2020-09-09 01:23:30,619 - xtesting.ci.run_tests - INFO - Deployment description: +-------------------------+------------------------------------------------------------+ | ENV VAR | VALUE | +-------------------------+------------------------------------------------------------+ | CI_LOOP | daily | | DEBUG | true | | DEPLOY_SCENARIO | k8-nosdn-nofeature-noha | | INSTALLER_TYPE | unknown | | BUILD_TAG | 19YNC1Y3MA4I | | NODE_NAME | lf-virtual1-2 | | TEST_DB_URL | http://testresults.opnfv.org/test/api/v1/results | | TEST_DB_EXT_URL | http://testresults.opnfv.org/test/api/v1/results | | S3_ENDPOINT_URL | https://storage.googleapis.com | | S3_DST_URL | s3://artifacts.opnfv.org/functest- | | | kubernetes/19YNC1Y3MA4I/functest-kubernetes-opnfv- | | | functest-kubernetes-security-iruya-kube_hunter- | | | run-84 | | HTTP_DST_URL | http://artifacts.opnfv.org/functest- | | | kubernetes/19YNC1Y3MA4I/functest-kubernetes-opnfv- | | | functest-kubernetes-security-iruya-kube_hunter- | | | run-84 | +-------------------------+------------------------------------------------------------+ 2020-09-09 01:23:30,630 - xtesting.ci.run_tests - INFO - Loading test case 'kube_hunter'... 2020-09-09 01:23:30,906 - xtesting.ci.run_tests - INFO - Running test case 'kube_hunter'... 2020-09-09 01:23:30,968 - functest_kubernetes.security.security - INFO - Job kube-hunter created 2020-09-09 01:23:48,130 - functest_kubernetes.security.security - INFO - kube-hunter started in 17.22 sec 2020-09-09 01:23:48,147 - functest_kubernetes.security.security - WARNING - 2020-09-09 01:23:34,934 INFO kube_hunter.modules.report.collector Started hunting 2020-09-09 01:23:34,934 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services 2020-09-09 01:23:34,943 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-9vtlp) 2020-09-09 01:23:34,944 INFO kube_hunter.modules.report.collector Found vulnerability "CAP_NET_RAW Enabled" in Local to Pod (kube-hunter-9vtlp) 2020-09-09 01:23:34,950 INFO kube_hunter.modules.report.collector Found vulnerability "Access to pod's secrets" in Local to Pod (kube-hunter-9vtlp) 2020-09-09 01:23:35,311 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at 10.244.1.1:10250 2020-09-09 01:23:35,348 INFO kube_hunter.modules.report.collector Found open service "API Server" at 10.96.0.1:443 2020-09-09 01:23:35,403 INFO kube_hunter.modules.report.collector Found vulnerability "Access to API using service account token" in 10.96.0.1:443 2020-09-09 01:23:35,407 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in 10.96.0.1:443 Nodes +-------------+------------+ | TYPE | LOCATION | +-------------+------------+ | Node/Master | 10.244.1.1 | +-------------+------------+ | Node/Master | 10.96.0.1 | +-------------+------------+ Detected Services +-------------+------------------+----------------------+ | SERVICE | LOCATION | DESCRIPTION | +-------------+------------------+----------------------+ | Kubelet API | 10.244.1.1:10250 | The Kubelet is the | | | | main component in | | | | every Node, all pod | | | | operations goes | | | | through the kubelet | +-------------+------------------+----------------------+ | API Server | 10.96.0.1:443 | The API server is in | | | | charge of all | | | | operations on the | | | | cluster. | +-------------+------------------+----------------------+ Vulnerabilities For further information about a vulnerability, search its ID in: https://github.com/aquasecurity/kube-hunter/tree/master/docs/_kb +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | ID | LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | KHV005 | 10.96.0.1:443 | Information | Access to API using | The API Server port | b'{"kind":"APIVersio | | | | Disclosure | service account | is accessible. | ns","versions":["v1" | | | | | token | Depending on | ... | | | | | | your RBAC settings | | | | | | | this could expose | | | | | | | access to or control | | | | | | | of your cluster. | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | KHV002 | 10.96.0.1:443 | Information | K8s Version | The kubernetes | v1.15.13-beta.0.1+a3 | | | | Disclosure | Disclosure | version could be | 4f1e483104bd | | | | | | obtained from the | | | | | | | /version endpoint | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | None | Local to Pod (kube- | Access Risk | CAP_NET_RAW Enabled | CAP_NET_RAW is | | | | hunter-9vtlp) | | | enabled by default | | | | | | | for pods. | | | | | | | If an attacker | | | | | | | manages to | | | | | | | compromise a pod, | | | | | | | they could | | | | | | | potentially take | | | | | | | advantage of this | | | | | | | capability to | | | | | | | perform network | | | | | | | attacks on other | | | | | | | pods running on the | | | | | | | same node | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | None | Local to Pod (kube- | Access Risk | Access to pod's | Accessing the pod's | ['/var/run/secrets/k | | | hunter-9vtlp) | | secrets | secrets within a | ubernetes.io/service | | | | | | compromised pod | ... | | | | | | might disclose | | | | | | | valuable data to a | | | | | | | potential attacker | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | KHV050 | Local to Pod (kube- | Access Risk | Read access to pod's | Accessing the pod | eyJhbGciOiJSUzI1NiIs | | | hunter-9vtlp) | | service account | service account | ImtpZCI6IiJ9.eyJpc3M | | | | | token | token gives an | ... | | | | | | attacker the option | | | | | | | to use the server | | | | | | | API | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ 2020-09-09 01:23:48,147 - xtesting.ci.run_tests - INFO - Test result: +---------------------+------------------+------------------+----------------+ | TEST CASE | PROJECT | DURATION | RESULT | +---------------------+------------------+------------------+----------------+ | kube_hunter | functest | 00:17 | PASS | +---------------------+------------------+------------------+----------------+