository is available under the [Apache License 2.0](https://github.com/aquasecurity/kube-hunter/blob/main/LICENSE).
+This repository is available under the [Apache License 2.0](https://github.com/aquasecurity/kube-hunter/blob/master/LICENSE).

SECURITY.md

@@ -1,17 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-| Version   | Supported          |
-| --------- | ------------------ |
-| 0.4.x | :white_check_mark: |
-| 0.3.x   | :white_check_mark: |
-
-## Reporting a Vulnerability
-We encourage you to find vulnerabilities in kube-hunter.
-The process is simple, just report a Bug issue. and we will take a look at this.
-If you prefer to disclose privately, you can write to one of the security maintainers at:
-
-| Name        | Email              |
-| ----------- | ------------------ |
-| Daniel Sagi | daniel.sagi@aquasec.com |

docs/Gemfile.lock

@@ -67,7 +67,7 @@ GEM
       jekyll-theme-time-machine (= 0.1.1)
       jekyll-titles-from-headings (= 0.5.1)
       jemoji (= 0.10.2)
-      kramdown (>= 2.3.0)
+      kramdown (= 1.17.0)
       liquid (= 4.0.0)
       listen (= 3.1.5)
       mercenary (~> 0.3)

docs/_config.yml

@@ -1,7 +1,6 @@
----
 title: kube-hunter
 description: Kube-hunter hunts for security weaknesses in Kubernetes clusters
-logo: https://raw.githubusercontent.com/aquasecurity/kube-hunter/main/kube-hunter.png
+logo: https://raw.githubusercontent.com/aquasecurity/kube-hunter/master/kube-hunter.png
 show_downloads: false
 google_analytics: UA-63272154-1
 theme: jekyll-theme-minimal
@@ -11,7 +10,7 @@ collections:
 defaults:
   -
     scope:
-      path: ""  # an empty string here means all files in the project
+      path: "" # an empty string here means all files in the project
     values:
       layout: "default"
 

job.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -7,9 +6,9 @@ spec:
   template:
     spec:
       containers:
-        - name: kube-hunter
-          image: aquasec/kube-hunter
-          command: ["kube-hunter"]
-          args: ["--pod"]
+      - name: kube-hunter
+        image: aquasec/kube-hunter 
+        command: ["kube-hunter"]
+        args: ["--pod"]
       restartPolicy: Never
   backoffLimit: 4

kube_hunter/modules/discovery/hosts.py

@@ -5,7 +5,8 @@ import requests
 
 from enum import Enum
 from netaddr import IPNetwork, IPAddress, AddrFormatError
-from netifaces import AF_INET, ifaddresses, interfaces, gateways
+from netifaces import AF_INET, ifaddresses, interfaces
+from scapy.all import ICMP, IP, Ether, srp1
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.events import handler
@@ -108,7 +109,7 @@ class FromPodHostDiscovery(Discovery):
             if self.is_azure_pod():
                 subnets, cloud = self.azure_metadata_discovery()
             else:
-                subnets = self.gateway_discovery()
+                subnets = self.traceroute_discovery()
 
             should_scan_apiserver = False
             if self.event.kubeservicehost:
@@ -140,9 +141,14 @@ class FromPodHostDiscovery(Discovery):
             return False
 
     # for pod scanning
-    def gateway_discovery(self):
-        """ Retrieving default gateway of pod, which is usually also a contact point with the host """
-        return [[gateways()["default"][AF_INET][0], "24"]]
+    def traceroute_discovery(self):
+        config = get_config()
+        node_internal_ip = srp1(
+            Ether() / IP(dst="1.1.1.1", ttl=1) / ICMP(),
+            verbose=0,
+            timeout=config.network_timeout,
+        )[IP].src
+        return [[node_internal_ip, "24"]]
 
     # querying azure's interface metadata api | works only from a pod
     def azure_metadata_discovery(self):

kube_hunter/modules/hunting/aks.py

@@ -1,10 +1,9 @@
-import os
 import json
 import logging
 import requests
 
 from kube_hunter.conf import get_config
-from kube_hunter.modules.hunting.kubelet import ExposedPodsHandler, SecureKubeletPortHunter
+from kube_hunter.modules.hunting.kubelet import ExposedRunHandler
 from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Event, Vulnerability
 from kube_hunter.core.types import Hunter, ActiveHunter, IdentityTheft, Azure
@@ -15,7 +14,7 @@ logger = logging.getLogger(__name__)
 class AzureSpnExposure(Vulnerability, Event):
     """The SPN is exposed, potentially allowing an attacker to gain access to the Azure subscription"""
 
