2020-10-27 12:08:08,074 - xtesting.ci.run_tests - INFO - Deployment description:
+-------------------------+------------------------------------------------------------+
|         ENV VAR         |                           VALUE                            |
+-------------------------+------------------------------------------------------------+
| CI_LOOP                 | daily                                                      |
| DEBUG                   | true                                                       |
| DEPLOY_SCENARIO         | k8-nosdn-nofeature-noha                                    |
| INSTALLER_TYPE          | unknown                                                    |
| BUILD_TAG               | 1KGG4YISVV5T                                               |
| NODE_NAME               | lf-virtual1-4                                              |
| TEST_DB_URL             | http://testresults.opnfv.org/test/api/v1/results           |
| TEST_DB_EXT_URL         | http://testresults.opnfv.org/test/api/v1/results           |
| S3_ENDPOINT_URL         | https://storage.googleapis.com                             |
| S3_DST_URL              | s3://artifacts.opnfv.org/functest-                         |
|                         | kubernetes/1KGG4YISVV5T/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-security-kali-kube_hunter-             |
|                         | run-142                                                    |
| HTTP_DST_URL            | http://artifacts.opnfv.org/functest-                       |
|                         | kubernetes/1KGG4YISVV5T/functest-kubernetes-opnfv-         |
|                         | functest-kubernetes-security-kali-kube_hunter-             |
|                         | run-142                                                    |
+-------------------------+------------------------------------------------------------+
2020-10-27 12:08:08,081 - xtesting.ci.run_tests - DEBUG - No env file /var/lib/xtesting/conf/env_file found
2020-10-27 12:08:08,081 - xtesting.ci.run_tests - DEBUG - Test args: kube_hunter
2020-10-27 12:08:08,094 - xtesting.ci.run_tests - INFO - Loading test case 'kube_hunter'...
2020-10-27 12:08:08,400 - xtesting.ci.run_tests - INFO - Running test case 'kube_hunter'...
2020-10-27 12:08:08,444 - kubernetes.client.rest - DEBUG - response body: {"kind":"Namespace","apiVersion":"v1","metadata":{"name":"kube-hunter-tjgxg","generateName":"kube-hunter-","selfLink":"/api/v1/namespaces/kube-hunter-tjgxg","uid":"193fec9b-a702-4aa4-b406-fbe6f4db365f","resourceVersion":"8989276","creationTimestamp":"2020-10-27T12:08:08Z","managedFields":[{"manager":"OpenAPI-Generator","operation":"Update","apiVersion":"v1","time":"2020-10-27T12:08:08Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{}},"f:status":{"f:phase":{}}}}]},"spec":{"finalizers":["kubernetes"]},"status":{"phase":"Active"}} 2020-10-27 12:08:08,447 - functest_kubernetes.security.security - DEBUG - create_namespace: {'api_version': 'v1', 'kind': 'Namespace', 'metadata': {'annotations': None, 'cluster_name': None, 'creation_timestamp': datetime.datetime(2020, 10, 27, 12, 8, 8, tzinfo=tzlocal()), 'deletion_grace_period_seconds': None, 'deletion_timestamp': None, 'finalizers': None, 'generate_name': 'kube-hunter-', 'generation': None, 'initializers': None, 'labels': None, 'managed_fields': [{'api_version': 'v1', 'fields': None, 'manager': 'OpenAPI-Generator', 'operation': 'Update', 'time': datetime.datetime(2020, 10, 27, 12, 8, 8, tzinfo=tzlocal())}], 'name': 'kube-hunter-tjgxg', 'namespace': None, 'owner_references': None, 'resource_version': '8989276', 'self_link': '/api/v1/namespaces/kube-hunter-tjgxg', 'uid': '193fec9b-a702-4aa4-b406-fbe6f4db365f'}, 'spec': {'finalizers': ['kubernetes']}, 'status': {'phase': 'Active'}} 2020-10-27 12:08:08,496 - kubernetes.client.rest - DEBUG - response body: 
