Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix the bug of k8s node duplication due to the lack of judgment of th… #528

Closed
wants to merge 1 commit into from
Closed

fix the bug of k8s node duplication due to the lack of judgment of th… #528

wants to merge 1 commit into from

Conversation

y4ney
Copy link

@y4ney y4ney commented Nov 11, 2022

Description

In order to avoid duplication of detected nodes, services and vulnerabilities, we need to determine the type of node address when the k8s cluster node is automatically found.

Fixed Issues

Fixes #527

"BEFORE" and "AFTER" output

BEFORE

./kube-hunter.py --k8s-auto-discover-nodes --kubeconfig /root/.kube/config
2022-11-11 02:48:11,574 INFO kube_hunter.modules.report.collector Started hunting
2022-11-11 02:48:11,574 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2022-11-11 02:48:11,685 INFO kube_hunter.modules.discovery.kubernetes_client Listed 1 nodes in the cluster
2022-11-11 02:48:11,697 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 192.168.1.133:2379
2022-11-11 02:48:11,721 INFO kube_hunter.modules.report.collector Found open service "Etcd" at k8s:2379
2022-11-11 02:48:11,815 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in 192.168.1.133:6443
2022-11-11 02:48:11,820 INFO kube_hunter.modules.report.collector Found open service "API Server" at k8s:6443
2022-11-11 02:48:11,824 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in k8s:6443
2022-11-11 02:48:11,831 INFO kube_hunter.modules.report.collector Found open service "API Server" at 192.168.1.133:6443
2022-11-11 02:48:11,928 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at 192.168.1.133:10250
2022-11-11 02:48:11,932 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at k8s:10250

Nodes
+-------------+---------------+
| TYPE        | LOCATION      |
+-------------+---------------+
| Node/Master | k8s           |
+-------------+---------------+
| Node/Master | 192.168.1.133 |
+-------------+---------------+

Detected Services
+-------------+---------------------+----------------------+
| SERVICE     | LOCATION            | DESCRIPTION          |
+-------------+---------------------+----------------------+
| Kubelet API | k8s:10250           | The Kubelet is the   |
|             |                     | main component in    |
|             |                     | every Node, all pod  |
|             |                     | operations goes      |
|             |                     | through the kubelet  |
+-------------+---------------------+----------------------+
| Kubelet API | 192.168.1.133:10250 | The Kubelet is the   |
|             |                     | main component in    |
|             |                     | every Node, all pod  |
|             |                     | operations goes      |
|             |                     | through the kubelet  |
+-------------+---------------------+----------------------+
| Etcd        | k8s:2379            | Etcd is a DB that    |
|             |                     | stores cluster's     |
|             |                     | data, it contains    |
|             |                     | configuration and    |
|             |                     | current              |
|             |                     |     state            |
|             |                     | information, and     |
|             |                     | might contain        |
|             |                     | secrets              |
+-------------+---------------------+----------------------+
| Etcd        | 192.168.1.133:2379  | Etcd is a DB that    |
|             |                     | stores cluster's     |
|             |                     | data, it contains    |
|             |                     | configuration and    |
|             |                     | current              |
|             |                     |     state            |
|             |                     | information, and     |
|             |                     | might contain        |
|             |                     | secrets              |
+-------------+---------------------+----------------------+
| API Server  | k8s:6443            | The API server is in |
|             |                     | charge of all        |
|             |                     | operations on the    |
|             |                     | cluster.             |
+-------------+---------------------+----------------------+
| API Server  | 192.168.1.133:6443  | The API server is in |
|             |                     | charge of all        |
|             |                     | operations on the    |
|             |                     | cluster.             |
+-------------+---------------------+----------------------+

