2020-09-10 01:14:27,449 - xtesting.ci.run_tests - INFO - Deployment description:
+-----------------+---------------------------------------------------+
| ENV VAR         | VALUE                                             |
+-----------------+---------------------------------------------------+
| CI_LOOP         | daily                                             |
| DEBUG           | true                                              |
| DEPLOY_SCENARIO | k8-nosdn-nofeature-noha                           |
| INSTALLER_TYPE  | unknown                                           |
| BUILD_TAG       | 2BHT3HKK4SYV                                      |
| NODE_NAME       | lf-virtual1-5                                     |
| TEST_DB_URL     | http://testresults.opnfv.org/test/api/v1/results  |
| TEST_DB_EXT_URL | http://testresults.opnfv.org/test/api/v1/results  |
| S3_ENDPOINT_URL | https://storage.googleapis.com                    |
| S3_DST_URL      | s3://artifacts.opnfv.org/functest-                |
|                 | kubernetes/2BHT3HKK4SYV/functest-kubernetes-pi-   |
|                 | ollivier-functest-kubernetes-security-arm-latest- |
|                 | kube_hunter-run-27                                |
| HTTP_DST_URL    | http://artifacts.opnfv.org/functest-              |
|                 | kubernetes/2BHT3HKK4SYV/functest-kubernetes-pi-   |
|                 | ollivier-functest-kubernetes-security-arm-latest- |
|                 | kube_hunter-run-27                                |
+-----------------+---------------------------------------------------+
2020-09-10 01:14:27,573 - xtesting.ci.run_tests - INFO - Loading test case 'kube_hunter'...
2020-09-10 01:14:30,067 - xtesting.ci.run_tests - INFO - Running test case 'kube_hunter'...
2020-09-10 01:14:30,551 - functest_kubernetes.security.security - INFO - Job kube-hunter created
2020-09-10 01:14:48,508 - functest_kubernetes.security.security - INFO - kube-hunter started in 18.44 sec
2020-09-10 01:14:48,595 - functest_kubernetes.security.security - WARNING - 2020-09-10 01:14:35,322 INFO kube_hunter.modules.report.collector Started hunting
2020-09-10 01:14:35,329 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2020-09-10 01:14:35,332 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-4f8ts)
2020-09-10 01:14:35,333 INFO kube_hunter.modules.report.collector Found vulnerability "CAP_NET_RAW Enabled" in Local to Pod (kube-hunter-4f8ts)
2020-09-10 01:14:35,337 INFO kube_hunter.modules.report.collector Found vulnerability "Access to pod's secrets" in Local to Pod (kube-hunter-4f8ts)
2020-09-10 01:14:35,723 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at 10.244.2.1:10250
2020-09-10 01:14:35,760 INFO kube_hunter.modules.report.collector Found open service "API Server" at 10.96.0.1:443
2020-09-10 01:14:35,841 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in 10.96.0.1:443
2020-09-10 01:14:35,847 INFO kube_hunter.modules.report.collector Found vulnerability "Access to API using service account token" in 10.96.0.1:443

Nodes
+-------------+------------+
| TYPE        | LOCATION   |
+-------------+------------+
| Node/Master | 10.244.2.1 |
+-------------+------------+
| Node/Master | 10.96.0.1  |
+-------------+------------+

Detected Services
+-------------+------------------+----------------------+
| SERVICE     | LOCATION         | DESCRIPTION          |
+-------------+------------------+----------------------+
| Kubelet API | 10.244.2.1:10250 | The Kubelet is the   |
|             |                  | main component in    |
|             |                  | every Node, all pod  |
|             |                  | operations goes      |
|             |                  | through the kubelet  |
+-------------+------------------+----------------------+
| API Server  | 10.96.0.1:443    | The API server is in |
|             |                  | charge of all        |
|             |                  | operations on the    |
|             |                  | cluster.             |
+-------------+------------------+----------------------+

Vulnerabilities
For further information about a vulnerability, search its ID in:
https://github.com/aquasecurity/kube-hunter/tree/master/docs/_kb
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID     | LOCATION             | CATEGORY             | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV005 | 10.96.0.1:443        | Information          | Access to API using  | The API Server port  | b'{"kind":"APIVersio |
|        |                      | Disclosure           | service account      | is accessible.       | ns","versions":["v1" |
|        |                      |                      | token                | Depending on         | ...                  |
|        |                      |                      |                      | your RBAC settings   |                      |
|        |                      |                      |                      | this could expose    |                      |
|        |                      |                      |                      | access to or control |                      |
|        |                      |                      |                      | of your cluster.     |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV002 | 10.96.0.1:443        | Information          | K8s Version          | The kubernetes       | v1.19.0              |
|        |                      | Disclosure           | Disclosure           | version could be     |                      |
|        |                      |                      |                      | obtained from the    |                      |
|        |                      |                      |                      | /version endpoint    |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-  | Access Risk          | CAP_NET_RAW Enabled  | CAP_NET_RAW is       |                      |
|        | hunter-4f8ts)        |                      |                      | enabled by default   |                      |
|        |                      |                      |                      | for pods.            |                      |
|        |                      |                      |                      | If an attacker       |                      |
|        |                      |                      |                      | manages to           |                      |
|        |                      |                      |                      | compromise a pod,    |                      |
|        |                      |                      |                      | they could           |                      |
|        |                      |                      |                      | potentially take     |                      |
|        |                      |                      |                      | advantage of this    |                      |
|        |                      |                      |                      | capability to        |                      |
|        |                      |                      |                      | perform network      |                      |
|        |                      |                      |                      | attacks on other     |                      |
|        |                      |                      |                      | pods running on the  |                      |
|        |                      |                      |                      | same node            |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-  | Access Risk          | Access to pod's      | Accessing the pod's  | ['/var/run/secrets/k |
|        | hunter-4f8ts)        |                      | secrets              | secrets within a     | ubernetes.io/service |
|        |                      |                      |                      | compromised pod      | ...                  |
|        |                      |                      |                      | might disclose       |                      |
|        |                      |                      |                      | valuable data to a   |                      |
|        |                      |                      |                      | potential attacker   |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV050 | Local to Pod (kube-  | Access Risk          | Read access to pod's | Accessing the pod    | eyJhbGciOiJSUzI1NiIs |
|        | hunter-4f8ts)        |                      | service account      | service account      | ImtpZCI6InVBUWpjVEFY |
|        |                      |                      | token                | token gives an       | ...                  |
|        |                      |                      |                      | attacker the option  |                      |
|        |                      |                      |                      | to use the server    |                      |
|        |                      |                      |                      | API                  |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+

2020-09-10 01:14:48,597 - xtesting.ci.run_tests - INFO - Test result:
+---------------------+------------------+------------------+----------------+
|      TEST CASE      |     PROJECT      |     DURATION     |     RESULT     |
+---------------------+------------------+------------------+----------------+
|     kube_hunter     |     functest     |      00:18       |      PASS      |
+---------------------+------------------+------------------+----------------+