{"kind":"Job","apiVersion":"batch/v1","metadata":{"name":"kube-hunter","namespace":"kube-hunter-tjgxg","selfLink":"/apis/batch/v1/namespaces/kube-hunter-tjgxg/jobs/kube-hunter","uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49","resourceVersion":"8989278","creationTimestamp":"2020-10-27T12:08:08Z","labels":{"controller-uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49","job-name":"kube-hunter"},"managedFields":[{"manager":"OpenAPI-Generator","operation":"Update","apiVersion":"batch/v1","time":"2020-10-27T12:08:08Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:backoffLimit":{},"f:completions":{},"f:parallelism":{},"f:template":{"f:spec":{"f:containers":{"k:{\"name\":\"kube-hunter\"}":{".":{},"f:args":{},"f:command":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}}}]},"spec":{"parallelism":1,"completions":1,"backoffLimit":4,"selector":{"matchLabels":{"controller-uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"controller-uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49","job-name":"kube-hunter"}},"spec":{"containers":[{"name":"kube-hunter","image":"aquasec/kube-hunter:0.3.1","command":["python","kube-hunter.py"],"args":["--pod","--report","json","--statistics"],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Never","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"}}},"status":{}} 2020-10-27 12:08:08,499 - functest_kubernetes.security.security - INFO - Job kube-hunter created 2020-10-27 12:08:08,499 - functest_kubernetes.security.security - DEBUG - create_namespaced_job: {'api_version': 'batch/v1', 'kind': 'Job', 'metadata': {'annotations': None, 
'cluster_name': None, 'creation_timestamp': datetime.datetime(2020, 10, 27, 12, 8, 8, tzinfo=tzlocal()), 'deletion_grace_period_seconds': None, 'deletion_timestamp': None, 'finalizers': None, 'generate_name': None, 'generation': None, 'initializers': None, 'labels': {'controller-uid': '2ba7570b-6a50-4a51-bb70-7c9415ae1c49', 'job-name': 'kube-hunter'}, 'managed_fields': [{'api_version': 'batch/v1', 'fields': None, 'manager': 'OpenAPI-Generator', 'operation': 'Update', 'time': datetime.datetime(2020, 10, 27, 12, 8, 8, tzinfo=tzlocal())}], 'name': 'kube-hunter', 'namespace': 'kube-hunter-tjgxg', 'owner_references': None, 'resource_version': '8989278', 'self_link': '/apis/batch/v1/namespaces/kube-hunter-tjgxg/jobs/kube-hunter', 'uid': '2ba7570b-6a50-4a51-bb70-7c9415ae1c49'}, 'spec': {'active_deadline_seconds': None, 'backoff_limit': 4, 'completions': 1, 'manual_selector': None, 'parallelism': 1, 'selector': {'match_expressions': None, 'match_labels': {'controller-uid': '2ba7570b-6a50-4a51-bb70-7c9415ae1c49'}}, 'template': {'metadata': {'annotations': None, 'cluster_name': None, 'creation_timestamp': None, 'deletion_grace_period_seconds': None, 'deletion_timestamp': None, 'finalizers': None, 'generate_name': None, 'generation': None, 'initializers': None, 'labels': {'controller-uid': '2ba7570b-6a50-4a51-bb70-7c9415ae1c49', 'job-name': 'kube-hunter'}, 'managed_fields': None, 'name': None, 'namespace': None, 'owner_references': None, 'resource_version': None, 'self_link': None, 'uid': None}, 'spec': {'active_deadline_seconds': None, 'affinity': None, 'automount_service_account_token': None, 'containers': [{'args': ['--pod', '--report', 'json', '--statistics'], 'command': ['python', 'kube-hunter.py'], 'env': None, 'env_from': None, 'image': 'aquasec/kube-hunter:0.3.1', 'image_pull_policy': 'IfNotPresent', 'lifecycle': None, 'liveness_probe': None, 'name': 'kube-hunter', 'ports': None, 'readiness_probe': None, 'resources': {'limits': None, 'requests': None}, 
'security_context': None, 'stdin': None, 'stdin_once': None, 'termination_message_path': '/dev/termination-log', 'termination_message_policy': 'File', 'tty': None, 'volume_devices': None, 'volume_mounts': None, 'working_dir': None}], 'dns_config': None, 'dns_policy': 'ClusterFirst', 'enable_service_links': None, 'host_aliases': None, 'host_ipc': None, 'host_network': None, 'host_pid': None, 'hostname': None, 'image_pull_secrets': None, 'init_containers': None, 'node_name': None, 'node_selector': None, 'preemption_policy': None, 'priority': None, 'priority_class_name': None, 'readiness_gates': None, 'restart_policy': 'Never', 'runtime_class_name': None, 'scheduler_name': 'default-scheduler', 'security_context': {'fs_group': None, 'run_as_group': None, 'run_as_non_root': None, 'run_as_user': None, 'se_linux_options': None, 'supplemental_groups': None, 'sysctls': None, 'windows_options': None}, 'service_account': None, 'service_account_name': None, 'share_process_namespace': None, 'subdomain': None, 'termination_grace_period_seconds': 30, 'tolerations': None, 'volumes': None}}, 'ttl_seconds_after_finished': None}, 'status': {'active': None, 'completion_time': None, 'conditions': None, 'failed': None, 'start_time': None, 'succeeded': None}} 2020-10-27 12:08:29,675 - functest_kubernetes.security.security - INFO - kube-hunter started in 21.28 sec 2020-10-27 12:08:29,681 - kubernetes.client.rest - DEBUG - response body: 
