Make gateway discovery always run when running as pod #471

* added service account token flag to use in hunting

* added flag to main parsing config creation

* fixed linting issues

* added documentation on the service-account-token flag

* minor readme change

README.md

@@ -27,21 +27,27 @@ kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was d
 Table of Contents
 =================
 
-* [Hunting](#hunting)
-   * [Where should I run kube-hunter?](#where-should-i-run-kube-hunter)
-   * [Scanning options](#scanning-options)
-   * [Active Hunting](#active-hunting)
-   * [List of tests](#list-of-tests)
-   * [Nodes Mapping](#nodes-mapping)
-   * [Output](#output)
-   * [Dispatching](#dispatching)
-   * [Advanced Usage](#advanced-usage)
-* [Deployment](#deployment)
-   * [On Machine](#on-machine)
-      * [Prerequisites](#prerequisites)
-   * [Container](#container)
-   * [Pod](#pod)
-* [Contribution](#contribution)
+- [Table of Contents](#table-of-contents)
+  - [Hunting](#hunting)
+    - [Where should I run kube-hunter?](#where-should-i-run-kube-hunter)
+    - [Scanning options](#scanning-options)
+    - [Authentication](#authentication)
+    - [Active Hunting](#active-hunting)
+    - [List of tests](#list-of-tests)
+    - [Nodes Mapping](#nodes-mapping)
+    - [Output](#output)
+    - [Dispatching](#dispatching)
+    - [Advanced Usage](#advanced-usage)
+      - [Azure Quick Scanning](#azure-quick-scanning)
+  - [Deployment](#deployment)
+    - [On Machine](#on-machine)
+      - [Prerequisites](#prerequisites)
+        - [Install with pip](#install-with-pip)
+        - [Run from source](#run-from-source)
+    - [Container](#container)
+    - [Pod](#pod)
+  - [Contribution](#contribution)
+  - [License](#license)
          
 ## Hunting
 
@@ -53,7 +59,7 @@ Run kube-hunter on any machine (including your laptop), select Remote scanning a
 
 You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.
 
-You can also run kube-hunter in a pod within the cluster. This indicates how exposed your cluster would be if one of your application pods is compromised (through a software vulnerability, for example).
+You can also run kube-hunter in a pod within the cluster. This indicates how exposed your cluster would be if one of your application pods is compromised (through a software vulnerability, for example). (_`--pod` flag_)
 
 ### Scanning options
 
@@ -76,6 +82,26 @@ To specify interface scanning, you can use the `--interface` option (this will s
 To specify a specific CIDR to scan, use the `--cidr` option. Example:
 `kube-hunter --cidr 192.168.0.0/24`
 
+4. **Kubernetes node auto-discovery**
+
+Set `--k8s-auto-discover-nodes` flag to query Kubernetes for all nodes in the cluster, and then attempt to scan them all. By default, it will use [in-cluster config](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to connect to the Kubernetes API. If you'd like to use an explicit kubeconfig file, set `--kubeconfig /location/of/kubeconfig/file`.
+
+Also note, that this is always done when using `--pod` mode.
+
+### Authentication
+In order to mimic an attacker in it's early stages, kube-hunter requires no authentication for the hunt. 
+
+* **Impersonate** - You can provide kube-hunter with a specific service account token to use when hunting by manually passing the JWT Bearer token of the service-account secret with the `--service-account-token` flag. 
+
+   Example:
+   ```bash
+   $ kube-hunter --active --service-account-token eyJhbGciOiJSUzI1Ni...
+   ```
+
+* When runing with `--pod` flag, kube-hunter uses the service account token [mounted inside the pod](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/) to authenticate to services it finds during the hunt.
+  * if specified, `--service-account-token` flag takes priority when running as a pod
+
+
 ### Active Hunting
 
 Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, to explore for further vulnerabilities.

docs/Gemfile.lock

@@ -197,9 +197,9 @@ GEM
       html-pipeline (~> 2.2)
       jekyll (>= 3.0, < 5.0)
     kramdown (2.3.0)
-      rexml
+      rexml (>= 3.2.5)
     kramdown-parser-gfm (1.1.0)
-      kramdown (~> 2.0)
+      kramdown (>= 2.3.1)
     liquid (4.0.3)
     listen (3.4.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
@@ -212,7 +212,7 @@ GEM
       jekyll-seo-tag (~> 2.1)
     minitest (5.14.3)
     multipart-post (2.1.1)
-    nokogiri (1.11.1)
+    nokogiri (>= 1.11.4)
       mini_portile2 (~> 2.5.0)
       racc (~> 1.4)
     octokit (4.20.0)

