2020-09-09 19:44:17,179 - xtesting.ci.run_tests - INFO - Deployment description:
+-------------------------+----------------------------------------------------------+
| ENV VAR                 | VALUE                                                    |
+-------------------------+----------------------------------------------------------+
| TEST_DB_EXT_URL         | http://testresults.opnfv.org/test/api/v1/results         |
| S3_DST_URL              | s3://artifacts.opnfv.org/functest-                       |
|                         | kubernetes/0DNB79UAQ2GY/functest-kubernetes-pi-          |
|                         | ollivier-functest-kubernetes-security-hunter-            |
|                         | kube_hunter-run-16                                       |
| S3_ENDPOINT_URL         | https://storage.googleapis.com                           |
| DEPLOY_SCENARIO         | k8-nosdn-nofeature-noha                                  |
| BUILD_TAG               | 0DNB79UAQ2GY                                             |
| DEBUG                   | true                                                     |
| INSTALLER_TYPE          | unknown                                                  |
| CI_LOOP                 | daily                                                    |
| TEST_DB_URL             | http://testresults.opnfv.org/test/api/v1/results         |
| HTTP_DST_URL            | http://artifacts.opnfv.org/functest-                     |
|                         | kubernetes/0DNB79UAQ2GY/functest-kubernetes-pi-          |
|                         | ollivier-functest-kubernetes-security-hunter-            |
|                         | kube_hunter-run-16                                       |
| NODE_NAME               | lf-virtual1-1                                            |
+-------------------------+----------------------------------------------------------+
2020-09-09 19:44:17,191 - xtesting.ci.run_tests - INFO - Loading test case 'kube_hunter'...
2020-09-09 19:44:17,388 - xtesting.ci.run_tests - INFO - Running test case 'kube_hunter'...
2020-09-09 19:44:17,449 - functest_kubernetes.security.security - INFO - Job kube-hunter created
2020-09-09 19:44:36,287 - functest_kubernetes.security.security - INFO - kube-hunter started in 18.90 sec
2020-09-09 19:44:36,307 - functest_kubernetes.security.security - WARNING - 2020-09-09 19:44:22,480 INFO kube_hunter.modules.report.collector Started hunting
2020-09-09 19:44:22,480 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2020-09-09 19:44:22,491 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-ppxvg)
2020-09-09 19:44:22,491 INFO kube_hunter.modules.report.collector Found vulnerability "CAP_NET_RAW Enabled" in Local to Pod (kube-hunter-ppxvg)
2020-09-09 19:44:22,501 INFO kube_hunter.modules.report.collector Found vulnerability "Access to pod's secrets" in Local to Pod (kube-hunter-ppxvg)
2020-09-09 19:44:22,918 INFO kube_hunter.modules.report.collector Found open service "API Server" at 10.96.0.1:443
2020-09-09 19:44:22,998 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in 10.96.0.1:443
2020-09-09 19:44:23,004 INFO kube_hunter.modules.report.collector Found vulnerability "Access to API using service account token" in 10.96.0.1:443
2020-09-09 19:44:23,012 INFO kube_hunter.modules.report.collector Found vulnerability "Unauthenticated access to API" in 10.96.0.1:443
2020-09-09 19:44:23,028 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at 10.244.1.1:10250

Nodes
+-------------+------------+
| TYPE        | LOCATION   |
+-------------+------------+
| Node/Master | 10.244.1.1 |
+-------------+------------+
| Node/Master | 10.96.0.1  |
+-------------+------------+

Detected Services
+-------------+------------------+----------------------+
| SERVICE     | LOCATION         | DESCRIPTION          |
+-------------+------------------+----------------------+
| Kubelet API | 10.244.1.1:10250 | The Kubelet is the   |
|             |                  | main component in    |
|             |                  | every Node, all pod  |
|             |                  | operations goes      |
|             |                  | through the kubelet  |
+-------------+------------------+----------------------+
| API Server  | 10.96.0.1:443    | The API server is in |
|             |                  | charge of all        |
|             |                  | operations on the    |
|             |                  | cluster.             |
+-------------+------------------+----------------------+

Vulnerabilities
For further information about a vulnerability, search its ID in: https://github.com/aquasecurity/kube-hunter/tree/master/docs/_kb
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID     | LOCATION             | CATEGORY             | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV005 | 10.96.0.1:443        | Unauthenticated      | Unauthenticated      | The API Server port  | b'{"kind":"APIVersio |
|        |                      | Access               | access to API        | is accessible.       | ns","versions":["v1" |
|        |                      |                      |                      | Depending on         | ...                  |
|        |                      |                      |                      | your RBAC settings   |                      |
|        |                      |                      |                      | this could expose    |                      |
|        |                      |                      |                      | access to or control |                      |
|        |                      |                      |                      | of your cluster.     |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV005 | 10.96.0.1:443        | Information          | Access to API using  | The API Server port  | b'{"kind":"APIVersio |
|        |                      | Disclosure           | service account      | is accessible.       | ns","versions":["v1" |
|        |                      |                      | token                | Depending on         | ...                  |
|        |                      |                      |                      | your RBAC settings   |                      |
|        |                      |                      |                      | this could expose    |                      |
|        |                      |                      |                      | access to or control |                      |
|        |                      |                      |                      | of your cluster.     |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV002 | 10.96.0.1:443        | Information          | K8s Version          | The kubernetes       | v1.13.12             |
|        |                      | Disclosure           | Disclosure           | version could be     |                      |
|        |                      |                      |                      | obtained from the    |                      |
|        |                      |                      |                      | /version endpoint    |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-  | Access Risk          | CAP_NET_RAW Enabled  | CAP_NET_RAW is       |                      |
|        | hunter-ppxvg)        |                      |                      | enabled by default   |                      |
|        |                      |                      |                      | for pods.            |                      |
|        |                      |                      |                      | If an attacker       |                      |
|        |                      |                      |                      | manages to           |                      |
|        |                      |                      |                      | compromise a pod,    |                      |
|        |                      |                      |                      | they could           |                      |
|        |                      |                      |                      | potentially take     |                      |
|        |                      |                      |                      | advantage of this    |                      |
|        |                      |                      |                      | capability to        |                      |
|        |                      |                      |                      | perform network      |                      |
|        |                      |                      |                      | attacks on other     |                      |
|        |                      |                      |                      | pods running on the  |                      |
|        |                      |                      |                      | same node            |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-  | Access Risk          | Access to pod's      | Accessing the pod's  | ['/var/run/secrets/k |
|        | hunter-ppxvg)        |                      | secrets              | secrets within a     | ubernetes.io/service |
|        |                      |                      |                      | compromised pod      | ...                  |
|        |                      |                      |                      | might disclose       |                      |
|        |                      |                      |                      | valuable data to a   |                      |
|        |                      |                      |                      | potential attacker   |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV050 | Local to Pod (kube-  | Access Risk          | Read access to pod's | Accessing the pod    | eyJhbGciOiJSUzI1NiIs |
|        | hunter-ppxvg)        |                      | service account      | service account      | ImtpZCI6IiJ9.eyJpc3M |
|        |                      |                      | token                | token gives an       | ...                  |
|        |                      |                      |                      | attacker the option  |                      |
|        |                      |                      |                      | to use the server    |                      |
|        |                      |                      |                      | API                  |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+

2020-09-09 19:44:36,308 - xtesting.ci.run_tests - INFO - Test result:
+---------------------+------------------+------------------+----------------+
| TEST CASE           | PROJECT          | DURATION         | RESULT         |
+---------------------+------------------+------------------+----------------+
| kube_hunter         | functest         | 00:18            | PASS           |
+---------------------+------------------+------------------+----------------+
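The result table reports PASS even though kube-hunter found six items, so the findings table above, not the verdict, is what to read. Two of the three items found "Local to Pod" (the readable service-account token under /var/run/secrets/kubernetes.io/serviceaccount and CAP_NET_RAW in the pod's effective capability set) and both API-server items (KHV002 version disclosure via /version, KHV005 anonymous discovery via /api) can be re-checked from inside any pod with a few lines of Python. The script below is an added example, not kube-hunter's or functest's code; function and constant names are its own. It parses the same signals kube-hunter reports, and it goes one step beyond the log by submitting a SelfSubjectRulesReview with the mounted token, which answers the question the KHV050 description leaves open: what the token is actually allowed to do. The live part assumes the standard in-cluster environment variables (KUBERNETES_SERVICE_HOST, KUBERNETES_SERVICE_PORT_HTTPS) and the mounted service-account directory; the sample /proc/self/status text, JWT and API responses are constructed here so the parsing runs offline. The JWT header it builds ({"alg":"RS256","kid":""}) base64url-encodes to exactly the prefix shown in the KHV050 evidence column.

```python
# Added example (not kube-hunter or functest code): re-check, from inside a
# pod, the findings kube-hunter reported above, then ask the API server what
# the mounted token may do. Names here are the example's own; sample inputs
# are constructed, not taken from the log.
import base64
import json
import os
import ssl
import urllib.error
import urllib.request

CAP_NET_RAW = 13  # bit index of CAP_NET_RAW in linux/capability.h
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # path from the log's evidence


def effective_caps(status_text: str) -> int:
    """Return the CapEff bitmask parsed from the text of /proc/self/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(status_text: str, cap: int) -> bool:
    """True when capability bit `cap` is in the effective set (kube-hunter's
    'CAP_NET_RAW Enabled' check is has_cap(..., CAP_NET_RAW))."""
    return bool((effective_caps(status_text) >> cap) & 1)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_parts(token: str) -> tuple:
    """Decode header and claims of a JWT WITHOUT verifying the signature.
    Fine for recon (the API server is the verifier), never for authentication."""
    header, claims, _signature = token.strip().split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(claims))


def api_version(body: bytes) -> str:
    """gitVersion from GET /version, the value KHV002 reports (v1.13.12 above)."""
    return json.loads(body)["gitVersion"]


def api_is_open(status: int, body: bytes) -> bool:
    """KHV005 logic: an unauthenticated GET /api answering 200 with an
    APIVersions object means anonymous discovery is allowed."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("kind") == "APIVersions"
    except ValueError:
        return False


def can(review: dict, verb: str, resource: str, group: str = "") -> bool:
    """Evaluate a SelfSubjectRulesReview response: may the caller perform
    `verb` on `resource` in API `group`? Honours RBAC's '*' wildcards."""
    for rule in review.get("status", {}).get("resourceRules", []):
        if ("*" in rule["verbs"] or verb in rule["verbs"]) \
                and ("*" in rule["apiGroups"] or group in rule["apiGroups"]) \
                and ("*" in rule["resources"] or resource in rule["resources"]):
            return True
    return False


# Constructed sample inputs for offline runs. 0xa80425fb is the default
# container capability set; 0xa80405fb is the same set with NET_RAW dropped.
SAMPLE_STATUS_DEFAULT = "Name:\tsleep\nCapInh:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
SAMPLE_STATUS_DROPPED = "Name:\tsleep\nCapEff:\t00000000a80405fb\n"


def sample_token() -> str:
    """Build a legacy-style service-account JWT with a dummy signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = {"alg": "RS256", "kid": ""}
    claims = {"iss": "kubernetes/serviceaccount",
              "kubernetes.io/serviceaccount/namespace": "default",
              "kubernetes.io/serviceaccount/service-account.name": "default",
              "sub": "system:serviceaccount:default:default"}
    return f"{enc(header)}.{enc(claims)}.c2ln"


def live_check() -> dict:
    """Run the checks for real inside a pod (needs the in-cluster env vars)."""
    host = os.environ["KUBERNETES_SERVICE_HOST"]
    port = os.environ.get("KUBERNETES_SERVICE_PORT_HTTPS", "443")
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    with open(f"{SA_DIR}/token") as fh:
        token = fh.read().strip()
    with open(f"{SA_DIR}/namespace") as fh:
        namespace = fh.read().strip()
    with open("/proc/self/status") as fh:
        status_text = fh.read()

    def call(path, data=None, auth=False):
        req = urllib.request.Request(f"https://{host}:{port}{path}", data=data,
                                     headers={"Content-Type": "application/json"})
        if auth:
            req.add_header("Authorization", f"Bearer {token}")
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    review_req = json.dumps({"apiVersion": "authorization.k8s.io/v1",
                             "kind": "SelfSubjectRulesReview",
                             "spec": {"namespace": namespace}}).encode()
    code, body = call("/apis/authorization.k8s.io/v1/selfsubjectrulesreviews",
                      review_req, auth=True)
    review = json.loads(body) if code == 201 else {}
    return {
        "CAP_NET_RAW Enabled": has_cap(status_text, CAP_NET_RAW),
        "Read access to pod's service account token": bool(token),
        "K8s Version Disclosure": api_version(call("/version")[1]),
        "Unauthenticated access to API": api_is_open(*call("/api")),
        "token can list secrets in its namespace": can(review, "list", "secrets"),
    }


if __name__ == "__main__":
    if "KUBERNETES_SERVICE_HOST" in os.environ:
        print(json.dumps(live_check(), indent=2))
    else:
        print("CAP_NET_RAW (default caps):", has_cap(SAMPLE_STATUS_DEFAULT, CAP_NET_RAW))
        print("token claims:", jwt_parts(sample_token())[1])
```

The live run needs nothing but a pod with network access to the API server; the two "Local to Pod" findings and the /version check require no RBAC at all, which is why kube-hunter reports them from an unprivileged pod. The SelfSubjectRulesReview result is the part worth reading: a default service account in a fresh cluster can usually only create self-subject reviews and hit discovery URLs, and in that case KHV050 is a hygiene issue rather than a foothold; if `can(review, "list", "secrets")` comes back True, it is a foothold. The fixes for the pod-local items are pod-spec settings, `automountServiceAccountToken: false` for workloads that never call the API and `securityContext.capabilities.drop: ["NET_RAW"]` for the capability; kube-hunter's KB entry KHV050 linked above covers the token case.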