{"kind":"PodList","apiVersion":"v1","metadata":{"selfLink":"/api/v1/namespaces/kube-hunter-tjgxg/pods","resourceVersion":"8989418"},"items":[{"metadata":{"name":"kube-hunter-6cg5z","generateName":"kube-hunter-","namespace":"kube-hunter-tjgxg","selfLink":"/api/v1/namespaces/kube-hunter-tjgxg/pods/kube-hunter-6cg5z","uid":"4a03e61a-8061-4b7a-82a4-9a0d64f6de8c","resourceVersion":"8989416","creationTimestamp":"2020-10-27T12:08:09Z","labels":{"controller-uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49","job-name":"kube-hunter"},"ownerReferences":[{"apiVersion":"batch/v1","kind":"Job","name":"kube-hunter","uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2020-10-27T12:08:09Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:controller-uid":{},"f:job-name":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"2ba7570b-6a50-4a51-bb70-7c9415ae1c49\"}":{".":{},"f:apiVersion":{},"f:blockOwnerDeletion":{},"f:controller":{},"f:kind":{},"f:name":{},"f:uid":{}}}},"f:spec":{"f:containers":{"k:{\"name\":\"kube-hunter\"}":{".":{},"f:args":{},"f:command":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:enableServiceLinks":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}},{"manager":"kubelet","operation":"Update","apiVersion":"v1","time":"2020-10-27T12:08:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:conditions":{"k:{\"type\":\"ContainersReady\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Initialized\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Ready\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:r
eason":{},"f:status":{},"f:type":{}}},"f:containerStatuses":{},"f:hostIP":{},"f:phase":{},"f:podIP":{},"f:podIPs":{".":{},"k:{\"ip\":\"10.244.1.169\"}":{".":{},"f:ip":{}}},"f:startTime":{}}}}]},"spec":{"volumes":[{"name":"default-token-fx52b","secret":{"secretName":"default-token-fx52b","defaultMode":420}}],"containers":[{"name":"kube-hunter","image":"aquasec/kube-hunter:0.3.1","command":["python","kube-hunter.py"],"args":["--pod","--report","json","--statistics"],"resources":{},"volumeMounts":[{"name":"default-token-fx52b","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Never","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kali-worker2","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true,"preemptionPolicy":"PreemptLowerPriority"},"status":{"phase":"Succeeded","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-10-27T12:08:10Z","reason":"PodCompleted"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-10-27T12:08:29Z","reason":"PodCompleted"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-10-27T12:08:29Z","reason":"PodCompleted"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-10-27T12:08:09Z"}],"hostIP":"172.18.0.13","podIP":"10.244.1.169","podIPs":[{"ip":"10.244.1.169"}],"startTime":"2020-10-27T12:08:10Z","containerStatuses":[{"name":"kube-hunter","state":{"terminated":{"exitCode":0,"reason":"Com
pleted","startedAt":"2020-10-27T12:08:13Z","finishedAt":"2020-10-27T12:08:28Z","containerID":"containerd://8906fe0a79805ca9ec3b35456835580130881202f150bff08979ceb32c5398c9"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/aquasec/kube-hunter:0.3.1","imageID":"docker.io/aquasec/kube-hunter@sha256:2be6820bc1d7e0f57193a9a27d5a3e16b2fd93c53747b03ce8ca48c6fc323781","containerID":"containerd://8906fe0a79805ca9ec3b35456835580130881202f150bff08979ceb32c5398c9","started":false}],"qosClass":"BestEffort"}}]} 2020-10-27 12:08:29,695 - kubernetes.client.rest - DEBUG - response body: 2020-10-27 12:08:16,088 INFO kube_hunter.modules.report.collector Started hunting 2020-10-27 12:08:16,088 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services 2020-10-27 12:08:16,096 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-6cg5z) 2020-10-27 12:08:16,096 INFO kube_hunter.modules.report.collector Found vulnerability "CAP_NET_RAW Enabled" in Local to Pod (kube-hunter-6cg5z) 2020-10-27 12:08:16,104 INFO kube_hunter.modules.report.collector Found vulnerability "Access to pod's secrets" in Local to Pod (kube-hunter-6cg5z) 2020-10-27 12:08:16,591 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at 10.244.1.1:10250 2020-10-27 12:08:16,607 INFO kube_hunter.modules.report.collector Found open service "API Server" at 10.96.0.1:443 2020-10-27 12:08:16,665 INFO kube_hunter.modules.report.collector Found vulnerability "Access to API using service account token" in 10.96.0.1:443 2020-10-27 12:08:16,687 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in 10.96.0.1:443 {"nodes": [{"type": "Node/Master", "location": "10.244.1.1"}, {"type": "Node/Master", "location": "10.96.0.1"}], "services": [{"service": "Kubelet API", "location": "10.244.1.1:10250"}, {"service": "API Server", "location": "10.96.0.1:443"}], 