-    def __init__(self, container, evidence=""):
+    def __init__(self, container):
         Vulnerability.__init__(
             self,
             Azure,
@@ -24,10 +23,9 @@ class AzureSpnExposure(Vulnerability, Event):
             vid="KHV004",
         )
         self.container = container
-        self.evidence = evidence
 
 
-@handler.subscribe(ExposedPodsHandler, predicate=lambda x: x.cloud_type == "Azure")
+@handler.subscribe(ExposedRunHandler, predicate=lambda x: x.cloud == "Azure")
 class AzureSpnHunter(Hunter):
     """AKS Hunting
     Hunting Azure cluster deployments using specific known configurations
@@ -39,33 +37,35 @@ class AzureSpnHunter(Hunter):
 
     # getting a container that has access to the azure.json file
     def get_key_container(self):
+        config = get_config()
+        endpoint = f"{self.base_url}/pods"
         logger.debug("Trying to find container with access to azure.json file")
-
-        # pods are saved in the previous event object
-        pods_data = self.event.pods
-
-        suspicious_volume_names = []
-        for pod_data in pods_data:
-            for volume in pod_data["spec"].get("volumes", []):
-                if volume.get("hostPath"):
-                    path = volume["hostPath"]["path"]
-                    if "/etc/kubernetes/azure.json".startswith(path):
-                        suspicious_volume_names.append(volume["name"])
-            for container in pod_data["spec"]["containers"]:
-                for mount in container.get("volumeMounts", []):
-                    if mount["name"] in suspicious_volume_names:
-                        return {
-                            "name": container["name"],
-                            "pod": pod_data["metadata"]["name"],
-                            "namespace": pod_data["metadata"]["namespace"],
-                            "mount": mount,
-                        }
+        try:
+            r = requests.get(endpoint, verify=False, timeout=config.network_timeout)
+        except requests.Timeout:
+            logger.debug("failed getting pod info")
+        else:
+            pods_data = r.json().get("items", [])
+            suspicious_volume_names = []
+            for pod_data in pods_data:
+                for volume in pod_data["spec"].get("volumes", []):
+                    if volume.get("hostPath"):
+                        path = volume["hostPath"]["path"]
+                        if "/etc/kubernetes/azure.json".startswith(path):
+                            suspicious_volume_names.append(volume["name"])
+                for container in pod_data["spec"]["containers"]:
+                    for mount in container.get("volumeMounts", []):
+                        if mount["name"] in suspicious_volume_names:
+                            return {
+                                "name": container["name"],
+                                "pod": pod_data["metadata"]["name"],
+                                "namespace": pod_data["metadata"]["namespace"],
+                            }
 
     def execute(self):
         container = self.get_key_container()
         if container:
-            evidence = f"pod: {container['pod']}, namespace: {container['namespace']}"
-            self.publish_event(AzureSpnExposure(container=container, evidence=evidence))
+            self.publish_event(AzureSpnExposure(container=container))
 
 
 @handler.subscribe(AzureSpnExposure)
@@ -78,42 +78,14 @@ class ProveAzureSpnExposure(ActiveHunter):
         self.event = event
         self.base_url = f"https://{self.event.host}:{self.event.port}"
 
-    def test_run_capability(self):
-        """
-        Uses SecureKubeletPortHunter to test the /run handler
-        TODO: when multiple event subscription is implemented, use this here to make sure /run is accessible
-        """
-        debug_handlers = SecureKubeletPortHunter.DebugHandlers(path=self.base_url, session=self.event.session, pod=None)
-        return debug_handlers.test_run_container()
-
     def run(self, command, container):
         config = get_config()
-        run_url = f"{self.base_url}/run/{container['namespace']}/{container['pod']}/{container['name']}"
-        return self.event.session.post(run_url, verify=False, params={"cmd": command}, timeout=config.network_timeout)
-
-    def get_full_path_to_azure_file(self):
-        """
-        Returns a full path to /etc/kubernetes/azure.json
-        Taking into consideration the difference folder of the mount inside the container.
-        TODO: implement the edge case where the mount is to parent /etc folder.
-        """
-        azure_file_path = self.event.container["mount"]["mountPath"]
-
-        # taking care of cases where a subPath is added to map the specific file
-        if not azure_file_path.endswith("azure.json"):
-            azure_file_path = os.path.join(azure_file_path, "azure.json")
-
-        return azure_file_path
+        run_url = "/".join(self.base_url, "run", container["namespace"], container["pod"], container["name"])
+        return requests.post(run_url, verify=False, params={"cmd": command}, timeout=config.network_timeout)
 