Vulnerabilities
For further information about a vulnerability, search its ID in:
https://avd.aquasec.com/
+--------+--------------------+----------------------+----------------------+----------------------+----------+
| ID     | LOCATION           | MITRE CATEGORY       | VULNERABILITY        | DESCRIPTION          | EVIDENCE |
+--------+--------------------+----------------------+----------------------+----------------------+----------+
| KHV002 | k8s:6443           | Initial Access //    | K8s Version          | The kubernetes       | v1.23.7  |
|        |                    | Exposed sensitive    | Disclosure           | version could be     |          |
|        |                    | interfaces           |                      | obtained from the    |          |
|        |                    |                      |                      | /version endpoint    |          |
+--------+--------------------+----------------------+----------------------+----------------------+----------+
| KHV002 | 192.168.1.133:6443 | Initial Access //    | K8s Version          | The kubernetes       | v1.23.7  |
|        |                    | Exposed sensitive    | Disclosure           | version could be     |          |
|        |                    | interfaces           |                      | obtained from the    |          |
|        |                    |                      |                      | /version endpoint    |          |
+--------+--------------------+----------------------+----------------------+----------------------+----------+

AFTER

./kube-hunter.py --k8s-auto-discover-nodes --kubeconfig /root/.kube/config
2022-11-11 03:18:23,914 INFO kube_hunter.modules.report.collector Started hunting
2022-11-11 03:18:23,925 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2022-11-11 03:18:23,971 INFO kube_hunter.modules.discovery.kubernetes_client Listed 1 nodes in the cluster
2022-11-11 03:18:23,975 INFO kube_hunter.modules.report.collector Found open service "Etcd" at 192.168.1.133:2379
2022-11-11 03:18:24,015 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at 192.168.1.133:10250
2022-11-11 03:18:24,056 INFO kube_hunter.modules.report.collector Found open service "API Server" at 192.168.1.133:6443
2022-11-11 03:18:24,056 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in 192.168.1.133:6443

Nodes
+-------------+---------------+
| TYPE        | LOCATION      |
+-------------+---------------+
| Node/Master | 192.168.1.133 |
+-------------+---------------+

Detected Services
+-------------+---------------------+----------------------+
| SERVICE     | LOCATION            | DESCRIPTION          |
+-------------+---------------------+----------------------+
| Kubelet API | 192.168.1.133:10250 | The Kubelet is the   |
|             |                     | main component in    |
|             |                     | every Node, all pod  |
|             |                     | operations goes      |
|             |                     | through the kubelet  |
+-------------+---------------------+----------------------+
| Etcd        | 192.168.1.133:2379  | Etcd is a DB that    |
|             |                     | stores cluster's     |
|             |                     | data, it contains    |
|             |                     | configuration and    |
|             |                     | current              |
|             |                     |     state            |
|             |                     | information, and     |
|             |                     | might contain        |
|             |                     | secrets              |
+-------------+---------------------+----------------------+
| API Server  | 192.168.1.133:6443  | The API server is in |
|             |                     | charge of all        |
|             |                     | operations on the    |
|             |                     | cluster.             |
+-------------+---------------------+----------------------+

Vulnerabilities
For further information about a vulnerability, search its ID in:
https://avd.aquasec.com/
+--------+--------------------+----------------------+----------------------+----------------------+----------+
| ID     | LOCATION           | MITRE CATEGORY       | VULNERABILITY        | DESCRIPTION          | EVIDENCE |
+--------+--------------------+----------------------+----------------------+----------------------+----------+
| KHV002 | 192.168.1.133:6443 | Initial Access //    | K8s Version          | The kubernetes       | v1.23.7  |
|        |                    | Exposed sensitive    | Disclosure           | version could be     |          |
|        |                    | interfaces           |                      | obtained from the    |          |
|        |                    |                      |                      | /version endpoint    |          |
+--------+--------------------+----------------------+----------------------+----------------------+----------+

Contribution checklist

  • I have read the Contributing Guidelines.
  • The commits refer to an active issue in the repository.
  • I have added automated testing to cover this case.

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Yaney seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@y4ney y4ney closed this by deleting the head repository May 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The correct number of nodes in the k8s cluster cannot be listed.
2 participants
@y4ney @CLAassistant