"vulnerabilities": [{"location": "Local to Pod (kube-hunter-6cg5z)", "vid": "KHV050", "category": "Access Risk", "severity": "low", "vulnerability": "Read access to pod's service account token", "description": " Accessing the pod service account token gives an attacker the option to use the server API ", "evidence": "eyJhbGciOiJSUzI1NiIsImtpZCI6IlpONFdnam96M18xM05UN05lb2VaV29sWUZORl9pLUpva3RIR21qd0FySmsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLWh1bnRlci10amd4ZyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLWZ4NTJiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJhY2UyYzNiNS0wYWFjLTQ5YTItYjQzOC1jMTc5ZGNlNzBjNTgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1odW50ZXItdGpneGc6ZGVmYXVsdCJ9.iFx64hFP2plBQlLA15c090-qDpWo3RLImqXoaFols41Z3_0jy28T50tQA4F_w0cK_Kh94oFEs0wS_7ffuWNAtMonOS93m5CrFeW6DSV8mhLKyy22yYQSn1X0hw1GT8XU2fgGXE1nqv6RW01Oh7htrToMF1lwcFFqHtFAPHVP1ysERxB6KbilGa7F5daIFGPUzDbbO59qO7CcEeBSJTFInHqxL_6zIgnQ88RDY6brx9rEbunCoPxBeI1lDskmZpnElAz0nKzveQKQSyDwNGbreVHxbBLiDVFsabH3Vh_6voeLZMJu89B-JCQcNqFB-9ACHDP8ZaWorZdLV9WkRp3r8Q", "hunter": "Access Secrets"}, {"location": "Local to Pod (kube-hunter-6cg5z)", "vid": "None", "category": "Access Risk", "severity": "low", "vulnerability": "CAP_NET_RAW Enabled", "description": "CAP_NET_RAW is enabled by default for pods.\n If an attacker manages to compromise a pod,\n they could potentially take advantage of this capability to perform network\n attacks on other pods running on the same node", "evidence": "", "hunter": "Pod Capabilities Hunter"}, {"location": "Local to Pod (kube-hunter-6cg5z)", "vid": "None", "category": "Access Risk", "severity": "low", "vulnerability": "Access to pod's secrets", "description": " Accessing the pod's secrets within a compromised pod might disclose valuable data to a potential attacker", 
"evidence": "['/var/run/secrets/kubernetes.io/serviceaccount/token', '/var/run/secrets/kubernetes.io/serviceaccount/namespace', '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt', '/var/run/secrets/kubernetes.io/serviceaccount/..2020_10_27_12_08_10.988377817/ca.crt', '/var/run/secrets/kubernetes.io/serviceaccount/..2020_10_27_12_08_10.988377817/token', '/var/run/secrets/kubernetes.io/serviceaccount/..2020_10_27_12_08_10.988377817/namespace']", "hunter": "Access Secrets"}, {"location": "10.96.0.1:443", "vid": "KHV005", "category": "Information Disclosure", "severity": "medium", "vulnerability": "Access to API using service account token", "description": "The API Server port is accessible.\n Depending on your RBAC settings this could expose access to or control of your cluster.", "evidence": "b'{\"kind\":\"APIVersions\",\"versions\":[\"v1\"],\"serverAddressByClientCIDRs\":[{\"clientCIDR\":\"0.0.0.0/0\",\"serverAddress\":\"172.18.0.11:6443\"}]}\\n'", "hunter": "API Server Hunter"}, {"location": "10.96.0.1:443", "vid": "KHV002", "category": "Information Disclosure", "severity": "medium", "vulnerability": "K8s Version Disclosure", "description": "The kubernetes version could be obtained from the /version endpoint ", "evidence": "v1.19.0", "hunter": "Api Version Hunter"}], "hunter_statistics": [{"name": "Kubelet Readonly Ports Hunter", "description": "Hunts specific endpoints on open ports in the readonly Kubelet server", "vulnerabilities": 0}, {"name": "Kubelet Secure Ports Hunter", "description": "Hunts specific endpoints on an open secured Kubelet", "vulnerabilities": 0}, {"name": "AKS Hunting", "description": "Hunting Azure cluster deployments using specific known configurations", "vulnerabilities": 0}, {"name": "API Server Hunter", "description": "Checks if API server is accessible", "vulnerabilities": 0}, {"name": "API Server Hunter", "description": "Accessing the API server using the service account token obtained from a compromised pod", "vulnerabilities": 