     def execute(self):
-        if not self.test_run_capability():
-            logger.debug("Not proving AzureSpnExposure because /run debug handler is disabled")
-            return
-
         try:
-            azure_file_path = self.get_full_path_to_azure_file()
-            logger.debug(f"trying to access the azure.json at the resolved path: {azure_file_path}")
-            subscription = self.run(f"cat {azure_file_path}", container=self.event.container).json()
+            subscription = self.run("cat /etc/kubernetes/azure.json", container=self.event.container).json()
         except requests.Timeout:
             logger.debug("failed to run command in container", exc_info=True)
         except json.decoder.JSONDecodeError:

kube_hunter/modules/hunting/apiserver.py

@@ -56,19 +56,16 @@ class ServerApiHTTPAccess(Vulnerability, Event):
 
 
 class ApiInfoDisclosure(Vulnerability, Event):
-    """Information Disclosure depending upon RBAC permissions and Kube-Cluster Setup"""
-
     def __init__(self, evidence, using_token, name):
-        category = InformationDisclosure
         if using_token:
-            name += " using default service account token"
+            name += " using service account token"
         else:
             name += " as anonymous user"
         Vulnerability.__init__(
             self,
             KubernetesCluster,
             name=name,
-            category=category,
+            category=InformationDisclosure,
             vid="KHV007",
         )
         self.evidence = evidence

kube_hunter/modules/hunting/certificates.py

@@ -8,13 +8,11 @@ from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Vulnerability, Event, Service
 
 logger = logging.getLogger(__name__)
-email_pattern = re.compile(rb"([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)")
+email_pattern = re.compile(rb"([a-z0-9]+@[a-z0-9]+\.[a-z0-9]+)")
 
 
 class CertificateEmail(Vulnerability, Event):
-    """The Kubernetes API Server advertises a public certificate for TLS.
-    This certificate includes an email address, that may provide additional information for an attacker on your
-    organization, or be abused for further email based attacks."""
+    """Certificate includes an email address"""
 
     def __init__(self, email):
         Vulnerability.__init__(

kube_hunter/modules/hunting/kubelet.py

@@ -344,23 +344,27 @@ class SecureKubeletPortHunter(Hunter):
 
         # need further investigation on websockets protocol for further implementation
         def test_port_forward(self):
-            pass
+            config = get_config()
+            headers = {
+                "Upgrade": "websocket",
+                "Connection": "Upgrade",
+                "Sec-Websocket-Key": "s",
+                "Sec-Websocket-Version": "13",
+                "Sec-Websocket-Protocol": "SPDY",
+            }
+            pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
+                pod_namespace=self.pod["namespace"],
+                pod_id=self.pod["name"],
+                port=80,
+            )
+            self.session.get(
+                pf_url,
+                headers=headers,
+                verify=False,
+                stream=True,
+                timeout=config.network_timeout,
+            ).status_code == 200
             # TODO: what to return?
-            # Example starting code:
-            #
-            # config = get_config()
-            # headers = {
-            #     "Upgrade": "websocket",
-            #     "Connection": "Upgrade",
-            #     "Sec-Websocket-Key": "s",
-            #     "Sec-Websocket-Version": "13",
-            #     "Sec-Websocket-Protocol": "SPDY",
-            # }
-            # pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
-            #     pod_namespace=self.pod["namespace"],
-            #     pod_id=self.pod["name"],
-            #     port=80,
-            # )
 
         # executes one command and returns output
         def test_run_container(self):
@@ -371,9 +375,8 @@ class SecureKubeletPortHunter(Hunter):
                 container_name="test",
                 cmd="",
             )
-            # if we get this message, we know we passed Authentication and Authorization, and that the endpoint is enabled.
-            status_code = self.session.post(run_url, verify=False, timeout=config.network_timeout).status_code
-            return status_code == requests.codes.NOT_FOUND
+            # if we get a Method Not Allowed, we know we passed Authentication and Authorization.
+            return self.session.get(run_url, verify=False, timeout=config.network_timeout).status_code == 405
 
