K8s autodiscovery (#453)

* Add a new dependency on Kubernetes package * Add and store a new flag about automatic nodes discovery from a pod * Implement the listing of nodes * Add tests to cover the k8s node listing * Fix the k8s listing test to ensure the load incluster function is actually called * Add more help to the k8s node discovery flags, and cross-reference them. * Add a note on the Kubernetes auto-discovery in the main README file * Move the kubernetes discovery from conf to modules/discovery * When running with --pods, run the Kubernetes auto discovery * Also mention that the auto discovery is always on when using --pod Co-authored-by: Mikolaj Pawlikowski <[email protected]>
aquasecurity · Jun 5, 2021 · 6689005 · 6689005
1 parent 0b90e0e
commit 6689005
Show file tree

Hide file tree

Showing 8 changed files with 97 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -76,6 +76,12 @@ To specify interface scanning, you can use the `--interface` option (this will s
 To specify a specific CIDR to scan, use the `--cidr` option. Example:
 `kube-hunter --cidr 192.168.0.0/24`
 
+4. **Kubernetes node auto-discovery**
+
+Set `--k8s-auto-discover-nodes` flag to query Kubernetes for all nodes in the cluster, and then attempt to scan them all. By default, it will use [in-cluster config](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to connect to the Kubernetes API. If you'd like to use an explicit kubeconfig file, set `--kubeconfig /location/of/kubeconfig/file`.
+
+Also note, that this is always done when using `--pod` mode.
+
 ### Active Hunting
 
 Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, to explore for further vulnerabilities.

diff --git a/kube_hunter/__main__.py b/kube_hunter/__main__.py
@@ -25,6 +25,8 @@
     quick=args.quick,
     remote=args.remote,
     statistics=args.statistics,
+    k8s_auto_discover_nodes=args.k8s_auto_discover_nodes,
+    kubeconfig=args.kubeconfig,
 )
 setup_logger(args.log, args.log_file)
 set_config(config)
@@ -88,7 +90,7 @@ def list_hunters():
 
 def main():
     global hunt_started
-    scan_options = [config.pod, config.cidr, config.remote, config.interface]
+    scan_options = [config.pod, config.cidr, config.remote, config.interface, config.k8s_auto_discover_nodes]
     try:
         if args.list:
             list_hunters()

diff --git a/kube_hunter/conf/__init__.py b/kube_hunter/conf/__init__.py
@@ -36,6 +36,8 @@ class Config:
     remote: Optional[str] = None
     reporter: Optional[Any] = None
     statistics: bool = False
+    k8s_auto_discover_nodes: bool = False
+    kubeconfig: Optional[str] = None
 
 
 _config: Optional[Config] = None

diff --git a/kube_hunter/conf/parser.py b/kube_hunter/conf/parser.py
@@ -46,6 +46,26 @@ def parser_add_arguments(parser):
         help="One or more remote ip/dns to hunt",
     )
 
+    parser.add_argument(
+        "--k8s-auto-discover-nodes",
+        action="store_true",
+        help="Enables automatic detection of all nodes in a Kubernetes cluster "
+        "by quering the Kubernetes API server. "
+        "It supports both in-cluster config (when running as a pod), "
+        "and a specific kubectl config file (use --kubeconfig to set this). "
+        "By default, when this flag is set, it will use in-cluster config. "
+        "NOTE: this is automatically switched on in --pod mode."
+    )
+
+    parser.add_argument(
+        "--kubeconfig",
+        type=str,
+        metavar="KUBECONFIG",
+        default=None,
+        help="Specify the kubeconfig file to use for Kubernetes nodes auto discovery "
+        " (to be used in conjuction with the --k8s-auto-discover-nodes flag."
+    )
+
     parser.add_argument("--active", action="store_true", help="Enables active hunting")
 
     parser.add_argument(

diff --git a/kube_hunter/modules/discovery/hosts.py b/kube_hunter/modules/discovery/hosts.py
@@ -8,6 +8,7 @@
 from netifaces import AF_INET, ifaddresses, interfaces, gateways
 