1}, {"name": "Api Version Hunter", "description": "Tries to obtain the Api Server's version directly from /version endpoint", "vulnerabilities": 2}, {"name": "Pod Capabilities Hunter", "description": "Checks for default enabled capabilities in a pod", "vulnerabilities": 1}, {"name": "Certificate Email Hunting", "description": "Checks for email addresses in kubernetes ssl certificates", "vulnerabilities": 0}, {"name": "K8s CVE Hunter", "description": "Checks if Node is running a Kubernetes version vulnerable to specific important CVEs", "vulnerabilities": 0}, {"name": "Kubectl CVE Hunter", "description": "Checks if the kubectl client is vulnerable to specific important CVEs", "vulnerabilities": 0}, {"name": "Dashboard Hunting", "description": "Hunts open Dashboards, gets the type of nodes in the cluster", "vulnerabilities": 0}, {"name": "Etcd Remote Access", "description": "Checks for remote availability of etcd, its version, and read access to the DB", "vulnerabilities": 0}, {"name": "Mount Hunter - /var/log", "description": "Hunt pods that have write access to host's /var/log. 
in such case, the pod can traverse read files on the host machine", "vulnerabilities": 0}, {"name": "Proxy Hunting", "description": "Hunts for a dashboard behind the proxy", "vulnerabilities": 0}, {"name": "Access Secrets", "description": "Accessing the secrets accessible to the pod", "vulnerabilities": 2}], "kburl": "https://aquasecurity.github.io/kube-hunter/kb/{vid}"}
2020-10-27 12:08:29,696 - functest_kubernetes.security.security - WARNING - Skipping Read access to pod's service account token (severity is configured as high)
2020-10-27 12:08:29,696 - functest_kubernetes.security.security - WARNING - Skipping CAP_NET_RAW Enabled (severity is configured as high)
2020-10-27 12:08:29,697 - functest_kubernetes.security.security - WARNING - Skipping Access to pod's secrets (severity is configured as high)
2020-10-27 12:08:29,697 - functest_kubernetes.security.security - WARNING - Skipping Access to API using service account token (severity is configured as high)
2020-10-27 12:08:29,697 - 
functest_kubernetes.security.security - WARNING - Skipping K8s Version Disclosure (severity is configured as high)
2020-10-27 12:08:29,698 - functest_kubernetes.security.security - WARNING -
+--------------------------------+----------------------------------------------------+------------------+
|            CATEGORY            |                   VULNERABILITY                    |     SEVERITY     |
+--------------------------------+----------------------------------------------------+------------------+
| Access Risk                    | Read access to pod's service account token         | low              |
| Access Risk                    | CAP_NET_RAW Enabled                                | low              |
| Access Risk                    | Access to pod's secrets                            | low              |
| Information Disclosure         | Access to API using service account token          | medium           |
| Information Disclosure         | K8s Version Disclosure                             | medium           |
+--------------------------------+----------------------------------------------------+------------------+
2020-10-27 12:08:29,704 - functest_kubernetes.security.security - INFO -
+---------------------------------------+------------------------------------------------------------+-------------------------+
|                 NAME                  |                        DESCRIPTION                         |     VULNERABILITIES     |
+---------------------------------------+------------------------------------------------------------+-------------------------+
| Kubelet Readonly Ports Hunter         | Hunts specific endpoints on open ports in the              | 0                       |
|                                       | readonly Kubelet server                                    |                         |
| Kubelet Secure Ports Hunter           | Hunts specific endpoints on an open secured                | 0                       |
|                                       | Kubelet                                                    |                         |
| AKS Hunting                           | Hunting Azure cluster deployments using specific           | 0                       |
