Kube-Hunter – Hunt For Security Weaknesses In Kubernetes Clusters

Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility of security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you do not own!
Run kube-hunter: kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at kube-hunter.aquasec.com where you can register online to receive a token that allows you to see and share the results online. You can also run the Python code yourself as described below.


Where should I run kube-hunter?
  1. Run kube-hunter on any machine (including your laptop), select Remote scanning and give the IP address or domain name of your Kubernetes cluster. This will give you an attacker's-eye view of your Kubernetes setup.
  2. You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.
  3. You can also run kube-hunter in a pod within the cluster. This gives an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).

Scanning options
By default, kube-hunter will open an interactive session, in which you will be able to select one of the following scan options. You can also specify the scan option manually from the command line. These are your options:

  1. Remote scanning: To specify remote machines for hunting, select option 1 or use the --remote option. Example: ./kube-hunter.py --remote some.node.com
  2. Internal scanning: To specify internal scanning, use the --internal option (this will scan all of the machine's network interfaces). Example: ./kube-hunter.py --internal
  3. Network scanning: To specify a particular CIDR to scan, use the --cidr option followed by the CIDR. Example: ./kube-hunter.py --cidr
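To make the "attacker's-eye view" of remote and network scanning concrete, here is an added illustration in Python. It is not kube-hunter's own code and makes no claim about which ports or checks kube-hunter actually uses: it simply tries TCP connections to a table of well-known Kubernetes control-plane and node ports on each target, and accepts a hostname, a single IP, or a CIDR the same way the --remote and --cidr options do. The port table (`KUBE_PORTS`) and the function names are my assumptions for the example. As with kube-hunter itself, point it only at clusters you own.

```python
"""Added example (not kube-hunter's code): a minimal TCP reachability probe of
well-known Kubernetes ports, in the spirit of kube-hunter's remote/network scan.
The port table below is an assumption for illustration, not kube-hunter's list."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports an outsider would look for first (assumed for this example).
KUBE_PORTS = {
    6443: "kube-apiserver (HTTPS)",
    8080: "kube-apiserver insecure (plain HTTP) port",
    10250: "kubelet API",
    10255: "kubelet read-only API",
    2379: "etcd client",
    2380: "etcd peer",
}


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port succeeds within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unroutable, unresolvable ...
        return False


def probe_host(host, ports=KUBE_PORTS, timeout=1.0):
    """Probe every port concurrently; return {port: description} for open ones."""
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        results = pool.map(lambda p: (p, tcp_open(host, p, timeout)), ports)
        return {p: ports[p] for p, is_open in results if is_open}


def expand_targets(target):
    """Yield individual hosts for a hostname, an IP, or a CIDR (like --cidr)."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        yield target  # not an IP/CIDR: treat as a hostname (like --remote)
        return
    # hosts() is empty for a /32 on older Pythons; fall back to the address itself.
    for h in list(net.hosts()) or [net.network_address]:
        yield str(h)


def scan(targets, ports=KUBE_PORTS, timeout=1.0):
    """Return {host: {port: description}} for every host with at least one open port."""
    report = {}
    for target in targets:
        for host in expand_targets(target):
            found = probe_host(host, ports, timeout)
            if found:
                report[host] = found
    return report


if __name__ == "__main__":
    import sys

    # Usage: python probe.py some.node.com 10.0.0.0/24
    for host, found in scan(sys.argv[1:]).items():
        for port, desc in sorted(found.items()):
            print(f"{host}:{port}\t{desc}")
```

A port that answers is only a starting point: reachability says nothing about authentication, which is exactly why the page distinguishes a passive hunt (observe) from an active one (exploit what was found).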

Active Hunting
Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, in order to probe for further vulnerabilities. The main difference between normal and active hunting is that a normal hunt will never change the state of the cluster, while active hunting can potentially perform state-altering operations on the cluster, which could be harmful.
By default, kube-hunter does not do active hunting. To actively hunt a cluster, use the --active flag. Example: ./kube-hunter.py --remote some.domain.com --active

List of tests
You can see the list of tests with the --list option. Example: ./kube-hunter.py --list
To see active hunting tests as well as passive ones: ./kube-hunter.py --list --active

To control logging, you can specify a log level using the --log option. Example: ./kube-hunter.py --active --log WARNING. Available log levels are:

  • INFO (default)

To see only a mapping of your nodes' network, run with the --mapping option. Example: ./kube-hunter.py --cidr --mapping (with the CIDR to scan after --cidr). This will output all the Kubernetes nodes kube-hunter has found.

There are three methods for deploying kube-hunter:

On Machine
You can run the kube-hunter Python code directly on your machine.

You will need Python and pip installed.

Clone the repository:

git clone git@github.com:aquasecurity/kube-hunter.git

Install module dependencies:

cd ./kube-hunter
pip install -r requirements.txt

If you have Python 3.x in your path as the default, and python2 refers to a Python 2.7 executable, use "python2 -m pip install -r requirements.txt" instead.

Run: ./kube-hunter.py

Container
Aqua Security maintains a containerised version of kube-hunter at aquasec/kube-hunter. This container includes this source code, plus an additional (closed source) reporting plugin for uploading results into a report that can be viewed at kube-hunter.aquasec.com. Please note that running the aquasec/kube-hunter container and uploading report data are subject to additional terms and conditions.
The Dockerfile in this repository allows you to build a containerised version without the reporting plugin.
If you run the kube-hunter container with the host network, it will be able to probe all the interfaces on the host:
docker run -it --rm --network host aquasec/kube-hunter
Note for Docker for Mac/Windows: Be aware that the "host" for Docker for Mac or Windows is the VM within which Docker runs containers. Therefore specifying --network host gives kube-hunter access to the network interfaces of that VM, rather than those of your machine.
By default kube-hunter runs in interactive mode. You can also specify the scanning option with the parameters described above, e.g.
docker run --rm aquasec/kube-hunter --cidr

Pod
This option lets you discover what a malicious container could do or discover on your cluster. It gives a perspective on what an attacker could do if they were able to compromise a pod, perhaps through a software vulnerability, and may reveal significantly more vulnerabilities than a scan from outside.
The job.yaml file defines a Job that will run kube-hunter in a pod, using default Kubernetes pod access settings.

  • Run the job with kubectl create and that yaml file.
  • Find the pod name with kubectl describe job kube-hunter
  • View the test results with kubectl logs <pod name>
