update manifest to 0.6.8 (#509)

* pin image version to job

* change docker tag format

* update semver GA

.github/workflows/publish.yml

@@ -39,7 +39,7 @@ jobs:
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
       - name: Get version
         id: get_version
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: crazy-max/ghaction-docker-meta@v3
         with:
           images: ${{ env.REP }}
           tag-semver: |

job.yaml

@@ -5,11 +5,13 @@ metadata:
   name: kube-hunter
 spec:
   template:
+    metadata:
+      labels:
+        app: kube-hunter
     spec:
       containers:
         - name: kube-hunter
-          image: aquasec/kube-hunter
+          image: aquasec/kube-hunter:0.6.8
           command: ["kube-hunter"]
           args: ["--pod"]
       restartPolicy: Never
-  backoffLimit: 4

kube_hunter/README.md

@@ -76,7 +76,7 @@ in order to prevent circular dependency bug.
 Following the above example, let's figure out the imports:  
 ```python  
 from kube_hunter.core.types import Hunter  
-from kube_hunter.core.events import handler  
+from kube_hunter.core.events.event_handler import handler  
   
 from kube_hunter.core.events.types import OpenPortEvent  
   
@@ -206,7 +206,7 @@ __Make sure to return the event from the execute method, or the event will not g
  
 For example, if you don't want to hunt services found on a localhost IP, you can create the following module, in the `kube_hunter/modules/report/`
 ```python
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Service, EventFilterBase
 