|                                       | known configurations                                       |                         |
| API Server Hunter                     | Checks if API server is accessible                         | 0                       |
| API Server Hunter                     | Accessing the API server using the service account         | 1                       |
|                                       | token obtained from a compromised pod                      |                         |
| Api Version Hunter                    | Tries to obtain the Api Server's version directly          | 2                       |
|                                       | from /version endpoint                                     |                         |
| Pod Capabilities Hunter               | Checks for default enabled capabilities in a pod           | 1                       |
| Certificate Email Hunting             | Checks for email addresses in kubernetes ssl               | 0                       |
|                                       | certificates                                               |                         |
| K8s CVE Hunter                        | Checks if Node is running a Kubernetes version             | 0                       |
|                                       | vulnerable to specific important CVEs                      |                         |
| Kubectl CVE Hunter                    | Checks if the kubectl client is vulnerable to              | 0                       |
|                                       | specific important CVEs                                    |                         |
| Dashboard Hunting                     | Hunts open Dashboards, gets the type of nodes in           | 0                       |
|                                       | the cluster                                                |                         |
| Etcd Remote Access                    | Checks for remote availability of etcd, its                | 0                       |
|                                       | version, and read access to the DB                         |                         |
| Mount Hunter - /var/log               | Hunt pods that have write access to host's                 | 0                       |
|                                       | /var/log. in such case, the pod can traverse read          |                         |
|                                       | files on the host machine                                  |                         |
| Proxy Hunting                         | Hunts for a dashboard behind the proxy                     | 0                       |
| Access Secrets                        | Accessing the secrets accessible to the pod                | 2                       |
+---------------------------------------+------------------------------------------------------------+-------------------------+
2020-10-27 12:08:29,704 - xtesting.ci.run_tests - INFO - Test result:
+---------------------+------------------+------------------+----------------+
|      TEST CASE      |     PROJECT      |     DURATION     |     RESULT     |
+---------------------+------------------+------------------+----------------+
| kube_hunter         | functest         | 00:21            | PASS           |
+---------------------+------------------+------------------+----------------+
2020-10-27 12:08:29,736 - kubernetes.client.rest - DEBUG - response body:
{"kind":"Pod","apiVersion":"v1","metadata":{"name":"kube-hunter-6cg5z","generateName":"kube-hunter-","namespace":"kube-hunter-tjgxg","selfLink":"/api/v1/namespaces/kube-hunter-tjgxg/pods/kube-hunter-6cg5z","uid":"4a03e61a-8061-4b7a-82a4-9a0d64f6de8c","resourceVersion":"8989419","creationTimestamp":"2020-10-27T12:08:09Z","deletionTimestamp":"2020-10-27T12:08:29Z","deletionGracePeriodSeconds":0,"labels":{"controller-uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49","job-name":"kube-hunter"},"ownerReferences":[{"apiVersion":"batch/v1","kind":"Job","name":"kube-hunter","uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49","controller":true,"blockOwnerDeletion":true}],"managedFields":[{"manager":"kube-controller-manager","operation":"Update","apiVersion":"v1","time":"2020