aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0

Kubernetes Job yml manifest changes #366

Closed ssathyaji closed 3 years ago

ssathyaji commented 3 years ago

What happened

When we deploy job.yml to a Kubernetes cluster, we get a "kube-hunter.py file not found" error. The job.yml file needs to be changed.

Expected behavior

Please use the following yml file for the Kubernetes cluster.

apiVersion: batch/v1
kind: Job
metadata:
  name: kube-hunter
spec:
  template:
    spec:
      containers:
      - name: kube-hunter
        image: aquasec/kube-hunter
        command: ["kube-hunter"]
        args: ["--pod"]
      restartPolicy: Never
  backoffLimit: 4

brathina-spectro commented 3 years ago

I ran into this too with Pod deployment.

Job manifest Used

apiVersion: batch/v1
kind: Job
metadata:
  name: kube-hunter
spec:
  template:
    spec:
      containers:
      - name: kube-hunter
        image: aquasec/kube-hunter 
        command: ["python", "kube-hunter.py"]
        args: ["--pod"]
      restartPolicy: Never
  backoffLimit: 4

Error seen with pods scheduled

$ kubectl logs kube-hunter-2m5xb
python: can't open file 'kube-hunter.py': [Errno 2] No such file or directory

ramakuka commented 3 years ago

It's probably a dirty hack, but it worked as a simple workaround until the bug gets fixed: I replaced kube-hunter.py in the command with /usr/local/bin/kube-hunter, and it fixed the problem.

So the Job manifest:

apiVersion: batch/v1
kind: Job
metadata:
  name: kube-hunter
spec:
  template:
    spec:
      containers:
      - name: kube-hunter
        image: aquasec/kube-hunter 
        command: ["python", "/usr/local/bin/kube-hunter"]
        args: ["--pod"]
      restartPolicy: Never
  backoffLimit: 4

magnologan commented 3 years ago

Had the same issue here and @ramakuka's new Job manifest suggestion worked fine here! You can probably submit this as the fix. Cheers!

ssathyaji commented 3 years ago

Considering the Dockerfile, we have to use it as I added in the job.yml file. Thanks, Magno, for checking this.


lizrice commented 3 years ago

Should be fixed by #367

brathina-spectro commented 3 years ago

@lizrice @danielsagi The documented job.yaml stopped working only recently. I understand #367 will work, but is that the right fix?

itaysk commented 3 years ago

@brathina-spectro Can you please provide more info? What version of KH, how do you run it, and what is the error you are getting? Thanks.

ssathyaji commented 3 years ago

@brathina-spectro Yes, this is the correct fix. I was able to work with this fix without an issue. Please provide more info.

Sanka Sathyaji
