How to Install and Run Kube-hunter: The Complete Guide

Kubernetes is the most-used container orchestration system, with countless companies building on and migrating to this popular open-source technology. According to a study done by the Cloud Native Computing Foundation in 2021, 96% of the participants who took part in the survey were either using or evaluated embracing Kubernetes. However, increased use also means teams need to address each type of security risk that may impact the various layers and services within a Kubernetes cluster.

Kube-hunter is an open-source Kubernetes security tool managed by Aqua Security that allows administrators, operators, and security teams to identify weaknesses in their deployments and resolve those issues before attackers can exploit them.

‍

How does Kube-hunter work?
What kind of tests does Kube-hunter run?
How to install and run Kube-hunter
How to interpret Kube-hunter’s test results
Bonus tip for running Kube-hunter tests
Conclusion

‍

How Does Kube-hunter Work?

Kube-hunter probes a domain or address range for open Kubernetes-related ports and verifies any configuration issues by conducting a series of tests that scan potential open ports, which can expose your Kubernetes cluster to attacks.

By default, kube-hunter does not run active tests as they could be harmful to your cluster by doing state-changing operations. Instead, these active tests, or "active hunting" as they are commonly referred to, are meant to give an indication of what a hacker might be able to achieve on your cluster.

‍

What Kind of Tests Does Kube-hunter Run?

$ kube-hunter --list --active

Passive Hunters:

----------------

* API Service Discovery

Checks for the existence of K8s API Services

‍

* K8s Dashboard Discovery

Checks for the existence of a Dashboard

‍

* Etcd service

check for the existence of etcd service

‍

* Host Discovery when running as pod

Generates ip adresses to scan, based on cluster/scan type

‍

* Host Discovery

Generates ip adresses to scan, based on cluster/scan type

‍

* Kubectl Client Discovery

Checks for the existence of a local kubectl client

‍

* Kubelet Discovery

Checks for the existence of a Kubelet service, and its open ports

‍

* Port Scanning

Scans Kubernetes known ports to determine open endpoints for discovery

‍

* Proxy Discovery

Checks for the existence of a an open Proxy service

‍

* Kubelet Readonly Ports Hunter

Hunts specific endpoints on open ports in the readonly Kubelet server

‍

* Kubelet Secure Ports Hunter

Hunts specific endpoints on an open secured Kubelet

‍

* AKS Hunting

Hunting Azure cluster deployments using specific known configurations

‍

* API Server Hunter

Checks if API server is accessible

‍

* API Server Hunter

Accessing the API server using the service account token obtained from a compromised pod

‍

* Api Version Hunter

Tries to obtain the Api Server's version directly from /version endpoint

‍

* Pod Capabilities Hunter

Checks for default enabled capabilities in a pod

‍

* Certificate Email Hunting

Checks for email addresses in kubernetes ssl certificates

‍

* K8s CVE Hunter

Checks if Node is running a Kubernetes version vulnerable to specific important CVEs

‍

* Kubectl CVE Hunter

Checks if the kubectl client is vulnerable to specific important CVEs

‍

* Dashboard Hunting

Hunts open Dashboards, gets the type of nodes in the cluster

‍

* Etcd Remote Access

Checks for remote availability of etcd, its version, and read access to the DB

‍

* Mount Hunter - /var/log

Hunt pods that have write access to host's /var/log. in such case, the pod can traverse read files on the host machine

‍

* Proxy Hunting

Hunts for a dashboard behind the proxy

‍

* Access Secrets

Accessing the secrets accessible to the pod

‍

Active Hunters:

---------------

* Foothold Via Secure Kubelet Port

Attempts to demonstrate that a malicious actor can establish foothold into the cluster via a container abusing the configuration of the kubelet's secure port: authentication-auth=false.

‍

* Malicious Intent Via Secure Kubelet Port

Attempts to demonstrate that a malicious actor can leverage existing privileged containers exposed via the kubelet's secure port, due to anonymous auth enabled misconfiguration, such that a process can be started or modified on the host.