-10-27T12:08:09Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{},"f:labels":{".":{},"f:controller-uid":{},"f:job-name":{}},"f:ownerReferences":{".":{},"k:{\"uid\":\"2ba7570b-6a50-4a51-bb70-7c9415ae1c49\"}":{".":{},"f:apiVersion":{},"f:blockOwnerDeletion":{},"f:controller":{},"f:kind":{},"f:name":{},"f:uid":{}}}},"f:spec":{"f:containers":{"k:{\"name\":\"kube-hunter\"}":{".":{},"f:args":{},"f:command":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:enableServiceLinks":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}},{"manager":"kubelet","operation":"Update","apiVersion":"v1","time":"2020-10-27T12:08:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:conditions":{"k:{\"type\":\"ContainersReady\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Initialized\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:reason":{},"f:status":{},"f:type":{}},"k:{\"type\":\"Ready\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:reason":{},"f:status":{},"f:type":{}}
},"f:containerStatuses":{},"f:hostIP":{},"f:phase":{},"f:podIP":{},"f:podIPs":{".":{},"k:{\"ip\":\"10.244.1.169\"}":{".":{},"f:ip":{}}},"f:startTime":{}}}}]},"spec":{"volumes":[{"name":"default-token-fx52b","secret":{"secretName":"default-token-fx52b","defaultMode":420}}],"containers":[{"name":"kube-hunter","image":"aquasec/kube-hunter:0.3.1","command":["python","kube-hunter.py"],"args":["--pod","--report","json","--statistics"],"resources":{},"volumeMounts":[{"name":"default-token-fx52b","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Never","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"kali-worker2","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true,"preemptionPolicy":"PreemptLowerPriority"},"status":{"phase":"Succeeded","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-10-27T12:08:10Z","reason":"PodCompleted"},{"type":"Ready","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-10-27T12:08:29Z","reason":"PodCompleted"},{"type":"ContainersReady","status":"False","lastProbeTime":null,"lastTransitionTime":"2020-10-27T12:08:29Z","reason":"PodCompleted"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2020-10-27T12:08:09Z"}],"hostIP":"172.18.0.13","podIP":"10.244.1.169","podIPs":[{"ip":"10.244.1.169"}],"startTime":"2020-10-27T12:08:10Z","containerStatuses":[{"name":"kube-hunter","state":{"terminated":{"exitCode":0,"reason":"Completed","startedAt":"2020-10-27T12:0
8:13Z","finishedAt":"2020-10-27T12:08:28Z","containerID":"containerd://8906fe0a79805ca9ec3b35456835580130881202f150bff08979ceb32c5398c9"}},"lastState":{},"ready":false,"restartCount":0,"image":"docker.io/aquasec/kube-hunter:0.3.1","imageID":"docker.io/aquasec/kube-hunter@sha256:2be6820bc1d7e0f57193a9a27d5a3e16b2fd93c53747b03ce8ca48c6fc323781","containerID":"containerd://8906fe0a79805ca9ec3b35456835580130881202f150bff08979ceb32c5398c9","started":false}],"qosClass":"BestEffort"}} 2020-10-27 12:08:29,737 - functest_kubernetes.security.security - DEBUG - delete_namespaced_pod: {'api_version': 'v1', 'code': None, 'details': None, 'kind': 'Pod', 'message': None, 'metadata': {'_continue': None, 'remaining_item_count': None, 'resource_version': '8989419', 'self_link': '/api/v1/namespaces/kube-hunter-tjgxg/pods/kube-hunter-6cg5z'}, 'reason': None, 'status': "{'phase': 'Succeeded', 'conditions': [{'type': 'Initialized', " "'status': 'True', 'lastProbeTime': None, 'lastTransitionTime': " "'2020-10-27T12:08:10Z', 'reason': 'PodCompleted'}, {'type': " "'Ready', 'status': 'False', 'lastProbeTime': None, " "'lastTransitionTime': '2020-10-27T12:08:29Z', 'reason': " "'PodCompleted'}, {'type': 'ContainersReady', 'status': 'False', " "'lastProbeTime': None, 'lastTransitionTime': " "'2020-10-27T12:08:29Z', 'reason': 'PodCompleted'}, {'type': " "'PodScheduled', 'status': 'True', 'lastProbeTime': None, " "'lastTransitionTime': '2020-10-27T12:08:09Z'}], 'hostIP': " "'172.18.0.13', 'podIP': '10.244.1.169', 'podIPs': [{'ip': " "'10.244.1.169'}], 'startTime': '2020-10-27T12:08:10Z', " "'containerStatuses': [{'name': 'kube-hunter', 'state': " "{'terminated': {'exitCode': 0, 'reason': 'Completed', 'startedAt': " "'2020-10-27T12:08:13Z', 'finishedAt': '2020-10-27T12:08:28Z', " "'containerID': " "'containerd://8906fe0a79805ca9ec3b35456835580130881202f150bff08979ceb32c5398c9'}}, " "'lastState': {}, 'ready': False, 'restartCount': 0, 'image': " "'docker.io/aquasec/kube-hunter:0.3.1', 'imageID': " 