 @handler.subscribe(Service)
@@ -222,7 +222,7 @@ That means other Hunters that are subscribed to this Service will not get trigge
 That opens up a wide variety of possible operations, as this not only can __filter out__ events, but you can actually __change event attributes__, for example:
 
 ```python
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.types import InformationDisclosure
 from kube_hunter.core.events.types import Vulnerability, EventFilterBase
 

kube_hunter/__main__.py

@@ -22,6 +22,7 @@ config = Config(
     log_file=args.log_file,
     mapping=args.mapping,
     network_timeout=args.network_timeout,
+    num_worker_threads=args.num_worker_threads,
     pod=args.pod,
     quick=args.quick,
     remote=args.remote,
@@ -38,7 +39,7 @@ set_config(config)
 # Running all other registered plugins before execution
 pm.hook.load_plugin(args=args)
 
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import HuntFinished, HuntStarted
 from kube_hunter.modules.discovery.hosts import RunningAsPodEvent, HostScanEvent
 from kube_hunter.modules.report import get_reporter, get_dispatcher

kube_hunter/conf/__init__.py

@@ -20,6 +20,7 @@ class Config:
     - log_file: Log File path
     - mapping: Report only found components
     - network_timeout: Timeout for network operations
+    - num_worker_threads: Add a flag --threads to change the default 800 thread count of the event handler
     - pod: From pod scanning mode
     - quick: Quick scanning mode
     - remote: Hosts to scan
@@ -36,6 +37,7 @@ class Config:
     log_file: Optional[str] = None
     mapping: bool = False
     network_timeout: float = 5.0
+    num_worker_threads: int = 800
     pod: bool = False
     quick: bool = False
     remote: Optional[str] = None

kube_hunter/conf/parser.py

@@ -133,6 +133,14 @@ def parser_add_arguments(parser):
 
     parser.add_argument("--network-timeout", type=float, default=5.0, help="network operations timeout")
 
+    parser.add_argument(
+        "--num-worker-threads",
+        type=int,
+        default=800,
+        help="In some environments the default thread count (800) can cause the process to crash. "
+        "In the case of a crash try lowering the thread count",
+    )
+
 
 def parse_args(add_args_hook):
     """

kube_hunter/core/events/__init__.py

@@ -1,3 +1,2 @@
 # flake8: noqa: E402
-from .handler import EventQueue, handler
 from . import types

kube_hunter/core/events/event_handler.py

@@ -366,4 +366,5 @@ class EventQueue(Queue):
             self.queue.clear()
 
 
-handler = EventQueue(800)
+config = get_config()
+handler = EventQueue(config.num_worker_threads)

kube_hunter/core/types/hunters.py

@@ -19,7 +19,7 @@ class HunterBase:
     def publish_event(self, event):
         # Import here to avoid circular import from events package.
         # imports are cached in python so this should not affect runtime
-        from ..events import handler  # noqa
+        from ..events.event_handler import handler  # noqa
 
         handler.publish_event(event, caller=self)
 

kube_hunter/modules/discovery/apiserver.py

@@ -2,7 +2,7 @@ import logging
 import requests
 
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import OpenPortEvent, Service, Event, EventFilterBase
 
 from kube_hunter.conf import get_config

kube_hunter/modules/discovery/dashboard.py

@@ -3,7 +3,7 @@ import logging
 import requests
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, OpenPortEvent, Service
 from kube_hunter.core.types import Discovery
 

kube_hunter/modules/discovery/etcd.py

@@ -1,4 +1,4 @@
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, OpenPortEvent, Service
 from kube_hunter.core.types import Discovery
 

kube_hunter/modules/discovery/hosts.py

@@ -9,7 +9,7 @@ from netifaces import AF_INET, ifaddresses, interfaces, gateways
 
 from kube_hunter.conf import get_config
 from kube_hunter.modules.discovery.kubernetes_client import list_all_k8s_cluster_nodes
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, NewHostEvent, Vulnerability
 from kube_hunter.core.types import Discovery, AWS, Azure, InstanceMetadataApiTechnique
 

kube_hunter/modules/discovery/kubectl.py

@@ -2,7 +2,7 @@ import logging
 import subprocess
 
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import HuntStarted, Event
 
 logger = logging.getLogger(__name__)

kube_hunter/modules/discovery/kubelet.py

@@ -5,7 +5,7 @@ from enum import Enum
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import OpenPortEvent, Event, Service
 
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

kube_hunter/modules/discovery/ports.py

@@ -2,7 +2,7 @@ import logging
 from socket import socket
 
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import NewHostEvent, OpenPortEvent
 
 logger = logging.getLogger(__name__)

kube_hunter/modules/discovery/proxy.py

@@ -3,7 +3,7 @@ import requests
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.types import Discovery
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Service, Event, OpenPortEvent
 
 logger = logging.getLogger(__name__)

kube_hunter/modules/hunting/aks.py

@@ -5,7 +5,7 @@ import requests
 
 from kube_hunter.conf import get_config
 from kube_hunter.modules.hunting.kubelet import ExposedPodsHandler, SecureKubeletPortHunter
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, Vulnerability
 from kube_hunter.core.types import Hunter, ActiveHunter, MountServicePrincipalTechnique, Azure
 

kube_hunter/modules/hunting/apiserver.py

@@ -5,7 +5,7 @@ import requests
 
 from kube_hunter.conf import get_config
 from kube_hunter.modules.discovery.apiserver import ApiServer
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event, K8sVersionDisclosure
 from kube_hunter.core.types import Hunter, ActiveHunter, KubernetesCluster
 from kube_hunter.core.types.vulnerabilities import (

kube_hunter/modules/hunting/capabilities.py

