aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0

Add discovery hunter for AWS metadata #447

Closed mccormickt closed 3 years ago

mccormickt commented 3 years ago

Description

Adds a discovery hunter to identify access to the AWS metadata service. Has checks for both version 1 and 2 (session based) of the service.

Fixed Issues

Partially fixes #45 by providing a hunter that identifies access to the AWS instance metadata service versions 1 & 2.

"BEFORE" and "AFTER" output

BEFORE

$ kubectl apply -f job.yaml
$ kubectl logs job/kube-hunter | grep -v INFO | jq -r '.vulnerabilities | .[] | .vulnerability,.vid'
Read access to pod's service account token
KHV050
Access to pod's secrets
None
CAP_NET_RAW Enabled
None
Access to API using service account token
KHV005
K8s Version Disclosure
KHV002

AFTER

$ kubectl apply -f job.yaml
$ kubectl logs job/kube-hunter | grep -v INFO | jq -r '.vulnerabilities | .[] | select(.vid=="KHV053")'
{
  "location": "Local to Pod (kube-hunter-9qfnr)",
  "vid": "KHV053",
  "category": "Information Disclosure",
  "severity": "medium",
  "vulnerability": "AWS Metadata Exposure",
  "description": "Access to the AWS Metadata API exposes information about the machines associated with the cluster",
  "evidence": "cidr: 192.168.0.0/19",
  "avd_reference": "https://avd.aquasec.com/kube-hunter/khv053/",
  "hunter": "Host Discovery when running as pod"
}
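
The check the hunter in this PR performs, written out as an added example that is not kube-hunter's own code: from inside a pod it probes the link-local IMDS address, asks for an IMDSv2 session token first and falls back to a plain IMDSv1 request, then reports which version answered and the top-level keys it could list. The endpoint paths and headers are the AWS-documented ones; `fake_imds`, the listing it returns and the token string are constructed so the logic can be exercised offline.

```python
"""Added example, not kube-hunter's own code: detect whether this pod can reach the
AWS instance metadata service (IMDS) and whether it answers as IMDSv2 or IMDSv1."""
import http.client
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IMDS_HOST = "169.254.169.254"          # link-local IMDS address (AWS-documented)
TOKEN_PATH = "/latest/api/token"       # IMDSv2 session-token endpoint
METADATA_PATH = "/latest/meta-data/"   # top-level metadata listing
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# A requester returns (status, body); status is None when the host is unreachable.
Requester = Callable[[str, str, Dict[str, str]], Tuple[Optional[int], str]]


@dataclass
class ImdsFinding:
    version: Optional[str]   # "v2", "v1", or None when no metadata could be read
    evidence: str            # short text suitable for a report


def http_request(method: str, path: str, headers: Dict[str, str]) -> Tuple[Optional[int], str]:
    """Minimal HTTP requester with a short timeout (IMDS is on-host, so 2s is plenty)."""
    conn = http.client.HTTPConnection(IMDS_HOST, 80, timeout=2)
    try:
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", errors="replace")
    except OSError:
        return None, ""
    finally:
        conn.close()


def summarize(listing: str, limit: int = 5) -> str:
    """Keep only the first few key names of a metadata directory listing."""
    keys = [line.strip() for line in listing.splitlines() if line.strip()]
    return ", ".join(keys[:limit]) + (" ..." if len(keys) > limit else "")


def check_imds(request: Requester = http_request) -> ImdsFinding:
    """Try IMDSv2 (PUT for a token, GET with it), then fall back to IMDSv1.

    Only the top-level listing is read: the goal is to detect exposure, not to
    pull anything sensitive out of the service.
    """
    status, token = request("PUT", TOKEN_PATH, {TOKEN_TTL_HEADER: "60"})
    if status == 200 and token:
        status, body = request("GET", METADATA_PATH, {TOKEN_HEADER: token.strip()})
        if status == 200:
            return ImdsFinding("v2", "IMDSv2 reachable; keys: " + summarize(body))
    status, body = request("GET", METADATA_PATH, {})
    if status == 200:
        return ImdsFinding("v1", "IMDSv1 reachable without a token; keys: " + summarize(body))
    if status is None:
        return ImdsFinding(None, "metadata service not reachable from this pod")
    return ImdsFinding(None, f"metadata service answered {status} but nothing was readable")


def fake_imds(v1_enabled: bool, v2_enabled: bool) -> Requester:
    """Constructed stand-in for the real service so check_imds can run offline."""
    listing = "ami-id\nhostname\ninstance-id\nnetwork/\nplacement/\nsecurity-groups\n"
    token = "constructed-session-token"

    def request(method: str, path: str, headers: Dict[str, str]) -> Tuple[Optional[int], str]:
        if method == "PUT" and path == TOKEN_PATH and v2_enabled and TOKEN_TTL_HEADER in headers:
            return 200, token
        if method == "GET" and path == METADATA_PATH:
            if v2_enabled and headers.get(TOKEN_HEADER) == token:
                return 200, listing
            if v1_enabled and TOKEN_HEADER not in headers:
                return 200, listing
            return 401, ""
        return 404, ""

    return request


if __name__ == "__main__":
    finding = check_imds()
    print(finding.version, finding.evidence)
```

Run it inside a pod; a result of `v1` or `v2` means the pod network can reach the node's metadata endpoint. The usual fixes are to require IMDSv2 on the nodes with a PUT-response hop limit of 1, so token requests from a pod's extra network hop are dropped, or to block 169.254.169.254 from workloads with a NetworkPolicy.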

codecov[bot] commented 3 years ago

Codecov Report

Merging #447 (7bf6d5e) into main (1a26653) will decrease coverage by 0.75%. The diff coverage is 39.13%.


@@            Coverage Diff             @@
##             main     #447      +/-   ##
==========================================
- Coverage   63.67%   62.92%   -0.76%     
==========================================
  Files          42       42              
  Lines        2296     2341      +45     
==========================================
+ Hits         1462     1473      +11     
- Misses        834      868      +34     
Impacted Files                            Coverage Δ
kube_hunter/modules/discovery/hosts.py    55.95% <36.36%> (-7.25%) ↓
kube_hunter/core/types.py                 82.97% <100.00%> (+0.75%) ↑
kube_hunter/modules/hunting/apiserver.py  70.41% <0.00%> (-1.93%) ↓


mccormickt commented 3 years ago

Updated the discovery functions and the README to reflect the --quick option for AWS metadata as well.