"'docker.io/aquasec/kube-hunter@sha256:2be6820bc1d7e0f57193a9a27d5a3e16b2fd93c53747b03ce8ca48c6fc323781', " "'containerID': " "'containerd://8906fe0a79805ca9ec3b35456835580130881202f150bff08979ceb32c5398c9', " "'started': False}], 'qosClass': 'BestEffort'}"} 2020-10-27 12:08:29,755 - kubernetes.client.rest - DEBUG - response body: {"kind":"Job","apiVersion":"batch/v1","metadata":{"name":"kube-hunter","namespace":"kube-hunter-tjgxg","selfLink":"/apis/batch/v1/namespaces/kube-hunter-tjgxg/jobs/kube-hunter","uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49","resourceVersion":"8989422","creationTimestamp":"2020-10-27T12:08:08Z","deletionTimestamp":"2020-10-27T12:08:29Z","deletionGracePeriodSeconds":0,"labels":{"controller-uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49","job-name":"kube-hunter"},"finalizers":["orphan"],"managedFields":[{"manager":"OpenAPI-Generator","operation":"Update","apiVersion":"batch/v1","time":"2020-10-27T12:08:08Z","fieldsType":"FieldsV1","fieldsV1":{"f:spec":{"f:backoffLimit":{},"f:completions":{},"f:parallelism":{},"f:template":{"f:spec":{"f:containers":{"k:{\"name\":\"kube-hunter\"}":{".":{},"f:args":{},"f:command":{},"f:image":{},"f:imagePullPolicy":{},"f:name":{},"f:resources":{},"f:terminationMessagePath":{},"f:terminationMessagePolicy":{}}},"f:dnsPolicy":{},"f:restartPolicy":{},"f:schedulerName":{},"f:securityContext":{},"f:terminationGracePeriodSeconds":{}}}}}},{"manager":"kube-controller-manager","operation":"Update","apiVersion":"batch/v1","time":"2020-10-27T12:08:29Z","fieldsType":"FieldsV1","fieldsV1":{"f:status":{"f:completionTime":{},"f:conditions":{".":{},"k:{\"type\":\"Complete\"}":{".":{},"f:lastProbeTime":{},"f:lastTransitionTime":{},"f:status":{},"f:type":{}}},"f:startTime":{},"f:succeeded":{}}}}]},"spec":{"parallelism":1,"completions":1,"backoffLimit":4,"selector":{"matchLabels":{"controller-uid":"2ba7570b-6a50-4a51-bb70-7c9415ae1c49"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"controller-uid":"2ba7570b-6a50-4a51-bb70-
7c9415ae1c49","job-name":"kube-hunter"}},"spec":{"containers":[{"name":"kube-hunter","image":"aquasec/kube-hunter:0.3.1","command":["python","kube-hunter.py"],"args":["--pod","--report","json","--statistics"],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Never","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"}}},"status":{"conditions":[{"type":"Complete","status":"True","lastProbeTime":"2020-10-27T12:08:29Z","lastTransitionTime":"2020-10-27T12:08:29Z"}],"startTime":"2020-10-27T12:08:08Z","completionTime":"2020-10-27T12:08:29Z","succeeded":1}} 2020-10-27 12:08:29,755 - functest_kubernetes.security.security - DEBUG - delete_namespaced_deployment: {'api_version': 'batch/v1', 'code': None, 'details': None, 'kind': 'Job', 'message': None, 'metadata': {'_continue': None, 'remaining_item_count': None, 'resource_version': '8989422', 'self_link': '/apis/batch/v1/namespaces/kube-hunter-tjgxg/jobs/kube-hunter'}, 'reason': None, 'status': "{'conditions': [{'type': 'Complete', 'status': 'True', " "'lastProbeTime': '2020-10-27T12:08:29Z', 'lastTransitionTime': " "'2020-10-27T12:08:29Z'}], 'startTime': '2020-10-27T12:08:08Z', " "'completionTime': '2020-10-27T12:08:29Z', 'succeeded': 1}"} 2020-10-27 12:08:29,807 - kubernetes.client.rest - DEBUG - response body: 
{"kind":"Namespace","apiVersion":"v1","metadata":{"name":"kube-hunter-tjgxg","generateName":"kube-hunter-","selfLink":"/api/v1/namespaces/kube-hunter-tjgxg","uid":"193fec9b-a702-4aa4-b406-fbe6f4db365f","resourceVersion":"8989423","creationTimestamp":"2020-10-27T12:08:08Z","deletionTimestamp":"2020-10-27T12:08:29Z","managedFields":[{"manager":"OpenAPI-Generator","operation":"Update","apiVersion":"v1","time":"2020-10-27T12:08:08Z","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:generateName":{}},"f:status":{"f:phase":{}}}}]},"spec":{"finalizers":["kubernetes"]},"status":{"phase":"Terminating"}} 2020-10-27 12:08:29,811 - functest_kubernetes.security.security - DEBUG - delete_namespace: kube-hunter-tjgxg 2020-10-27 12:08:30,165 - xtesting.core.testcase - DEBUG - Publishing /var/lib/xtesting/results/functest-kubernetes.log ('text/plain', None) 2020-10-27 12:08:30,377 - xtesting.core.testcase - DEBUG - Publishing /var/lib/xtesting/results/functest-kubernetes.debug.log ('text/plain', None)