Packaging Kube-Hunter for PyPi

[vipulgupta2048]

Signed-off-by: Vipul Gupta (@vipulgupta2048) vipulgupta2048@gmail.com

Description

PR to solve issue #185, package the Kube-Hunter project, upload it to PyPi and make it viable for it to be installed through pip for our users, on all platforms. Right now, it has been deployed to TestPyPi here https://test.pypi.org/project/kube-hunter/0.1.0/ Can share the credentials with the maintainers if you wish to get access.

Things to work out

• ~Making Kube-Hunter work as a pip package.~
• ~Verify sample metadata filled in setup.py and get that approved.~

I would recommend going the CLI way with Kube-Hunter, where users can use the command for example for active hunting with kube-hunter --remote some.domain.com --active That way, we won't need to do a lot of changes and it's quite easier for users to learn and take up. Let me know what you think folks?

Contribution Guidelines

Yes, I read them :heavy_check_mark:

Fixed Issues

185

[vipulgupta2048]

Please add scripts/console_scripts so a user can use kube-hunter command when installing the package

To be clear, do you mean to create a CLI for kube-hunter and store the scripts in scripts/console_scripts or something else?

[iyehuda]

Hi @vipulgupta2048

In addition to making kube-hunter command available when installing it, there are couple more details I would like to add:

• Use setup.cfg as much as possible to reduce code in setup.py
• Use setuptools_scm for versioning
• We might need to change the directory structure by renaming src dir to kube_hunter, and by that, making the code importable by external modules (instead of import src which is bad name by itself)
• I would like to merge this PR so pytest can be run without current runtest.py wrapper. That way, we can integrate tox and trigger tests in a good manner. This one is not a hard prerequisite for for this PR

I wish to make a progress with this issue and implement some of these by myself if necessary.

[vipulgupta2048]

Hi @iYehuda, the changes suggested look splendid. I had a bit of work that I was completing this month. I apologize for not following up sooner than later. Regarding the last bit, should I give you access to the fork if that's fine or how would you like this to play out?

[iyehuda]

Hi @vipulgupta2048 , Sorry for the delay. Yes, granting me push permissions to your fork would help. I do recommend you doing that in general.

[codecov-io]

Codecov Report

Merging #272 into master will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #272   +/-   ##
=======================================
  Coverage   59.85%   59.85%           
=======================================
  Files          39       39           
  Lines        1928     1928           
=======================================
  Hits         1154     1154           
  Misses        774      774

---

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update a4a8c71...30de4ba. Read the comment docs.

[vipulgupta2048]

Hello, @iYehuda Thanks for making the changes. Went through them. I see we are preparing for the transition so that nothing breaks. I also Argparse being used to parse command-line options for the CLI. Correct me if I am wrong here. I had some work and this has been delayed for almost too long. Please let me know if I can do anything to finish this up.

[vipulgupta2048]

Hey @iYehuda, I have updated the PR and uploaded the new package on TestPyPi. The setuptools_scm was giving a bit of trouble on local testing so you might see that version numbers are a mess. But, it won't be a problem with the production/master branch. Reference

Here's the log for installation. I will be testing it on my end as well. Maintainers can give the package a spin by installing the package from this command.

pip install -i https://test.pypi.org/simple/ kube-hunter==0.1.dev613

TestPypi - https://test.pypi.org/project/kube-hunter/0.1.dev613/` Also, I will be happy to other folks on TestPyPi as collaborators if they like to tweak things. Let me know! Thanks,

