aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0

Azure Cloud Checks - Make Optional #107

Open goffinf opened 5 years ago

goffinf commented 5 years ago

I note that there is a check whether the cluster is deployed into Azure Cloud .. see below.

I don't have a problem with that per se, except that in a corporate environment I don't want to request a proxy whitelist exception with my CISO for an endpoint that we have no use for (http://www.azurespeed.com). Moreover, whilst this test will eventually time out and the checks resume, it delays the process by whatever our default timeout is (120 secs I think), which is not ideal.

Could you make this check optional using something like this ...

parser.add_argument('--azurechk', action="store_true", help="whether to check if the cluster is deployed on azure cloud - defaults to true")
...
class HostDiscoveryHelpers:
    @staticmethod
    def get_cloud(host):
        if config.azurechk:
            ...

Kind Regards

Fraser.

class HostDiscoveryHelpers:
    @staticmethod
    def get_cloud(host):
        if config.azurechk:
            try:
                logging.debug("Checking whether the cluster is deployed on azure's cloud")
                metadata = requests.get("http://www.azurespeed.com/api/region?ipOrUrl={ip}".format(ip=host)).text
            except requests.ConnectionError as e:
                logging.info("- unable to check cloud: {0}".format(e))
                return
            # metadata is only bound when the check ran, so inspect it inside the guard
            if "cloud" in metadata:
                return json.loads(metadata)["cloud"]

shubb30 commented 5 years ago

I would like to see this too. I can't have a security tool making calls to the outside.
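
An added sketch of the opt-in gate requested in this thread; it is not part of the issue and not kube-hunter's own code. It keeps the `--azurechk` name and the endpoint from the issue, while the `--cloud-timeout` flag, the `http_get` helper and the injectable `fetch` parameter are assumptions, and it uses the standard library's urllib rather than requests so that it runs without dependencies.

```python
import argparse
import json
import logging
import urllib.parse
import urllib.request

# Endpoint quoted in the issue; the rest of this sketch is assumed, not project code.
AZURE_LOOKUP = "http://www.azurespeed.com/api/region?ipOrUrl={ip}"


def build_parser():
    parser = argparse.ArgumentParser()
    # store_true means the flag is False unless passed: no outbound call by default.
    parser.add_argument("--azurechk", action="store_true",
                        help="query the external Azure lookup service (default: off)")
    # Hypothetical flag: bounds how long a blocked proxy can stall discovery.
    parser.add_argument("--cloud-timeout", type=float, default=3.0,
                        help="seconds to wait for the lookup")
    return parser


def http_get(url, timeout):
    """Default fetcher (hypothetical helper): return the response body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def get_cloud(host, config, fetch=http_get):
    """Return the cloud name for host, or None when disabled or unavailable."""
    if not config.azurechk:
        logging.debug("Cloud check disabled; no outbound request made")
        return None
    url = AZURE_LOOKUP.format(ip=urllib.parse.quote(host, safe=""))
    try:
        metadata = json.loads(fetch(url, config.cloud_timeout))
    except (OSError, ValueError) as e:  # proxy block, timeout, non-JSON reply
        logging.info("- unable to check cloud: %s", e)
        return None
    return metadata.get("cloud") if isinstance(metadata, dict) else None


if __name__ == "__main__":
    args = build_parser().parse_args()
    print(get_cloud("10.0.0.1", args))  # constructed sample host
```

Because the fetcher is a parameter, a unit test can assert that a default run never touches the network, which is the property both commenters ask for.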