kube_hunter/__main__.py

@@ -25,6 +25,9 @@ config = Config(
     quick=args.quick,
     remote=args.remote,
     statistics=args.statistics,
+    k8s_auto_discover_nodes=args.k8s_auto_discover_nodes,
+    service_account_token=args.service_account_token,
+    kubeconfig=args.kubeconfig,
 )
 setup_logger(args.log, args.log_file)
 set_config(config)
@@ -88,7 +91,7 @@ hunt_started = False
 
 def main():
     global hunt_started
-    scan_options = [config.pod, config.cidr, config.remote, config.interface]
+    scan_options = [config.pod, config.cidr, config.remote, config.interface, config.k8s_auto_discover_nodes]
     try:
         if args.list:
             list_hunters()

kube_hunter/conf/__init__.py

@@ -36,6 +36,9 @@ class Config:
     remote: Optional[str] = None
     reporter: Optional[Any] = None
     statistics: bool = False
+    k8s_auto_discover_nodes: bool = False
+    service_account_token: Optional[str] = None
+    kubeconfig: Optional[str] = None
 
 
 _config: Optional[Config] = None

kube_hunter/conf/parser.py

@@ -46,6 +46,34 @@ def parser_add_arguments(parser):
         help="One or more remote ip/dns to hunt",
     )
 
+    parser.add_argument(
+        "--k8s-auto-discover-nodes",
+        action="store_true",
+        help="Enables automatic detection of all nodes in a Kubernetes cluster "
+        "by quering the Kubernetes API server. "
+        "It supports both in-cluster config (when running as a pod), "
+        "and a specific kubectl config file (use --kubeconfig to set this). "
+        "By default, when this flag is set, it will use in-cluster config. "
+        "NOTE: this is automatically switched on in --pod mode.",
+    )
+
+    parser.add_argument(
+        "--service-account-token",
+        type=str,
+        metavar="JWT_TOKEN",
+        help="Manually specify the service account jwt token to use for authenticating in the hunting process "
+        "NOTE: This overrides the loading of the pod's bounded authentication when running in --pod mode",
+    )
+
+    parser.add_argument(
+        "--kubeconfig",
+        type=str,
+        metavar="KUBECONFIG",
+        default=None,
+        help="Specify the kubeconfig file to use for Kubernetes nodes auto discovery "
+        " (to be used in conjuction with the --k8s-auto-discover-nodes flag.",
+    )
+
     parser.add_argument("--active", action="store_true", help="Enables active hunting")
 
     parser.add_argument(

kube_hunter/core/events/types.py

@@ -83,6 +83,12 @@ class Service:
         self.path = path
         self.role = "Node"
 
+        # if a service account token was specified, we load it to the Service class
+        # We load it here because generally all kuberentes services could be authenticated with the token
+        config = get_config()
+        if config.service_account_token:
+            self.auth_token = config.service_account_token
+
     def get_name(self):
         return self.name
 

kube_hunter/modules/discovery/hosts.py

@@ -8,6 +8,7 @@ from netaddr import IPNetwork, IPAddress, AddrFormatError
 from netifaces import AF_INET, ifaddresses, interfaces, gateways
 
 from kube_hunter.conf import get_config
+from kube_hunter.modules.discovery.kubernetes_client import list_all_k8s_cluster_nodes
 from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Event, NewHostEvent, Vulnerability
 from kube_hunter.core.types import Discovery, InformationDisclosure, AWS, Azure
@@ -18,11 +19,17 @@ logger = logging.getLogger(__name__)
 class RunningAsPodEvent(Event):
     def __init__(self):
         self.name = "Running from within a pod"
-        self.auth_token = self.get_service_account_file("token")
         self.client_cert = self.get_service_account_file("ca.crt")
         self.namespace = self.get_service_account_file("namespace")
         self.kubeservicehost = os.environ.get("KUBERNETES_SERVICE_HOST", None)
 