➜  kube-hunter git:(packing-kube-hunter) ✗ 
pip install -i https://test.pypi.org/simple/ kube-hunter==0.1.dev613
Looking in indexes: https://test.pypi.org/simple/
Collecting kube-hunter==0.1.dev613
  Using cached https://test-files.pythonhosted.org/packages/83/d2/0e7260b934f3587a5d76cffb49e8e28a1f2d85fcf1d2597fe5278925e240/kube_hunter-0.1.dev613-py3-none-any.whl
Requirement already satisfied: future in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (0.18.2)
Requirement already satisfied: requests in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (2.22.0)
Requirement already satisfied: requests-mock in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (1.7.0)
Requirement already satisfied: netaddr in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (0.7.19)
Requirement already satisfied: netifaces in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (0.10.9)
Requirement already satisfied: ruamel.yaml in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (0.16.5)
Requirement already satisfied: PrettyTable in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (0.7.2)
Requirement already satisfied: urllib3<1.25,>=1.24.2 in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (1.24.3)
Requirement already satisfied: scapy>=2.4.3 in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (2.4.3)
Requirement already satisfied: packaging in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from kube-hunter==0.1.dev613) (19.2)
Requirement already satisfied: certifi>=2017.4.17 in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from requests->kube-hunter==0.1.dev613) (2019.9.11)
Requirement already satisfied: idna<2.9,>=2.5 in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from requests->kube-hunter==0.1.dev613) (2.8)
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from requests->kube-hunter==0.1.dev613) (3.0.4)
Requirement already satisfied: six in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from requests-mock->kube-hunter==0.1.dev613) (1.12.0)
Requirement already satisfied: ruamel.yaml.clib>=0.1.2; platform_python_implementation == "CPython" and python_version < "3.8" in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from ruamel.yaml->kube-hunter==0.1.dev613) (0.2.0)
Requirement already satisfied: pyparsing>=2.0.2 in /home/vipulgupta2048/.virtualenvs/kube/lib/python3.6/site-packages (from packaging->kube-hunter==0.1.dev613) (2.4.2)
Installing collected packages: kube-hunter
Successfully installed kube-hunter-0.1.dev613
➜  kube-hunter git:(packing-kube-hunter) ✗ kube-hunter --help
usage: kube-hunter [-h] [--list] [--interface] [--pod] [--quick]
                   [--include-patched-versions] [--cidr CIDR] [--mapping]
                   [--remote HOST [HOST ...]] [--active] [--log LOGLEVEL]
                   [--report REPORT] [--dispatch DISPATCH] [--statistics]

Kube-Hunter - hunts for security weaknesses in Kubernetes clusters

optional arguments:
  -h, --help            show this help message and exit
  --list                displays all tests in kubehunter (add --active flag to
                        see active tests)
  --interface           set hunting of all network interfaces
  --pod                 set hunter as an insider pod
  --quick               Prefer quick scan (subnet 24)
  --include-patched-versions
                        Don't skip patched versions when scanning
  --cidr CIDR           set an ip range to scan, example: 192.168.0.0/16
  --mapping             outputs only a mapping of the cluster's nodes
  --remote HOST [HOST ...]
                        one or more remote ip/dns to hunt
  --active              enables active hunting
  --log LOGLEVEL        set log level, options are: debug, info, warn, none
  --report REPORT       set report type, options are: plain, yaml, json
  --dispatch DISPATCH   where to send the report to, options are: stdout, http
                        (set KUBEHUNTER_HTTP_DISPATCH_URL and
                        KUBEHUNTER_HTTP_DISPATCH_METHOD environment variables
                        to configure)
  --statistics          set hunting statistics

[iyehuda]

I replaced deleted the merge commits and rebased instead

[vipulgupta2048]

LGTM @iYehuda

[iyehuda]

Hi and thanks for this PR. I'm a worried about the renaming of kube-hunter.py to __main__.py. I understand that the latter is more python idiomatic, but it's a disruptive change that we should consider more carefully. Existing integration points use the previous name, notably docker and kubernetes. And there are other integrations outside the scope of this repo that would break. Also, since this is a breaking change we should be clear about the justification for it in an issue (so we can later bump major version). I'm not saying we shouldn't rename, I'm just saying we should split that into another PR so that this PR can be merged quickly.

This change will indeed break the current usage of kube-hunter. We can overcome this by making a symlink from kube-hunter.py to kube_hunter/__main__.py. WDUT? @itaysk As for bump version, as long as wer'e on beta we can still make breaking changes. Once wer'e after 1.x major versions bumping will be made when backwards compatibility is not preserved.

[vipulgupta2048]

Symlinking the file actually is a pretty good way to get around the issue. Good thinking @iYehuda