aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0

Pod mode cannot find subnets in AWS EKS #452

Closed dbernues closed 3 years ago

dbernues commented 3 years ago

What happened

I tried to run kube-hunter in pod mode using the job in kube-hunter/job.yaml but the end result is always that "Kube Hunter couldn't find any clusters" and the only vulnerabilities it can find are those local to the pod where kube-hunter is running.

I thought at first this had to do with pod permissions, but after running kube-hunter with --log debug I saw an error having to do with how subnets are discovered. This is the error:

2021-05-04 14:25:04,064 DEBUG kube_hunter.modules.discovery.hosts From pod discovered subnet 172.35.0.0/22
2021-05-04 14:25:04,065 DEBUG kube_hunter.core.events.handler Event <class 'kube_hunter.modules.discovery.hosts.AWSMetadataApi'> got published with <kube_hunter.modules.discovery.hosts.AWSMetadataApi object at 0x7fb45e13bfd0>
2021-05-04 14:25:04,065 DEBUG kube_hunter.core.events.handler not enough values to unpack (expected 2, got 1)
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/kube_hunter/core/events/handler.py", line 137, in worker
    hook.execute()
  File "/usr/local/lib/python3.8/site-packages/kube_hunter/modules/discovery/hosts.py", line 135, in execute
    for ip, mask in subnets:
ValueError: not enough values to unpack (expected 2, got 1)

172.35.0.0/22 is where I have one of two worker nodes attached to my EKS cluster; the other is in a different subnet (172.35.8.0/22). If I run kube-hunter as a container in either worker node, there is no problem with finding the other.

Expected behavior

Kube-hunter should be able to reach and find the vulnerabilities of the pod it is running on as well as the others that are in the cluster.
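The traceback above comes from a scan loop that unpacks every discovered subnet as an (ip, mask) pair and dies on the first entry that has only one value, which also stops the remaining subnets from being scanned. The following is an added example, not kube-hunter's own code: a normalizer that accepts the (ip, mask) pair, a bare "ip/mask" string, or a one-element list holding such a string, and logs and skips anything else instead of raising; the entries in DISCOVERED_SUBNETS are constructed sample data.

```python
import ipaddress
import logging

logger = logging.getLogger(__name__)

# Constructed sample: the shapes a subnet-discovery step might hand back.
# The 1-element entry reproduces the "expected 2, got 1" unpack error from
# the traceback; the first one is the (ip, mask) pair the scan loop expects.
DISCOVERED_SUBNETS = [
    ("172.35.0.0", "22"),          # (ip, mask) tuple, the expected shape
    ["172.35.8.0/22"],             # single CIDR string wrapped in a list
    "10.0.0.0/24",                 # bare CIDR string
    ("not-an-ip", "22"),           # malformed, must be skipped, not fatal
]


def normalize_subnet(entry):
    """Return an ipaddress network for one discovered entry, or None.

    Accepts an (ip, mask) pair, a bare "ip/mask" string, or a one-element
    list/tuple holding such a string. Anything else is reported and dropped.
    """
    if isinstance(entry, (list, tuple)):
        if len(entry) == 2:
            cidr = f"{entry[0]}/{entry[1]}"
        elif len(entry) == 1:
            cidr = str(entry[0])
        else:
            logger.warning("skipping subnet entry with %d fields: %r", len(entry), entry)
            return None
    else:
        cidr = str(entry)
    try:
        return ipaddress.ip_network(cidr, strict=False)
    except ValueError as err:
        logger.warning("skipping unparsable subnet %r: %s", entry, err)
        return None


def subnets_to_scan(entries):
    """Normalize every entry; a bad one is skipped so the rest still get scanned."""
    return [net for net in (normalize_subnet(e) for e in entries) if net is not None]


if __name__ == "__main__":
    for net in subnets_to_scan(DISCOVERED_SUBNETS):
        print(net, "->", net.num_addresses, "addresses")
```

Run on the constructed list it yields three networks and one warning, rather than a worker crash after the first subnet.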

danielsagi commented 3 years ago

Thanks for noticing! That's a bug in our new feature for AWS scanning in release v5.0.0

Currently you can run with tag v0.4.1. We will release a new release to fix this later this week 👍👍

dbernues commented 3 years ago

@danielsagi Thanks for the latest release! Will you also be updating the image on Docker?

danielsagi commented 3 years ago

We have GitHub Actions that should automatically publish everything. I'll take a look at why the release is not there.

danielsagi commented 3 years ago

@dbernues The new release v0.5.2 is on dockerhub :)