aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters

Apache License 2.0

4.72k stars 581 forks source link

Support ignoring IPs #297

Closed dustin-decker closed 4 years ago

dustin-decker commented 4 years ago

Signed-off-by: Dustin Decker dustin.decker@getcruise.com

Closes #296

Description

Added support for ignoring IPs that are enumerated from a CIDR range with a --ignore flag.

Contribution Guidelines

Please Read through the Contribution Guidelines.

Fixed Issues

Fixes #296

"BEFORE" and "AFTER" output

To verify that the change works as desired, please include an output of terminal before and after the changes under headings "BEFORE" and "AFTER".

BEFORE

Any Terminal Output Before Changes.

AFTER

python3 kube-hunter.py --cidr 10.20.111.105/32 --ignore 10.20.111.105
Kube Hunter couldn't find any clusters

Contribution checklist

[x] I have read the Contributing Guidelines.
[x] The commits refer to an active issue in the repository.
[] I have added automated testing to cover this case.

Notes

I did not add any tests for this feature.

codecov-io commented 4 years ago

Codecov Report

Merging #297 into master will increase coverage by 0.01%. The diff coverage is 75%.

@@            Coverage Diff             @@
##           master     #297      +/-   ##
==========================================
+ Coverage   59.85%   59.86%   +0.01%     
==========================================
  Files          39       39              
  Lines        1928     1931       +3     
==========================================
+ Hits         1154     1156       +2     
- Misses        774      775       +1

Impacted Files	Coverage Δ
kube_hunter/conf/__init__.py	`100% <100%> (ø)`	:arrow_up:
kube_hunter/modules/discovery/hosts.py	`70.22% <50%> (-0.32%)`	:arrow_down:

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update a4a8c71...482bbe6. Read the comment docs.

iyehuda commented 4 years ago

Hi @dustin-decker !

First, Thanks for your contribution!

I understand the use case of here and I find it beneficial, although I have some implementation comments/suggestions:

Use set operations to pre-define a target IP set instead of checking for excluded IP for each address
Argument parsing should be placed in conf package (#289 )
By supplying multiple CIDR parameters we can scan multiple subnets, e.g, --cidr 10.0.10.0/24,10.0.20.0/24
I think it would be better to have CIDR target as a single parameter, e.g., --cidr 10.0.0.0/16,!10.0.10.0/24 to exclude 10.0.10.0/24.
We can use glob as being supported by netaddr package, e.g, --cidr 10.0.0.0,!10.0.*.0 to exclude addresses that end with .0

iyehuda commented 4 years ago

Hi @dustin-decker !

Got any comments/progress \w this? I can assist if you wish.

iyehuda commented 4 years ago

Closing in favor of #332