#33 Add cascading rule for kube-hunter

J12934 · J12934 · commit ccf2399128f2 · 2020-06-27T22:00:37.000+02:00
diff --git a/scanners/kube-hunter/cascading-rules/remote-kubernetes.yaml b/scanners/kube-hunter/cascading-rules/remote-kubernetes.yaml
@@ -0,0 +1,46 @@
+apiVersion: "cascading.experimental.securecodebox.io/v1"
+kind: CascadingRule
+metadata:
+  name: "kubernetes-control-plane"
+  labels:
+    securecodebox.io/invasive: non-invasive
+    securecodebox.io/intensive: light
+spec:
+  matches:
+    anyOf:
+      # API Server
+      - category: "Open Port"
+        attributes:
+          port: 6443
+          state: "open"
+      # etcd API
+      - category: "Open Port"
+        attributes:
+          port: 2379
+          state: "open"
+  scanSpec:
+    scanType: "kube-hunter"
+    parameters:
+      - "--remote"
+      - "{{attributes.ip_address}}"
+---
+apiVersion: "cascading.experimental.securecodebox.io/v1"
+kind: CascadingRule
+metadata:
+  name: "kubernetes-node"
+  labels:
+    securecodebox.io/invasive: non-invasive
+    securecodebox.io/intensive: light
+spec:
+  matches:
+    anyOf:
+      # kubelet API
+      - category: "Open Port"
+        attributes:
+          port: 10250
+          state: "open"
+  scanSpec:
+    scanType: "kube-hunter"
+    parameters:
+      - "--remote"
+      - "{{attributes.ip_address}}"
diff --git a/scanners/kube-hunter/templates/cascading-rules.yaml b/scanners/kube-hunter/templates/cascading-rules.yaml
@@ -0,0 +1,8 @@
+# The CascadingRules are not directly in the /templates directory as their curly bracket syntax clashes with helms templates ... :( 
+# We import them as raw files to avoid these clashes as escaping them is even more messy
+{{ range $path, $_ :=  .Files.Glob  "cascading-rules/*" }}
+# Include File
+{{ $.Files.Get $path }}
+# Separate multiple files
+---
+{{ end }}