 from kube_hunter.conf import get_config
+from kube_hunter.modules.discovery.kubernetes_client import list_all_k8s_cluster_nodes
 from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Event, NewHostEvent, Vulnerability
 from kube_hunter.core.types import Discovery, InformationDisclosure, AWS, Azure
@@ -114,6 +115,9 @@ def __init__(self, event):
 
     def execute(self):
         config = get_config()
+        # Attempt to read all hosts from the Kubernetes API
+        for host in list_all_k8s_cluster_nodes(config.kubeconfig):
+            self.publish_event(NewHostEvent(host=host))
         # Scan any hosts that the user specified
         if config.remote or config.cidr:
             self.publish_event(HostScanEvent())
@@ -298,6 +302,9 @@ def execute(self):
         elif len(config.remote) > 0:
             for host in config.remote:
                 self.publish_event(NewHostEvent(host=host))
+        elif config.k8s_auto_discover_nodes:
+            for host in list_all_k8s_cluster_nodes(config.kubeconfig):
+                self.publish_event(NewHostEvent(host=host))
 
     # for normal scanning
     def scan_interfaces(self):

diff --git a/kube_hunter/modules/discovery/kubernetes_client.py b/kube_hunter/modules/discovery/kubernetes_client.py
@@ -0,0 +1,27 @@
+import logging
+import kubernetes
+
+
+def list_all_k8s_cluster_nodes(kube_config=None, client=None):
+    logger = logging.getLogger(__name__)
+    try:
+        if kube_config:
+            logger.info("Attempting to use kubeconfig file: %s", kube_config)
+            kubernetes.config.load_kube_config(config_file=kube_config)
+        else:
+            logger.info("Attempting to use in cluster Kubernetes config")
+            kubernetes.config.load_incluster_config()
+    except kubernetes.config.config_exception.ConfigException:
+        logger.exception("Failed to initiate Kubernetes client")
+        return
+
+    try:
+        if client is None:
+            client = kubernetes.client.CoreV1Api()
+        ret = client.list_node(watch=False)
+        logger.info("Listed %d nodes in the cluster" % len(ret.items))
+        for item in ret.items:
+            for addr in item.status.addresses:
+                yield addr.address
+    except:
+        logger.exception("Failed to list nodes from Kubernetes")
diff --git a/setup.cfg b/setup.cfg
@@ -41,6 +41,7 @@ install_requires =
     packaging
     dataclasses
     pluggy
+    kubernetes==12.0.1
 setup_requires =
     setuptools>=30.3.0
     setuptools_scm

diff --git a/tests/discovery/test_k8s.py b/tests/discovery/test_k8s.py
@@ -0,0 +1,31 @@
+from kube_hunter.conf import Config, set_config
+
+set_config(Config())
+
+from kube_hunter.modules.discovery.kubernetes_client import list_all_k8s_cluster_nodes
+from unittest.mock import MagicMock, patch
+
+
+
+def test_client_yields_ips():
+    client = MagicMock()
+    response = MagicMock()
+    client.list_node.return_value = response
+    response.items = [MagicMock(), MagicMock()]
+    response.items[0].status.addresses = [MagicMock(), MagicMock()]
+    response.items[0].status.addresses[0].address = "127.0.0.1"
+    response.items[0].status.addresses[1].address = "127.0.0.2"
+    response.items[1].status.addresses = [MagicMock()]
+    response.items[1].status.addresses[0].address = "127.0.0.3"
+
+    with patch('kubernetes.config.load_incluster_config') as m:
+        output = list(list_all_k8s_cluster_nodes(client=client))
+        m.assert_called_once()
+
+    assert output == ["127.0.0.1", "127.0.0.2", "127.0.0.3"]
+
+
+def test_client_uses_kubeconfig():
+    with patch('kubernetes.config.load_kube_config') as m:
+        list(list_all_k8s_cluster_nodes(kube_config="/location", client=MagicMock()))
+        m.assert_called_once_with(config_file="/location")