         # returns list of currently running pods
         def test_running_pods(self):

pyinstaller_hooks/hook-prettytable.py

@@ -1,3 +0,0 @@
-from PyInstaller.utils.hooks import collect_all
-
-datas, binaries, hiddenimports = collect_all("prettytable")

setup.py

@@ -41,8 +41,6 @@ class PyInstallerCommand(Command):
         cfg.read("setup.cfg")
         command = [
             "pyinstaller",
-            "--additional-hooks-dir",
-            "pyinstaller_hooks",
             "--clean",
             "--onefile",
             "--name",

tests/hunting/test_aks.py

@@ -3,47 +3,54 @@ import requests_mock
 
 from kube_hunter.conf import Config, set_config
 
-import json
-
 set_config(Config())
 
-from kube_hunter.modules.hunting.kubelet import ExposedPodsHandler
+from kube_hunter.modules.hunting.kubelet import ExposedRunHandler
 from kube_hunter.modules.hunting.aks import AzureSpnHunter
 
 
 def test_AzureSpnHunter():
-    e = ExposedPodsHandler(pods=[])
+    e = ExposedRunHandler()
+    e.host = "mockKubernetes"
+    e.port = 443
+    e.protocol = "https"
+
     pod_template = '{{"items":[ {{"apiVersion":"v1","kind":"Pod","metadata":{{"name":"etc","namespace":"default"}},"spec":{{"containers":[{{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{{"mountPath":"/mp","name":"v"}}]}}],"volumes":[{{"hostPath":{{"path":"{}"}},"name":"v"}}]}}}} ]}}'
 
     bad_paths = ["/", "/etc", "/etc/", "/etc/kubernetes", "/etc/kubernetes/azure.json"]
     good_paths = ["/yo", "/etc/yo", "/etc/kubernetes/yo.json"]
 
     for p in bad_paths:
-        e.pods = json.loads(pod_template.format(p))["items"]
-        h = AzureSpnHunter(e)
-        c = h.get_key_container()
-        assert c
+        with requests_mock.Mocker() as m:
+            m.get("https://mockKubernetes:443/pods", text=pod_template.format(p))
+            h = AzureSpnHunter(e)
+            c = h.get_key_container()
+            assert c
 
     for p in good_paths:
-        e.pods = json.loads(pod_template.format(p))["items"]
+        with requests_mock.Mocker() as m:
+            m.get("https://mockKubernetes:443/pods", text=pod_template.format(p))
+            h = AzureSpnHunter(e)
+            c = h.get_key_container()
+            assert c == None
+
+    with requests_mock.Mocker() as m:
+        pod_no_volume_mounts = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}],"volumes":[{"hostPath":{"path":"/whatever"},"name":"v"}]}} ]}'
+        m.get("https://mockKubernetes:443/pods", text=pod_no_volume_mounts)
         h = AzureSpnHunter(e)
         c = h.get_key_container()
         assert c == None
 
-    pod_no_volume_mounts = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}],"volumes":[{"hostPath":{"path":"/whatever"},"name":"v"}]}} ]}'
-    e.pods = json.loads(pod_no_volume_mounts)["items"]
-    h = AzureSpnHunter(e)
-    c = h.get_key_container()
-    assert c == None
+    with requests_mock.Mocker() as m:
+        pod_no_volumes = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}]}} ]}'
+        m.get("https://mockKubernetes:443/pods", text=pod_no_volumes)
+        h = AzureSpnHunter(e)
+        c = h.get_key_container()
+        assert c == None
 
-    pod_no_volumes = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test"}]}} ]}'
-    e.pods = json.loads(pod_no_volumes)["items"]
-    h = AzureSpnHunter(e)
-    c = h.get_key_container()
-    assert c == None
-
-    pod_other_volume = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{"mountPath":"/mp","name":"v"}]}],"volumes":[{"emptyDir":{},"name":"v"}]}} ]}'
-    e.pods = json.loads(pod_other_volume)["items"]
-    h = AzureSpnHunter(e)
-    c = h.get_key_container()
-    assert c == None
+    with requests_mock.Mocker() as m:
+        pod_other_volume = '{"items":[ {"apiVersion":"v1","kind":"Pod","metadata":{"name":"etc","namespace":"default"},"spec":{"containers":[{"command":["sleep","99999"],"image":"ubuntu","name":"test","volumeMounts":[{"mountPath":"/mp","name":"v"}]}],"volumes":[{"emptyDir":{},"name":"v"}]}} ]}'
+        m.get("https://mockKubernetes:443/pods", text=pod_other_volume)
+        h = AzureSpnHunter(e)
+        c = h.get_key_container()
+        assert c == None