Kube-Hunter - Hunt For Security Weaknesses In Kubernetes Clusters


Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility of security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster you don't own!
Run kube-hunter: kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at kube-hunter.aquasec.com where you can register online to receive a token that lets you see and share the results online. You can also run the Python code yourself as described below.
Contribute: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your own modules, please read Guidelines For Developing Your First kube-hunter Module.

Hunting

Where should I run kube-hunter?
Run kube-hunter on any machine (including your laptop), select Remote scanning and give the IP address or domain name of your Kubernetes cluster. This will give you an attacker's-eye view of your Kubernetes setup.
You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.
You can also run kube-hunter in a pod inside the cluster. This gives an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).

Scanning options
By default, kube-hunter will open an interactive session, in which you will be able to select one of the following scan options. You can also specify the scan option manually from the command line. These are your options:
  1. Remote scanning: To specify remote machines for hunting, select option 1 or use the --remote option. Example: ./kube-hunter.py --remote some.node.com
  2. Internal scanning: To specify internal scanning, use the --internal option (this will scan all of the machine's network interfaces). Example: ./kube-hunter.py --internal
  3. Network scanning: To specify a particular CIDR to scan, use the --cidr option. Example: ./kube-hunter.py --cidr 192.168.0.0/24

Active Hunting
Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, in order to explore for further vulnerabilities. The main difference between normal and active hunting is that a normal hunt will never change the state of the cluster, while active hunting can potentially perform state-changing operations on the cluster, which could be harmful.
By default, kube-hunter does not do active hunting. To actively hunt a cluster, use the --active flag. Example: ./kube-hunter.py --remote some.domain.com --active

List of tests
You can see the list of tests with the --list option. Example: ./kube-hunter.py --list
To see active hunting tests as well as passive ones: ./kube-hunter.py --list --active

Output
To control logging, you can specify a log level using the --log option. Example: ./kube-hunter.py --active --log WARNING
Available log levels are:
  • DEBUG
  • INFO (default)
  • WARNING
To see only a mapping of your nodes' network, run with the --mapping option. Example: ./kube-hunter.py --cidr 192.168.0.0/24 --mapping
This will output all the Kubernetes nodes kube-hunter has found.

Deployment
There are three methods for deploying kube-hunter:

On Machine
You can run the kube-hunter Python code directly on your machine.

Prerequisites
You will need the following installed:
  • python 2.7
  • pip
Clone the repository:
git clone git@github.com:aquasecurity/kube-hunter.git
Install module dependencies:
cd ./kube-hunter
pip install -r requirements.txt
In the case where you have Python 3.x in the path as your default, and python2 refers to a Python 2.7 executable, use "python2 -m pip install -r requirements.txt" instead.
Run: ./kube-hunter.py

Container
Aqua Security maintains a containerised version of kube-hunter at aquasec/kube-hunter. This container includes this source code, plus an additional (closed source) reporting plugin for uploading results into a report that can be viewed at kube-hunter.aquasec.com. Please note that running the aquasec/kube-hunter container and uploading report data are subject to additional terms and conditions.
The Dockerfile in this repository allows you to build a containerised version without the reporting plugin.
If you run the kube-hunter container with the host network, it will be able to probe all the interfaces on the host:
docker run -it --rm --network host aquasec/kube-hunter
Note for Docker for Mac/Windows: Be aware that the "host" for Docker for Mac or Windows is the VM in which Docker runs containers. Therefore specifying --network host gives kube-hunter access to the network interfaces of that VM, rather than those of your machine. By default kube-hunter runs in interactive mode. You can also specify the scanning option with the parameters described above, e.g.
docker run --rm aquasec/kube-hunter --cidr 192.168.0.0/24

Pod
This option lets you discover what a malicious container running on your cluster can do or discover. This gives a perspective on what an attacker could do if they were able to compromise a pod, perhaps through a software vulnerability. This may reveal significantly more vulnerabilities.
The job.yaml file defines a Job that will run kube-hunter in a pod, using default Kubernetes pod access settings.
  • Run the job with kubectl create using that yaml file.
  • Find the pod name with kubectl describe job kube-hunter
  • View the test results with kubectl logs, passing that pod name.
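As an added illustration of the pod deployment described above (this is not the repository's own job.yaml), the manifest below runs the aquasec/kube-hunter image as a Job that is deliberately left with the namespace's default pod access settings, since that is exactly what the test is meant to measure. The app label, the --internal argument and the kubectl commands in the trailing comments are assumptions; the repository's job.yaml may use different arguments.

```yaml
# Added example manifest (not the project's job.yaml). Save as kube-hunter-job.yaml.
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-hunter
spec:
  # One attempt only: a scan that fails should not be retried automatically,
  # and a completed scan must not be re-run on every restart.
  backoffLimit: 0
  template:
    metadata:
      labels:
        app: kube-hunter        # assumed label, used below to find the pod by selector
    spec:
      restartPolicy: Never
      # No serviceAccountName and no automountServiceAccountToken here on purpose:
      # the pod receives the namespace's default service account token, the same
      # credential a compromised application pod would start with. Anything
      # kube-hunter reaches from here is reachable with those defaults.
      containers:
      - name: kube-hunter
        image: aquasec/kube-hunter
        # --internal (described under "Scanning options") probes the pod's own
        # network interfaces; passive by default, no --active flag is set.
        args: ["--internal"]

# Assumed workflow, matching the three steps listed above:
#   kubectl create -f kube-hunter-job.yaml
#   kubectl wait --for=condition=complete job/kube-hunter --timeout=600s
#   kubectl get pods -l app=kube-hunter      # pod name, via the label instead of describe
#   kubectl logs -l app=kube-hunter          # the test results
#   kubectl delete job kube-hunter           # remove the pod and its token once reviewed
```

Compare the findings from this run with a later one after hardening the namespace (for example, a dedicated service account with automountServiceAccountToken: false); the difference shows what the default pod access settings were exposing.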