@@ -2,7 +2,7 @@ import socket
 import logging
 
 from kube_hunter.modules.discovery.hosts import RunningAsPodEvent
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, Vulnerability
 from kube_hunter.core.types import Hunter, ARPPoisoningTechnique, KubernetesCluster
 

kube_hunter/modules/hunting/certificates.py

@@ -4,7 +4,7 @@ import base64
 import re
 
 from kube_hunter.core.types import Hunter, KubernetesCluster, GeneralSensitiveInformationTechnique
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event, Service
 
 logger = logging.getLogger(__name__)

kube_hunter/modules/hunting/cves.py

@@ -2,7 +2,7 @@ import logging
 from packaging import version
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 from kube_hunter.core.events.types import K8sVersionDisclosure, Vulnerability, Event
 from kube_hunter.core.types import (

kube_hunter/modules/hunting/dashboard.py

@@ -4,7 +4,7 @@ import requests
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.types import Hunter, AccessK8sDashboardTechnique, KubernetesCluster
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event
 from kube_hunter.modules.discovery.dashboard import KubeDashboardEvent
 

kube_hunter/modules/hunting/etcd.py

@@ -2,7 +2,7 @@ import logging
 import requests
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event, OpenPortEvent
 from kube_hunter.core.types import (
     ActiveHunter,

kube_hunter/modules/hunting/kubelet.py

@@ -9,7 +9,7 @@ import urllib3
 import uuid
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event, K8sVersionDisclosure
 from kube_hunter.core.types import (
     Hunter,

kube_hunter/modules/hunting/mounts.py

@@ -3,7 +3,7 @@ import re
 import uuid
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, Vulnerability
 from kube_hunter.core.types import ActiveHunter, Hunter, KubernetesCluster, HostPathMountPrivilegeEscalationTechnique
 from kube_hunter.modules.hunting.kubelet import (

kube_hunter/modules/hunting/proxy.py

@@ -4,7 +4,7 @@ import requests
 from enum import Enum
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Event, Vulnerability, K8sVersionDisclosure
 from kube_hunter.core.types import (
     ActiveHunter,

kube_hunter/modules/hunting/secrets.py

@@ -1,7 +1,7 @@
 import logging
 import os
 
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import Vulnerability, Event
 from kube_hunter.core.types import Hunter, KubernetesCluster, AccessContainerServiceAccountTechnique
 from kube_hunter.modules.discovery.hosts import RunningAsPodEvent

kube_hunter/modules/report/collector.py

@@ -2,7 +2,7 @@ import logging
 import threading
 
 from kube_hunter.conf import get_config
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import (
     Event,
     Service,

tests/core/test_cloud.py

@@ -1,11 +1,13 @@
+# flake8: noqa: E402
 import requests_mock
 import json
 
 from kube_hunter.conf import Config, set_config
-from kube_hunter.core.events.types import NewHostEvent
 
 set_config(Config())
 
+from kube_hunter.core.events.types import NewHostEvent
+
 
 def test_presetcloud():
     """Testing if it doesn't try to run get_cloud if the cloud type is already set.

tests/core/test_handler.py

@@ -4,7 +4,7 @@ from kube_hunter.conf import Config, set_config, get_config
 
 set_config(Config(active=True))
 
-from kube_hunter.core.events.handler import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.modules.discovery.apiserver import ApiServiceDiscovery
 from kube_hunter.modules.discovery.dashboard import KubeDashboard as KubeDashboardDiscovery
 from kube_hunter.modules.discovery.etcd import EtcdRemoteAccess as EtcdRemoteAccessDiscovery

tests/core/test_subscribe.py

@@ -3,7 +3,7 @@ import time
 from kube_hunter.conf import Config, set_config
 from kube_hunter.core.types import Hunter
 from kube_hunter.core.events.types import Event, Service
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 counter = 0
 first_run = True

tests/discovery/test_apiserver.py

@@ -8,7 +8,7 @@ set_config(Config())
 
 from kube_hunter.modules.discovery.apiserver import ApiServer, ApiServiceDiscovery
 from kube_hunter.core.events.types import Event
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 counter = 0
 

tests/discovery/test_hosts.py

@@ -6,7 +6,7 @@ from kube_hunter.modules.discovery.hosts import (
     HostDiscoveryHelpers,
 )
 from kube_hunter.core.types import Hunter
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 import json
 import requests_mock
 import pytest

tests/hunting/test_apiserver_hunter.py

@@ -23,7 +23,7 @@ from kube_hunter.modules.hunting.apiserver import ApiServerPassiveHunterFinished
 from kube_hunter.modules.hunting.apiserver import CreateANamespace, DeleteANamespace
 from kube_hunter.modules.discovery.apiserver import ApiServer
 from kube_hunter.core.types import ExposedSensitiveInterfacesTechnique, AccessK8sApiServerTechnique
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 counter = 0
 

tests/hunting/test_certificates.py

@@ -5,7 +5,7 @@ set_config(Config())
 
 from kube_hunter.core.events.types import Event
 from kube_hunter.modules.hunting.certificates import CertificateDiscovery, CertificateEmail
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 
 
 def test_CertificateDiscovery():

tests/hunting/test_cvehunting.py

@@ -5,7 +5,7 @@ from kube_hunter.conf import Config, set_config
 
 set_config(Config())
 
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.core.events.types import K8sVersionDisclosure
 from kube_hunter.modules.hunting.cves import (
     K8sClusterCveHunter,

tests/hunting/test_kubelet.py

@@ -3,7 +3,7 @@ import requests_mock
 import urllib.parse
 import uuid
 
-from kube_hunter.core.events import handler
+from kube_hunter.core.events.event_handler import handler
 from kube_hunter.modules.hunting.kubelet import (
     AnonymousAuthEnabled,
     ExposedExistingPrivilegedContainersViaSecureKubeletPort,