2020-05-13 18:09:56,385 INFO kube_hunter.modules.report.collector Started hunting 2020-05-13 18:09:56,385 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services 2020-05-13 18:09:56,395 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-zm4xp) 2020-05-13 18:09:56,395 INFO kube_hunter.modules.report.collector Found vulnerability "CAP_NET_RAW Enabled" in Local to Pod (kube-hunter-zm4xp) 2020-05-13 18:09:56,403 INFO kube_hunter.modules.report.collector Found vulnerability "Access to pod's secrets" in Local to Pod (kube-hunter-zm4xp) 2020-05-13 18:10:01,809 INFO kube_hunter.modules.report.collector Found open service "Kubelet API" at 10.32.0.1:10250 2020-05-13 18:10:01,840 INFO kube_hunter.modules.report.collector Found open service "Metrics Server" at 10.32.0.1:6443 2020-05-13 18:10:09,246 INFO kube_hunter.modules.report.collector Found open service "API Server" at 10.96.0.1:443 2020-05-13 18:10:09,325 INFO kube_hunter.modules.report.collector Found vulnerability "Access to API using service account token" in 10.96.0.1:443 2020-05-13 18:10:09,353 INFO kube_hunter.modules.report.collector Found vulnerability "K8s Version Disclosure" in 10.96.0.1:443 Nodes +-------------+-----------+ | TYPE | LOCATION | +-------------+-----------+ | Node/Master | 10.96.0.1 | +-------------+-----------+ | Node/Master | 10.32.0.1 | +-------------+-----------+ Detected Services +----------------+-----------------+----------------------+ | SERVICE | LOCATION | DESCRIPTION | +----------------+-----------------+----------------------+ | Metrics Server | 10.32.0.1:6443 | The Metrics server | | | | is in charge of | | | | providing resource | | | | usage metrics for | | | | pods and nodes to | | | | the API server | +----------------+-----------------+----------------------+ | Kubelet API | 10.32.0.1:10250 | The Kubelet is the | | | | main component in | | | | every Node, all pod | | | | operations goes | | | | through the kubelet | +----------------+-----------------+----------------------+ | API Server | 10.96.0.1:443 | The API server is in | | | | charge of all | | | | operations on the | | | | cluster. | +----------------+-----------------+----------------------+ Vulnerabilities For further information about a vulnerability, search its ID in: https://github.com/aquasecurity/kube-hunter/tree/master/docs/_kb +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | ID | LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | KHV005 | 10.96.0.1:443 | Information | Access to API using | The API Server port | b'{"kind":"APIVersio | | | | Disclosure | service account | is accessible. | ns","versions":["v1" | | | | | token | Depending on | ... | | | | | | your RBAC settings | | | | | | | this could expose | | | | | | | access to or control | | | | | | | of your cluster. | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | KHV002 | 10.96.0.1:443 | Information | K8s Version | The kubernetes | v1.18.2 | | | | Disclosure | Disclosure | version could be | | | | | | | obtained from the | | | | | | | /version endpoint | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | None | Local to Pod (kube- | Access Risk | CAP_NET_RAW Enabled | CAP_NET_RAW is | | | | hunter-zm4xp) | | | enabled by default | | | | | | | for pods. | | | | | | | If an attacker | | | | | | | manages to | | | | | | | compromise a pod, | | | | | | | they could | | | | | | | potentially take | | | | | | | advantage of this | | | | | | | capability to | | | | | | | perform network | | | | | | | attacks on other | | | | | | | pods running on the | | | | | | | same node | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | None | Local to Pod (kube- | Access Risk | Access to pod's | Accessing the pod's | ['/var/run/secrets/k | | | hunter-zm4xp) | | secrets | secrets within a | ubernetes.io/service | | | | | | compromised pod | ... | | | | | | might disclose | | | | | | | valuable data to a | | | | | | | potential attacker | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+ | KHV050 | Local to Pod (kube- | Access Risk | Read access to pod's | Accessing the pod | eyJhbGciOiJSUzI1NiIs | | | hunter-zm4xp) | | service account | service account | ImtpZCI6IkZTZFU2d1VS | | | | | token | token gives an | ... | | | | | | attacker the option | | | | | | | to use the server | | | | | | | API | | +--------+----------------------+----------------------+----------------------+----------------------+----------------------+