+        # if service account token was manually specified, we don't load the token file
+        config = get_config()
+        if config.service_account_token:
+            self.auth_token = config.service_account_token
+        else:
+            self.auth_token = self.get_service_account_file("token")
+
     # Event's logical location to be used mainly for reports.
     def location(self):
         location = "Local to Pod"
@@ -114,20 +121,23 @@ class FromPodHostDiscovery(Discovery):
 
     def execute(self):
         config = get_config()
+        # Attempt to read all hosts from the Kubernetes API
+        for host in list_all_k8s_cluster_nodes(config.kubeconfig):
+            self.publish_event(NewHostEvent(host=host))
         # Scan any hosts that the user specified
         if config.remote or config.cidr:
             self.publish_event(HostScanEvent())
         else:
             # Discover cluster subnets, we'll scan all these hosts
-            cloud = None
+            cloud, subnets = None, list()
             if self.is_azure_pod():
                 subnets, cloud = self.azure_metadata_discovery()
             elif self.is_aws_pod_v1():
                 subnets, cloud = self.aws_metadata_v1_discovery()
             elif self.is_aws_pod_v2():
                 subnets, cloud = self.aws_metadata_v2_discovery()
-            else:
-                subnets = self.gateway_discovery()
+
+            subnets += self.gateway_discovery()
 
             should_scan_apiserver = False
             if self.event.kubeservicehost:
@@ -211,19 +221,27 @@ class FromPodHostDiscovery(Discovery):
             "http://169.254.169.254/latest/meta-data/mac",
             timeout=config.network_timeout,
         ).text
+        logger.debug(f"Extracted mac from aws's metadata v1: {mac_address}")
+
         cidr = requests.get(
             f"http://169.254.169.254/latest/meta-data/network/interfaces/macs/{mac_address}/subnet-ipv4-cidr-block",
             timeout=config.network_timeout,
-        ).text.split("/")
+        ).text
+        logger.debug(f"Trying to extract cidr from aws's metadata v1: {cidr}")
 
-        address, subnet = (cidr[0], cidr[1])
-        subnet = subnet if not config.quick else "24"
-        cidr = f"{address}/{subnet}"
-        logger.debug(f"From pod discovered subnet {cidr}")
+        try:
+            cidr = cidr.split("/")
+            address, subnet = (cidr[0], cidr[1])
+            subnet = subnet if not config.quick else "24"
+            cidr = f"{address}/{subnet}"
+            logger.debug(f"From pod discovered subnet {cidr}")
 
-        self.publish_event(AWSMetadataApi(cidr=cidr))
+            self.publish_event(AWSMetadataApi(cidr=cidr))
+            return [(address, subnet)], "AWS"
+        except Exception as x:
+            logger.debug(f"ERROR: could not parse cidr from aws metadata api: {cidr} - {x}")
 
-        return [(address, subnet)], "AWS"
+        return [], "AWS"
 
     # querying AWS's interface metadata api v2 | works only from a pod
     def aws_metadata_v2_discovery(self):
@@ -245,14 +263,19 @@ class FromPodHostDiscovery(Discovery):
             timeout=config.network_timeout,
         ).text.split("/")
 
-        address, subnet = (cidr[0], cidr[1])
-        subnet = subnet if not config.quick else "24"
-        cidr = f"{address}/{subnet}"
-        logger.debug(f"From pod discovered subnet {cidr}")
+        try:
+            address, subnet = (cidr[0], cidr[1])
+            subnet = subnet if not config.quick else "24"
+            cidr = f"{address}/{subnet}"
+            logger.debug(f"From pod discovered subnet {cidr}")
 
-        self.publish_event(AWSMetadataApi(cidr=cidr))
+            self.publish_event(AWSMetadataApi(cidr=cidr))
 
-        return [(address, subnet)], "AWS"
+            return [(address, subnet)], "AWS"
+        except Exception as x:
+            logger.debug(f"ERROR: could not parse cidr from aws metadata api: {cidr} - {x}")
+
+        return [], "AWS"
 
     # querying azure's interface metadata api | works only from a pod
     def azure_metadata_discovery(self):
@@ -298,6 +321,9 @@ class HostDiscovery(Discovery):
         elif len(config.remote) > 0:
             for host in config.remote:
                 self.publish_event(NewHostEvent(host=host))
+        elif config.k8s_auto_discover_nodes:
+            for host in list_all_k8s_cluster_nodes(config.kubeconfig):
+                self.publish_event(NewHostEvent(host=host))
 
