2020-09-14 13:27:37,963 - xtesting.ci.run_tests - INFO - Deployment description:
+-------------------------+------------------------------------------------------------+
| ENV VAR                 | VALUE                                                      |
+-------------------------+------------------------------------------------------------+
| CI_LOOP                 | daily                                                      |
| DEBUG                   | true                                                       |
| DEPLOY_SCENARIO         | k8-nosdn-nofeature-noha                                    |
| INSTALLER_TYPE          | unknown                                                    |
| BUILD_TAG               | 0HWFAGM3CM8Q                                               |
| NODE_NAME               | lf-virtual1-5                                              |
| TEST_DB_URL             | http://testresults.opnfv.org/test/api/v1/results           |
| TEST_DB_EXT_URL         | http://testresults.opnfv.org/test/api/v1/results           |
| S3_ENDPOINT_URL         | https://storage.googleapis.com                             |
| S3_DST_URL              | s3://artifacts.opnfv.org/functest-                         |
|                         | kubernetes/0HWFAGM3CM8Q/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-security-latest-kube_hunter-           |
|                         | run-141                                                    |
| HTTP_DST_URL            | http://artifacts.opnfv.org/functest-                       |
|                         | kubernetes/0HWFAGM3CM8Q/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-security-latest-kube_hunter-           |
|                         | run-141                                                    |
+-------------------------+------------------------------------------------------------+
2020-09-14 13:27:37,990 - xtesting.ci.run_tests - INFO - Loading test case 'kube_hunter'...
2020-09-14 13:27:38,313 - xtesting.ci.run_tests - INFO - Running test case 'kube_hunter'...
2020-09-14 13:27:38,395 - functest_kubernetes.security.security - INFO - Job kube-hunter created
2020-09-14 13:28:00,968 - functest_kubernetes.security.security - INFO - kube-hunter started in 22.66 sec
2020-09-14 13:28:01,116 - functest_kubernetes.security.security - INFO -
2020-09-14 13:27:46,018 INFO kube_hunter.modules.report.collector Started hunting
2020-09-14 13:27:46,019 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2020-09-14 13:27:46,027 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-fxwmx)
2020-09-14 13:27:46,028 INFO kube_hunter.modules.report.collector Found vulnerability "CAP_NET_RAW Enabled" in Local to Pod (kube-hunter-fxwmx)
2020-09-14 13:27:46,104 INFO kube_hunter.modules.report.collector Found vulnerability "Access to pod's secrets" in Local to Pod (kube-hunter-fxwmx)
2020-09-14 13:27:46,367 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at 10.244.2.1:10250
2020-09-14 13:27:46,417 INFO kube_hunter.modules.report.collector Found open service "API Server" at 10.96.0.1:443
2020-09-14 13:27:46,482 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in 10.96.0.1:443
2020-09-14 13:27:46,502 INFO kube_hunter.modules.report.collector Found vulnerability "Access to API using service account token" in 10.96.0.1:443
{
  "nodes": [
    {"type": "Node/Master", "location": "10.244.2.1"},
    {"type": "Node/Master", "location": "10.96.0.1"}
  ],
  "services": [
    {"service": "Kubelet API", "location": "10.244.2.1:10250"},
    {"service": "API Server", "location": "10.96.0.1:443"}
  ],
  "vulnerabilities": [
    {
      "location": "Local to Pod (kube-hunter-fxwmx)",
      "vid": "KHV050",
      "category": "Access Risk",
      "severity": "low",
      "vulnerability": "Read access to pod's service account token",
      "description": " Accessing the pod service account token gives an attacker the option to use the server API ",
      "evidence": "eyJhbGciOiJSUzI1NiIsImtpZCI6Inc2TGhzNW9ScHZOTXJUVW8yU2JHYW02R0JuQXI1MUVUenFfX1c0Qm5wY0UifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJpbXMtczVndzciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGVmYXVsdC10b2tlbi04aHNndCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDcwY2NlNTQtOThmMS00Y2M4LWE4ZmEtNGM4NjlmN2E0ZmFjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omltcy1zNWd3NzpkZWZhdWx0In0.dmCGGSHHmKkySNNSY7pg6N8wS47lPaGvNTy9ltW_NwgfckRSt0TteV4BfAZ1laiZCXUlt4WSYKtRchHsW9Y0mHfHhDqT2vx9bNIuXTMWitBPmCFB2SOKlbAJoHUs563GNud4i3dUxarbPARnCjMHI6N-fDngio9QX3hbT6BF04MBatAmj4NMjUWypNzkhii-mgXRDyJv-r7n6nJfk84W-hbtF5Zy3SU0FMLQfNTiJiHiP67KMHpbrqlZU9sR-HdtlOtmYFSwDv_qM0tIrWzSAHFnnZfgsCUZ7qzzdQOJR8TJzsRDRSvIjJEWs-JJhsK6XRPWSan1PechISWGdun_pg",
      "hunter": "Access Secrets"
    },
    {
      "location": "Local to Pod (kube-hunter-fxwmx)",
      "vid": "None",
      "category": "Access Risk",
      "severity": "low",
      "vulnerability": "CAP_NET_RAW Enabled",
      "description": "CAP_NET_RAW is enabled by default for pods.\n If an attacker manages to compromise a pod,\n they could potentially take advantage of this capability to perform network\n attacks on other pods running on the same node",
      "evidence": "",
      "hunter": "Pod Capabilities Hunter"
    },
    {
      "location": "Local to Pod (kube-hunter-fxwmx)",
      "vid": "None",
      "category": "Access Risk",
      "severity": "low",
      "vulnerability": "Access to pod's secrets",
      "description": " Accessing the pod's secrets within a compromised pod might disclose valuable data to a potential attacker",
      "evidence": "['/var/run/secrets/kubernetes.io/serviceaccount/namespace', '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt', '/var/run/secrets/kubernetes.io/serviceaccount/token', '/var/run/secrets/kubernetes.io/serviceaccount/..2020_09_14_13_27_39.156562227/namespace', '/var/run/secrets/kubernetes.io/serviceaccount/..2020_09_14_13_27_39.156562227/ca.crt', '/var/run/secrets/kubernetes.io/serviceaccount/..2020_09_14_13_27_39.156562227/token']",
      "hunter": "Access Secrets"
    },
    {
      "location": "10.96.0.1:443",
      "vid": "KHV002",
      "category": "Information Disclosure",
      "severity": "medium",
      "vulnerability": "K8s Version Disclosure",
      "description": "The kubernetes version could be obtained from the /version endpoint ",
      "evidence": "v1.19.0",
      "hunter": "Api Version Hunter"
    },
    {
      "location": "10.96.0.1:443",
      "vid": "KHV005",
      "category": "Information Disclosure",
      "severity": "medium",
      "vulnerability": "Access to API using service account token",
      "description": "The API Server port is accessible.\n Depending on your RBAC settings this could expose access to or control of your cluster.",
      "evidence": "b'{\"kind\":\"APIVersions\",\"versions\":[\"v1\"],\"serverAddressByClientCIDRs\":[{\"clientCIDR\":\"0.0.0.0/0\",\"serverAddress\":\"172.18.0.14:6443\"}]}\\n'",
      "hunter": "API Server Hunter"
    }
  ],
  "hunter_statistics": [
    {"name": "Kubelet Readonly Ports Hunter", "description": "Hunts specific endpoints on open ports in the readonly Kubelet server", "vulnerabilities": 0},
    {"name": "Kubelet Secure Ports Hunter", "description": "Hunts specific endpoints on an open secured Kubelet", "vulnerabilities": 0},
    {"name": "Kubelet Run Hunter", "description": "Executes uname inside of a random container", "vulnerabilities": 0},
    {"name": "Kubelet Container Logs Hunter", "description": "Retrieves logs from a random container", "vulnerabilities": 0},
    {"name": "Kubelet System Logs Hunter", "description": "Retrieves commands from host's system audit", "vulnerabilities": 0},
    {"name": "AKS Hunting", "description": "Hunting Azure cluster deployments using specific known configurations", "vulnerabilities": 0},
    {"name": "Azure SPN Hunter", "description": "Gets the azure subscription file on the host by executing inside a container", "vulnerabilities": 0},
    {"name": "API Server Hunter", "description": "Checks if API server is accessible", "vulnerabilities": 0},
    {"name": "API Server Hunter", "description": "Accessing the API server using the service account token obtained from a compromised pod", "vulnerabilities": 1},
    {"name": "API server hunter", "description": "Accessing the api server might grant an attacker full control over the cluster", "vulnerabilities": 0},
    {"name": "Api Version Hunter", "description": "Tries to obtain the Api Server's version directly from /version endpoint", "vulnerabilities": 2},
    {"name": "Pod Capabilities Hunter", "description": "Checks for default enabled capabilities in a pod", "vulnerabilities": 2},
    {"name": "Arp Spoof Hunter", "description": "Checks for the possibility of running an ARP spoof attack from within a pod (results are based on the running node)", "vulnerabilities": 0},
    {"name": "Certificate Email Hunting", "description": "Checks for email addresses in kubernetes ssl certificates", "vulnerabilities": 0},
    {"name": "K8s CVE Hunter", "description": "Checks if Node is running a Kubernetes version vulnerable to specific important CVEs", "vulnerabilities": 0},
    {"name": "Kubectl CVE Hunter", "description": "Checks if the kubectl client is vulnerable to specific important CVEs", "vulnerabilities": 0},
    {"name": "Dashboard Hunting", "description": "Hunts open Dashboards, gets the type of nodes in the cluster", "vulnerabilities": 0},
    {"name": "DNS Spoof Hunter", "description": "Checks for the possibility for a malicious pod to compromise DNS requests of the cluster (results are based on the running node)", "vulnerabilities": 0},
    {"name": "Etcd Remote Access", "description": "Checks for remote write access to etcd, will attempt to add a new key to the etcd DB", "vulnerabilities": 0},
    {"name": "Etcd Remote Access", "description": "Checks for remote availability of etcd, its version, and read access to the DB", "vulnerabilities": 0},
    {"name": "Mount Hunter - /var/log", "description": "Hunt pods that have write access to host's /var/log. in such case, the pod can traverse read files on the host machine", "vulnerabilities": 0},
    {"name": "Prove /var/log Mount Hunter", "description": "Tries to read /etc/shadow on the host by running commands inside a pod with host mount to /var/log", "vulnerabilities": 0},
    {"name": "Proxy Hunting", "description": "Hunts for a dashboard behind the proxy", "vulnerabilities": 0},
    {"name": "Build Date Hunter", "description": "Hunts when proxy is exposed, extracts the build date of kubernetes", "vulnerabilities": 0},
    {"name": "K8s Version Hunter", "description": "Hunts Proxy when exposed, extracts the version", "vulnerabilities": 0},
    {"name": "Access Secrets", "description": "Accessing the secrets accessible to the pod", "vulnerabilities": 2}
  ],
  "kburl": "https://aquasecurity.github.io/kube-hunter/kb/{vid}"
}
2020-09-14 13:28:01,297 - functest_kubernetes.security.security - WARNING - Skipping Read access to pod's service account token (severity is configured as high)
2020-09-14 13:28:01,298 - functest_kubernetes.security.security - WARNING - Skipping CAP_NET_RAW Enabled (severity is configured as high)
2020-09-14 13:28:01,298 - functest_kubernetes.security.security - WARNING - Skipping Access to pod's secrets (severity is configured as high)
2020-09-14 13:28:01,298 - functest_kubernetes.security.security - WARNING - Skipping K8s Version Disclosure (severity is configured as high)
2020-09-14 13:28:01,299 - functest_kubernetes.security.security - WARNING - Skipping Access to API using service account token (severity is configured as high)
2020-09-14 13:28:01,302 - functest_kubernetes.security.security - WARNING -
+--------------------------------+----------------------------------------------------+------------------+
| CATEGORY                       | VULNERABILITY                                      | SEVERITY         |
+--------------------------------+----------------------------------------------------+------------------+
| Access Risk                    | Read access to pod's service account token         | low              |
| Access Risk                    | CAP_NET_RAW Enabled                                | low              |
| Access Risk                    | Access to pod's secrets                            | low              |
| Information Disclosure         | K8s Version Disclosure                             | medium           |
| Information Disclosure         | Access to API using service account token          | medium           |
+--------------------------------+----------------------------------------------------+------------------+
2020-09-14 13:28:01,316 - functest_kubernetes.security.security - INFO -
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------+-----------------+
| NAME                          | DESCRIPTION                                                                                                                      | VULNERABILITIES |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------+-----------------+
| Kubelet Readonly Ports Hunter | Hunts specific endpoints on open ports in the readonly Kubelet server                                                            | 0               |
| Kubelet Secure Ports Hunter   | Hunts specific endpoints on an open secured Kubelet                                                                              | 0               |
| Kubelet Run Hunter            | Executes uname inside of a random container                                                                                      | 0               |
| Kubelet Container Logs Hunter | Retrieves logs from a random container                                                                                           | 0               |
| Kubelet System Logs Hunter    | Retrieves commands from host's system audit                                                                                      | 0               |
| AKS Hunting                   | Hunting Azure cluster deployments using specific known configurations                                                            | 0               |
| Azure SPN Hunter              | Gets the azure subscription file on the host by executing inside a container                                                     | 0               |
| API Server Hunter             | Checks if API server is accessible                                                                                               | 0               |
| API Server Hunter             | Accessing the API server using the service account token obtained from a compromised pod                                         | 1               |
| API server hunter             | Accessing the api server might grant an attacker full control over the cluster                                                   | 0               |
| Api Version Hunter            | Tries to obtain the Api Server's version directly from /version endpoint                                                         | 2               |
| Pod Capabilities Hunter       | Checks for default enabled capabilities in a pod                                                                                 | 2               |
| Arp Spoof Hunter              | Checks for the possibility of running an ARP spoof attack from within a pod (results are based on the running node)              | 0               |
| Certificate Email Hunting     | Checks for email addresses in kubernetes ssl certificates                                                                        | 0               |
| K8s CVE Hunter                | Checks if Node is running a Kubernetes version vulnerable to specific important CVEs                                             | 0               |
| Kubectl CVE Hunter            | Checks if the kubectl client is vulnerable to specific important CVEs                                                            | 0               |
| Dashboard Hunting             | Hunts open Dashboards, gets the type of nodes in the cluster                                                                     | 0               |
| DNS Spoof Hunter              | Checks for the possibility for a malicious pod to compromise DNS requests of the cluster (results are based on the running node) | 0               |
| Etcd Remote Access            | Checks for remote write access to etcd, will attempt to add a new key to the etcd DB                                             | 0               |
| Etcd Remote Access            | Checks for remote availability of etcd, its version, and read access to the DB                                                   | 0               |
| Mount Hunter - /var/log       | Hunt pods that have write access to host's /var/log. in such case, the pod can traverse read files on the host machine           | 0               |
| Prove /var/log Mount Hunter   | Tries to read /etc/shadow on the host by running commands inside a pod with host mount to /var/log                               | 0               |
| Proxy Hunting                 | Hunts for a dashboard behind the proxy                                                                                           | 0               |
| Build Date Hunter             | Hunts when proxy is exposed, extracts the build date of kubernetes                                                               | 0               |
| K8s Version Hunter            | Hunts Proxy when exposed, extracts the version                                                                                   | 0               |
| Access Secrets                | Accessing the secrets accessible to the pod                                                                                      | 2               |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------+-----------------+
2020-09-14 13:28:01,316 - xtesting.ci.run_tests - INFO - Test result:
+---------------------+------------------+------------------+----------------+
| TEST CASE           | PROJECT          | DURATION         | RESULT         |
+---------------------+------------------+------------------+----------------+
| kube_hunter         | functest         | 00:22            | PASS           |
+---------------------+------------------+------------------+----------------+
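The run above reports five findings and still ends in PASS, because the functest job only fails on findings at or above the severity it is configured for ("severity is configured as high"), and everything kube-hunter found here is low or medium. The script below is an added example, not code from functest-kubernetes or kube-hunter: it reconstructs that severity gate from the log's visible behaviour (the severity ladder and the gate_report() function are my own assumptions, not functest's implementation), and it decodes, without verifying the signature, the service-account JWT that the KHV050 finding printed as evidence, so a reviewer can see which identity the pod leaked. SAMPLE_REPORT is a cut-down copy of the report in the log; SA_TOKEN is the token from that report's evidence field.

```python
"""Triage a kube-hunter JSON report: apply a severity threshold the way the
functest job's "Skipping ... (severity is configured as high)" lines imply,
and decode the leaked service-account token. Added example; the gate and
the severity ladder are assumptions, not functest-kubernetes code."""
import base64
import json

# Assumed severity ladder (kube-hunter labels findings low/medium/high).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Token copied from the KHV050 finding's "evidence" field in the log above.
SA_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6Inc2TGhzNW9ScHZOTXJUVW8yU2JHYW02R0JuQXI1MUVUenFfX1c0Qm5wY0UifQ."
    "eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJpbXMtczVndzciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGVmYXVsdC10b2tlbi04aHNndCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMDcwY2NlNTQtOThmMS00Y2M4LWE4ZmEtNGM4NjlmN2E0ZmFjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omltcy1zNWd3NzpkZWZhdWx0In0."
    "dmCGGSHHmKkySNNSY7pg6N8wS47lPaGvNTy9ltW_NwgfckRSt0TteV4BfAZ1laiZCXUlt4WSYKtRchHsW9Y0mHfHhDqT2vx9bNIuXTMWitBPmCFB2SOKlbAJoHUs563GNud4i3dUxarbPARnCjMHI6N-fDngio9QX3hbT6BF04MBatAmj4NMjUWypNzkhii-mgXRDyJv-r7n6nJfk84W-hbtF5Zy3SU0FMLQfNTiJiHiP67KMHpbrqlZU9sR-HdtlOtmYFSwDv_qM0tIrWzSAHFnnZfgsCUZ7qzzdQOJR8TJzsRDRSvIjJEWs-JJhsK6XRPWSan1PechISWGdun_pg"
)

# Cut-down copy of the report in the log: the five findings with the fields
# the triage below actually uses.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"vid": "KHV050", "severity": "low", "hunter": "Access Secrets",
         "vulnerability": "Read access to pod's service account token", "evidence": SA_TOKEN},
        {"vid": "None", "severity": "low", "hunter": "Pod Capabilities Hunter",
         "vulnerability": "CAP_NET_RAW Enabled", "evidence": ""},
        {"vid": "None", "severity": "low", "hunter": "Access Secrets",
         "vulnerability": "Access to pod's secrets",
         "evidence": "['/var/run/secrets/kubernetes.io/serviceaccount/token']"},
        {"vid": "KHV002", "severity": "medium", "hunter": "Api Version Hunter",
         "vulnerability": "K8s Version Disclosure", "evidence": "v1.19.0"},
        {"vid": "KHV005", "severity": "medium", "hunter": "API Server Hunter",
         "vulnerability": "Access to API using service account token",
         "evidence": "b'{\"kind\":\"APIVersions\",\"versions\":[\"v1\"],\"serverAddressByClientCIDRs\":[{\"clientCIDR\":\"0.0.0.0/0\",\"serverAddress\":\"172.18.0.14:6443\"}]}\\n'"},
    ],
}


def rank(severity):
    """Numeric rank of a severity label; an unknown label ranks above 'high'
    so that a new or misspelled severity can never be silently skipped."""
    return SEVERITY_RANK.get(str(severity).lower(), max(SEVERITY_RANK.values()) + 1)


def gate_report(report, threshold="high"):
    """Split findings into (failing, skipped) around the configured threshold.

    A finding fails the job when its severity is at or above the threshold;
    everything below is logged as skipped. With threshold 'high' the five
    low/medium findings above are all skipped, which is why the job passes."""
    limit = rank(threshold)
    failing, skipped = [], []
    for finding in report.get("vulnerabilities", []):
        (failing if rank(finding.get("severity")) >= limit else skipped).append(finding)
    return failing, skipped


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_sa_token(token):
    """Return (header, payload) of a JWT WITHOUT verifying its signature.

    Verification would need the API server's signing key; for triage the
    only question is which identity was exposed, and the payload says so."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def leaked_identities(report):
    """List (vid, subject) for every finding whose evidence looks like a JWT."""
    found = []
    for finding in report.get("vulnerabilities", []):
        evidence = finding.get("evidence", "")
        if isinstance(evidence, str) and evidence.startswith("eyJ") and evidence.count(".") == 2:
            _, payload = decode_sa_token(evidence)
            found.append((finding.get("vid"), payload.get("sub")))
    return found


if __name__ == "__main__":
    failing, skipped = gate_report(SAMPLE_REPORT, "high")
    for finding in skipped:
        print(f"Skipping {finding['vulnerability']} (severity {finding['severity']} is below high)")
    print("Test result:", "FAIL" if failing else "PASS")
    for vid, subject in leaked_identities(SAMPLE_REPORT):
        print(f"{vid}: leaked token identifies {subject}")
    failing, _ = gate_report(SAMPLE_REPORT, "medium")
    print(f"With the threshold lowered to medium, {len(failing)} findings would fail the job")
```

Two things follow from the decoded payload. The token belongs to the `default` service account of the namespace the job ran in, so whether "low" is the right severity depends entirely on the RBAC bound to that account (the KHV005 description says as much); `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:default` answers that question for the cluster at hand. And the two pod-local findings have direct pod-spec remedies: `automountServiceAccountToken: false` on the pod or service account removes the token from `/var/run/secrets/kubernetes.io/serviceaccount/`, and `securityContext.capabilities.drop: ["NET_RAW"]` on the container removes the capability the "CAP_NET_RAW Enabled" finding refers to.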