Comments (3)
@oriagmon thoughts? You seem to be the author of this test.
I think the way we should approach this is that kube-hunter explores what information is available from various endpoints, and shows that to the user. It is really up to the user to decide whether this is a risk or not. As an example, the CIS benchmark has long recommended turning off anonymous-auth access altogether on the API server, although many considered this overkill as it prevented anonymous access to health endpoints. One person's vulnerability is another person's useful functionality.
Thanks for the reply @lizrice. That makes total sense.
The way the information is presented to the user, though, is a little scary [0]. It is not clear that this is only discovery information that can help create an attack; an attack, though, might not be possible.
[0]
Vulnerabilities
+-------------------------------------+-----------------------+----------------------+---------------------------------------------------------+----------------------------------------------+
| LOCATION                            | CATEGORY              | VULNERABILITY        | DESCRIPTION                                             | EVIDENCE                                     |
+-------------------------------------+-----------------------+----------------------+---------------------------------------------------------+----------------------------------------------+
| xxxxxxxx-xxxxxxxxxxxxxxxxxxxxx:6443 | Remote Code Execution | Access to server API | Accessing the server API within a compromised pod would | {"kind":"APIVersions","versions":["v1"], ... |
|                                     |                       |                      | help an attacker gain full control over the cluster     |                                              |
+-------------------------------------+-----------------------+----------------------+---------------------------------------------------------+----------------------------------------------+
[1]
$ kubectl describe clusterrole system:basic-user
Name:         system:basic-user
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources                                      Non-Resource URLs  Resource Names  Verbs
  ---------                                      -----------------  --------------  -----
  selfsubjectaccessreviews.authorization.k8s.io  []                 []              [create]
  selfsubjectrulesreviews.authorization.k8s.io   []                 []              [create]
$ kubectl describe clusterrole system:discovery
Name:         system:discovery
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources  Non-Resource URLs       Resource Names  Verbs
  ---------  -----------------       --------------  -----
             [/api]                  []              [get]
             [/api/*]                []              [get]
             [/apis]                 []              [get]
             [/apis/*]               []              [get]
             [/healthz]              []              [get]
             [/openapi]              []              [get]
             [/openapi/*]            []              [get]
             [/swagger-2.0.0.pb-v1]  []              [get]
             [/swagger.json]         []              [get]
             [/swaggerapi]           []              [get]
             [/swaggerapi/*]         []              [get]
             [/version]              []              [get]
             [/version/]             []              [get]
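To make the distinction drawn in this thread concrete (discovery information that the default system:discovery ClusterRole hands out versus access that actually goes beyond discovery), here is an added triage helper. It is not kube-hunter's own code: it parses the Non-Resource URLs from the `kubectl describe clusterrole system:discovery` output quoted above and labels a list of paths an unauthenticated client could GET as "info" (discovery only) or "high" (something outside the discovery role answered). The path lists are constructed sample probe results, and the rule-line regex and the resource-request heuristic are assumptions of this example, not kube-hunter or kubectl behaviour.

```python
"""Triage helper for kube-hunter's "Access to server API" finding.

Hypothetical helper, not kube-hunter's own code. It reads the non-resource
rules granted by the default system:discovery ClusterRole and sorts the
paths an unauthenticated client could GET into "discovery only" and
"beyond discovery", so the finding can be reported as informational unless
more than discovery is actually reachable.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample: `kubectl describe clusterrole system:discovery` output
# with the non-resource rules quoted in the thread.
DISCOVERY_DESCRIBE = """\
Name:         system:discovery
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate=true
PolicyRule:
  Resources  Non-Resource URLs       Resource Names  Verbs
  ---------  -----------------       --------------  -----
             [/api]                  []              [get]
             [/api/*]                []              [get]
             [/apis]                 []              [get]
             [/apis/*]               []              [get]
             [/healthz]              []              [get]
             [/openapi]              []              [get]
             [/openapi/*]            []              [get]
             [/swagger-2.0.0.pb-v1]  []              [get]
             [/swagger.json]         []              [get]
             [/swaggerapi]           []              [get]
             [/swaggerapi/*]         []              [get]
             [/version]              []              [get]
             [/version/]             []              [get]
"""

# A non-resource rule line looks like "[<url>]  [<resource names>]  [<verbs>]".
RULE_RE = re.compile(r"^\s*\[(/[^\]]*)\]\s+\[[^\]]*\]\s+\[([^\]]*)\]\s*$")

# Heuristic (assumption of this example): a version segment followed by a
# resource segment, e.g. /api/v1/pods or /apis/apps/v1/deployments, is a
# *resource* request. RBAC evaluates those against resource rules, so a
# Non-Resource URL glob such as /api/* never grants them even though the
# glob would match the string.
RESOURCE_RE = re.compile(r"^/api/[^/]+/[^/]+|^/apis/[^/]+/[^/]+/[^/]+")


def parse_non_resource_rules(describe_text):
    """Return {url_pattern: {verbs}} for every non-resource rule in the output."""
    rules = {}
    for line in describe_text.splitlines():
        match = RULE_RE.match(line)
        if match:
            rules[match.group(1)] = {v.strip() for v in match.group(2).split(",")}
    return rules


def is_resource_request(path):
    return RESOURCE_RE.match(path) is not None


def covered_by_discovery(path, rules):
    """True if a GET on `path` is granted by one of the parsed non-resource rules.
    Kubernetes treats a trailing '*' as a prefix wildcard; fnmatchcase's '*'
    also spans '/', so it behaves the same way for these patterns."""
    if is_resource_request(path):
        return False
    return any("get" in verbs and fnmatchcase(path, pattern)
               for pattern, verbs in rules.items())


def triage(reachable_paths, rules):
    """Split reachable paths into discovery-only and beyond-discovery.

    Returns (severity, discovery_only, beyond): "none" when nothing answered,
    "info" when only discovery endpoints answered, "high" when a path outside
    the discovery role answered and deserves a real look.
    """
    discovery_only, beyond = [], []
    for path in reachable_paths:
        (discovery_only if covered_by_discovery(path, rules) else beyond).append(path)
    severity = "high" if beyond else ("info" if discovery_only else "none")
    return severity, discovery_only, beyond


if __name__ == "__main__":
    rules = parse_non_resource_rules(DISCOVERY_DESCRIBE)
    # Constructed probe results: the first matches what the evidence in the
    # kube-hunter table ({"kind":"APIVersions",...} from /api) reflects; the
    # second is the kind of result that would justify a high severity.
    for sample in (["/api", "/apis", "/version", "/openapi/v2"],
                   ["/api", "/api/v1/pods"]):
        severity, disc, beyond = triage(sample, rules)
        print(f"{severity:4}  discovery={disc}  beyond={beyond}")
```

The point of the resource-request check is the edge case a plain glob misses: `/api/*` in the discovery role matches the string `/api/v1/pods`, but the API server classifies that request as a resource request and never consults the non-resource rule for it, so an anonymous answer on such a path is genuinely beyond discovery.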