     # for normal scanning
     def scan_interfaces(self):

kube_hunter/modules/discovery/kubernetes_client.py

@@ -0,0 +1,27 @@
+import logging
+import kubernetes
+
+
+def list_all_k8s_cluster_nodes(kube_config=None, client=None):
+    logger = logging.getLogger(__name__)
+    try:
+        if kube_config:
+            logger.debug("Attempting to use kubeconfig file: %s", kube_config)
+            kubernetes.config.load_kube_config(config_file=kube_config)
+        else:
+            logger.debug("Attempting to use in cluster Kubernetes config")
+            kubernetes.config.load_incluster_config()
+    except kubernetes.config.config_exception.ConfigException as ex:
+        logger.debug(f"Failed to initiate Kubernetes client: {ex}")
+        return
+
+    try:
+        if client is None:
+            client = kubernetes.client.CoreV1Api()
+        ret = client.list_node(watch=False)
+        logger.info("Listed %d nodes in the cluster" % len(ret.items))
+        for item in ret.items:
+            for addr in item.status.addresses:
+                yield addr.address
+    except Exception as ex:
+        logger.debug(f"Failed to list nodes from Kubernetes: {ex}")

kube_hunter/modules/hunting/mounts.py

@@ -77,15 +77,17 @@ class VarLogMountHunter(Hunter):
             self.publish_event(WriteMountToVarLog(pods=pe_pods))
 
 
-@handler.subscribe(ExposedRunHandler)
+@handler.subscribe_many([ExposedRunHandler, WriteMountToVarLog])
 class ProveVarLogMount(ActiveHunter):
     """Prove /var/log Mount Hunter
     Tries to read /etc/shadow on the host by running commands inside a pod with host mount to /var/log
     """
 
     def __init__(self, event):
-        self.event = event
-        self.base_path = f"https://{self.event.host}:{self.event.port}"
+        self.write_mount_event = self.event.get_by_class(WriteMountToVarLog)
+        self.event = self.write_mount_event
+
+        self.base_path = f"https://{self.write_mount_event.host}:{self.write_mount_event.port}"
 
     def run(self, command, container):
         run_url = KubeletHandlers.RUN.value.format(
@@ -96,20 +98,6 @@ class ProveVarLogMount(ActiveHunter):
         )
         return self.event.session.post(f"{self.base_path}/{run_url}", verify=False).text
 
-    # TODO: replace with multiple subscription to WriteMountToVarLog as well
-    def get_varlog_mounters(self):
-        config = get_config()
-        logger.debug("accessing /pods manually on ProveVarLogMount")
-        pods = self.event.session.get(
-            f"{self.base_path}/" + KubeletHandlers.PODS.value,
-            verify=False,
-            timeout=config.network_timeout,
-        ).json()["items"]
-        for pod in pods:
-            volume = VarLogMountHunter(ExposedPodsHandler(pods=pods)).has_write_mount_to(pod, "/var/log")
-            if volume:
-                yield pod, volume
-
     def mount_path_from_mountname(self, pod, mount_name):
         """returns container name, and container mount path correlated to mount_name"""
         for container in pod["spec"]["containers"]:
@@ -138,7 +126,7 @@ class ProveVarLogMount(ActiveHunter):
         return content
 
     def execute(self):
-        for pod, volume in self.get_varlog_mounters():
+        for pod, volume in self.write_mount_event.pe_pods():
             for container, mount_path in self.mount_path_from_mountname(pod, volume["name"]):
                 logger.debug("Correlated container to mount_name")
                 cont = {

setup.cfg

@@ -41,6 +41,7 @@ install_requires =
     packaging
     dataclasses
     pluggy
+    kubernetes==12.0.1
 setup_requires =
     setuptools>=30.3.0
     setuptools_scm

tests/discovery/test_k8s.py

@@ -0,0 +1,30 @@
+from kube_hunter.conf import Config, set_config
+
+from kube_hunter.modules.discovery.kubernetes_client import list_all_k8s_cluster_nodes
+from unittest.mock import MagicMock, patch
+
+set_config(Config())
+
+
+def test_client_yields_ips():
+    client = MagicMock()
+    response = MagicMock()
+    client.list_node.return_value = response
+    response.items = [MagicMock(), MagicMock()]
+    response.items[0].status.addresses = [MagicMock(), MagicMock()]
+    response.items[0].status.addresses[0].address = "127.0.0.1"
+    response.items[0].status.addresses[1].address = "127.0.0.2"
+    response.items[1].status.addresses = [MagicMock()]
+    response.items[1].status.addresses[0].address = "127.0.0.3"
+
+    with patch("kubernetes.config.load_incluster_config") as m:
+        output = list(list_all_k8s_cluster_nodes(client=client))
+        m.assert_called_once()
+
+    assert output == ["127.0.0.1", "127.0.0.2", "127.0.0.3"]
+
+
+def test_client_uses_kubeconfig():
+    with patch("kubernetes.config.load_kube_config") as m:
+        list(list_all_k8s_cluster_nodes(kube_config="/location", client=MagicMock()))
+        m.assert_called_once_with(config_file="/location")