aquasecurity / kube-hunter

Hunt for security weaknesses in Kubernetes clusters
Apache License 2.0
4.65k stars 578 forks

False Positive in KHV036 #548

Open x64-latacora opened 5 months ago

x64-latacora commented 5 months ago

When the cluster returns 403 responses for unauthenticated requests, KHV036 shouldn't be triggered.

https://github.com/aquasecurity/kube-hunter/blob/7479aae9baed4bb137b4f8c80577ba978280ec60/kube_hunter/modules/discovery/kubelet.py#L63

KiranBodipi commented 5 months ago

kube-hunter is producing an incorrect result for KHV036 even though `authentication: anonymous: enabled` is set to false in the Kubelet configuration file. Please find the screenshots below for your reference.

[Screenshot from 2024-01-25 18-08-50]
[Screenshot from 2024-01-25 18-06-01]

Expected Result: If `authentication: anonymous: enabled` is set to false in the Kubelet configuration file, the check should not fail.

Actual Result: The check fails.
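Both comments turn on what an unauthenticated probe of the kubelet's secure port actually proves. Per the kubelet's documented behaviour, a 401 means no authentication method accepted the request (anonymous auth is off), a 403 means the request was authenticated (for a caller with no credentials, as `system:anonymous`) but the authorizer denied it, and only a 200 shows that an anonymous caller can read `/pods`. The following is an added example, not kube-hunter's own code and not the logic at the linked line of `kubelet.py`: it probes `/pods` without credentials, maps the status to a verdict, and treats only a 200 as the anonymous-access finding, reporting a 403 separately so the reader can see the two cases side by side. The fake kubelet, its modes, the function names and the response bodies are all constructed for the example; a real kubelet serves HTTPS on 10250 with a self-signed certificate, which the probe allows for by disabling verification when the URL is `https`.

```python
"""Added example (not kube-hunter code): classify what an unauthenticated
GET /pods against a kubelet tells you about anonymous authentication.

The FakeKubelet below is constructed for this example. It mimics only the HTTP
status a kubelet returns for an anonymous GET /pods under three settings:
  anonymous-disabled       -> 401 (authentication.anonymous.enabled: false)
  anonymous-webhook-denied -> 403 (anonymous on, authorization.mode: Webhook denies)
  anonymous-always-allow   -> 200 (anonymous on, authorization.mode: AlwaysAllow)
"""
import json
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Meaning of the status for a request that carried no credentials.
VERDICTS = {
    200: "anonymous-read-allowed",            # anonymous caller got pod data
    401: "anonymous-auth-disabled",           # request never authenticated
    403: "anonymous-auth-enabled-but-denied", # authenticated as system:anonymous, authorizer said no
}


def classify_kubelet_status(status: int) -> str:
    """Map an HTTP status from an unauthenticated GET /pods to a verdict."""
    return VERDICTS.get(status, "inconclusive")


def anonymous_auth_finding(status: int) -> bool:
    """Raise the finding only when anonymous access actually returns data."""
    return status == 200


def probe_kubelet_pods(base_url: str, timeout: float = 3.0) -> int:
    """GET {base_url}/pods with no Authorization header; return the HTTP status."""
    req = urllib.request.Request(f"{base_url}/pods", headers={"Accept": "application/json"})
    # Kubelet serving certs are normally self-signed, so a probe skips verification.
    context = ssl._create_unverified_context() if base_url.startswith("https") else None
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=context) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


class FakeKubeletHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a kubelet; only /pods is served."""

    def do_GET(self):
        if self.path != "/pods":
            self.send_error(404)
            return
        if self.headers.get("Authorization"):
            self._reply(200, {"kind": "PodList", "items": []})
        elif self.server.mode == "anonymous-disabled":
            self._reply(401, {"message": "Unauthorized"})
        elif self.server.mode == "anonymous-webhook-denied":
            self._reply(403, {"message": "Forbidden (user=system:anonymous)"})
        else:  # anonymous-always-allow
            self._reply(200, {"kind": "PodList", "items": []})

    def _reply(self, code: int, body: dict) -> None:
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


class FakeKubelet(ThreadingHTTPServer):
    def __init__(self, mode: str):
        super().__init__(("127.0.0.1", 0), FakeKubeletHandler)
        self.mode = mode


def probe_fake_kubelet(mode: str) -> tuple:
    """Start a fake kubelet in the given mode, probe it, return (status, verdict)."""
    server = FakeKubelet(mode)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status = probe_kubelet_pods(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()
    return status, classify_kubelet_status(status)


if __name__ == "__main__":
    for mode in ("anonymous-disabled", "anonymous-webhook-denied", "anonymous-always-allow"):
        status, verdict = probe_fake_kubelet(mode)
        print(f"{mode:26} -> {status} {verdict:34} finding={anonymous_auth_finding(status)}")
```

Against a real cluster the same `probe_kubelet_pods("https://<node-ip>:10250")` call applies; the point of the split between `classify_kubelet_status` and `anonymous_auth_finding` is that a 403 is recorded as evidence about the kubelet's configuration without being counted as an exposed-data finding, which is the distinction the issue asks the check to make.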