‍

* Kubelet Run Hunter

Executes uname inside of a random container

‍

* Kubelet Container Logs Hunter

Retrieves logs from a random container

‍

* Kubelet System Logs Hunter

Retrieves commands from host's system audit

‍

* Azure SPN Hunter

Gets the azure subscription file on the host by executing inside a container

‍

* API server hunter

Accessing the api server might grant an attacker full control over the cluster

‍

* Arp Spoof Hunter

Checks for the possibility of running an ARP spoof attack from within a pod (results are based on the running node)

‍

* DNS Spoof Hunter

Checks for the possibility for a malicious pod to compromise DNS requests of the cluster (results are based on the running node)

‍

* Etcd Remote Access

Checks for remote write access to etcd, will attempt to add a new key to the etcd DB

‍

* Prove /var/log Mount Hunter

Tries to read /etc/shadow on the host by running commands inside a pod with host mount to /var/log

‍

* Build Date Hunter

Hunts when proxy is exposed, extracts the build date of kubernetes

‍

* K8s Version Hunter

Hunts Proxy when exposed, extracts the version

‍

How to Install and Run Kube-hunter

CLI

Aqua Security provides a Python package you can install with pip on your machine. Make sure that you have Python 3 and pip installed then simply run:

   
pip install kube-hunter

To run Kube-hunter, you will be prompted to choose one of the 3 scanning options:

   
Choose one of the options below:
1. Remote scanning      (scans one or more specific IPs or DNS names)
2. Interface scanning   (scans subnets on all local network interfaces)
3. IP range scanning    (scans a given IP range)

By default, the results will be dispatched to stdout but you can use http. For instance, to configure http to dispatch the outputs , set the following environment variables:

‍

KUBEHUNTER_HTTP_DISPATCH_URL (defaults to https://localhost)
KUBEHUNTER_HTTP_DISPATCH_METHOD (defaults to: POST)

‍

Docker Container

You may also run Kube-hunter through a container. It's a great option if you want to get a nicer output to review the results on a Web UI. Simply run this command:

   
docker run -it --rm --network host aquasec/kube-hunter

Once you run that docker command, it will spin up a container and run the CLI inside that container. You will see a public URL that is associated with the unique token they provide to review the results.

   
Report will be available at:
+----------------------------+
| https://kube-hunter.aquasec.com/report.html?token=ABC123.ABC123 |
+----------------------------+

Kube-hunter Vulnerability Test Results for a MiniKube Cluster

The screenshot above is based on testing a Minikube cluster.

Pod

This is the option you need to follow if the external IP of your nodes isn't accessible from where you are running Kube-hunter.

   
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-hunter
spec:
  template:
    spec:
      containers:
        - name: kube-hunter
          image: aquasec/kube-hunter
          command: ["kube-hunter"]
          args: ["--pod"]
      restartPolicy: Never
  backoffLimit: 4

‍

How to Interpret Kube-hunter’s Configuration Test Results

Kube-hunter Configuration Test Results Interface

This is an example of the kind of results that you will get. To better understand them and the suggested fix for each vulnerability, copy-paste the vulnerability ID provided in the results to https://avd.aquasec.com/

Example with KHV002:

Kube-Hunter Vulnerability Fixes Interface

‍

Bonus Tip for Running Kube-hunter Tests

If you feel like there aren't enough tests, we highly recommend that you develop your own modules and the good news is that Aqua Security has a contribution guideline to help you out.

‍

Conclusion

Kube-hunter is an amazing Kubernetes penetration testing tool. Essentially, you can run Kube-hunter on any machine (including your laptop), select Remote scanning, and give the IP address or domain name of your Kubernetes cluster. This will give you an attacker's eye-view of your Kubernetes setup. With the widespread use and reliance on Kubernetes, we believe it is necessary to ensure your cluster isn't at risk of any security issues.

Blog