KubeHunterReport¶
The KubeHunterReport is a cluster scoped resource which represents the outcome of running pen tests against your cluster. Currently the data model is the same as kube-hunter's output, but we can make it more generic to onboard third party pen testing tools.
As shown in the following listing there's zero to one instances of KubeHunterReports with hardcoded name cluster
.
Since there's no built-in Kubernetes resource that represents a cluster trivy-operator does not set any owner reference.
apiVersion: aquasecurity.github.io/v1alpha1
kind: KubeHunterReport
metadata:
name: cluster
labels:
trivy-operator.resource.kind: Cluster
trivy-operator.resource.name: cluster
uid: 958ca06b-6393-4e44-a6a6-11ce823c94fe
report:
scanner:
name: kube-hunter
vendor: Aqua Security
version: 0.4.1
summary:
highCount: 0
lowCount: 1
mediumCount: 0
unknownCount: 0
vulnerabilities:
- avd_reference: https://avd.aquasec.com/kube-hunter/none/
category: Access Risk
description: |-
CAP_NET_RAW is enabled by default for pods.
If an attacker manages to compromise a pod,
they could potentially take advantage of this capability to perform network
attacks on other pods running on the same node
evidence: ""
location: Local to Pod (cf63974f-26a4-43f7-9409-44102fc75900-sl7vq)
severity: low
vid: None
vulnerability: CAP_NET_RAW Enabled