Kubernetes is the most widely used container orchestration system, with countless companies building on and migrating to this open-source technology. According to the Cloud Native Computing Foundation's 2021 survey, 96% of participants were either using or evaluating Kubernetes. Wider adoption also means teams need to address the security risks that touch each layer and service of a Kubernetes cluster: the API server, the kubelet, etcd, the dashboard and the workloads themselves.
Kube-hunter is an open-source Kubernetes security tool maintained by Aqua Security that lets administrators, operators and security teams identify weaknesses in their deployments and fix them before attackers can exploit them.
Table of Contents
- How does Kube-hunter work?
- What kind of tests does Kube-hunter run?
- How to install and run Kube-hunter
- How to interpret Kube-hunter’s test results
- Bonus tip for running Kube-hunter tests
- Conclusion
How Does Kube-hunter Work?
Kube-hunter probes a domain name, IP address or address range for open Kubernetes-related ports (API server, kubelet, etcd, dashboard, proxy) and then runs a series of "hunters" against whatever it finds to verify misconfigurations that would expose the cluster to attack. Hunters are organised as a pipeline of events: discovery hunters find services, and each service found triggers the hunters that know how to test it.
By default, kube-hunter runs only passive hunters: discovery and read-only checks that do not change cluster state. Active hunters, enabled with the --active flag, go a step further and attempt state-changing operations to prove that a finding is exploitable, for example executing a command inside a container through a kubelet that allows anonymous access, or writing a key into etcd. "Active hunting" shows what an attacker could actually achieve, so run it only against clusters you are authorised to test and can afford to disturb, never blindly against production.
What Kind of Tests Does Kube-hunter Run?
$ kube-hunter --list --active
Passive Hunters:
----------------
* API Service Discovery
Checks for the existence of K8s API Services
* K8s Dashboard Discovery
Checks for the existence of a Dashboard
* Etcd service
check for the existence of etcd service
* Host Discovery when running as pod
Generates ip addresses to scan, based on cluster/scan type
* Host Discovery
Generates ip addresses to scan, based on cluster/scan type
* Kubectl Client Discovery
Checks for the existence of a local kubectl client
* Kubelet Discovery
Checks for the existence of a Kubelet service, and its open ports
* Port Scanning
Scans Kubernetes known ports to determine open endpoints for discovery
* Proxy Discovery
Checks for the existence of an open Proxy service
* Kubelet Readonly Ports Hunter
Hunts specific endpoints on open ports in the readonly Kubelet server
* Kubelet Secure Ports Hunter
Hunts specific endpoints on an open secured Kubelet
* AKS Hunting
Hunting Azure cluster deployments using specific known configurations
* API Server Hunter
Checks if API server is accessible
* API Server Hunter
Accessing the API server using the service account token obtained from a compromised pod
* Api Version Hunter
Tries to obtain the Api Server's version directly from /version endpoint
* Pod Capabilities Hunter
Checks for default enabled capabilities in a pod
* Certificate Email Hunting
Checks for email addresses in kubernetes ssl certificates
* K8s CVE Hunter
Checks if Node is running a Kubernetes version vulnerable to specific important CVEs
* Kubectl CVE Hunter
Checks if the kubectl client is vulnerable to specific important CVEs
* Dashboard Hunting
Hunts open Dashboards, gets the type of nodes in the cluster
* Etcd Remote Access
Checks for remote availability of etcd, its version, and read access to the DB
* Mount Hunter - /var/log
Hunt pods that have write access to host's /var/log. in such case, the pod can traverse read files on the host machine
* Proxy Hunting
Hunts for a dashboard behind the proxy
* Access Secrets
Accessing the secrets accessible to the pod
Active Hunters:
---------------
* Foothold Via Secure Kubelet Port
Attempts to demonstrate that a malicious actor can establish foothold into the cluster via a container abusing the configuration of the kubelet's secure port: authentication-auth=false.
* Malicious Intent Via Secure Kubelet Port
Attempts to demonstrate that a malicious actor can leverage existing privileged containers exposed via the kubelet's secure port, due to anonymous auth enabled misconfiguration, such that a process can be started or modified on the host.
* Kubelet Run Hunter
Executes uname inside of a random container
* Kubelet Container Logs Hunter
Retrieves logs from a random container
* Kubelet System Logs Hunter
Retrieves commands from host's system audit
* Azure SPN Hunter
Gets the azure subscription file on the host by executing inside a container
* API server hunter
Accessing the api server might grant an attacker full control over the cluster
* Arp Spoof Hunter
Checks for the possibility of running an ARP spoof attack from within a pod (results are based on the running node)
* DNS Spoof Hunter
Checks for the possibility for a malicious pod to compromise DNS requests of the cluster (results are based on the running node)
* Etcd Remote Access
Checks for remote write access to etcd, will attempt to add a new key to the etcd DB
* Prove /var/log Mount Hunter
Tries to read /etc/shadow on the host by running commands inside a pod with host mount to /var/log
* Build Date Hunter
Hunts when proxy is exposed, extracts the build date of kubernetes
* K8s Version Hunter
Hunts Proxy when exposed, extracts the version
How to Install and Run Kube-hunter
CLI
Aqua Security publishes kube-hunter as a Python package. Make sure you have Python 3 and pip installed, then run:
$ pip install kube-hunter
Running kube-hunter without arguments prompts you to choose one of three scanning modes; each can also be selected directly with a flag:
- Remote scanning (--remote): scans one or more specific IP addresses or DNS names, e.g. kube-hunter --remote some.node.example.com
- Interface scanning (--interface): scans the subnets of all local network interfaces
- IP range scanning (--cidr): scans a given IP range, e.g. kube-hunter --cidr 192.168.0.0/24
Add --active to any of these to enable active hunting.
By default, the results are printed to stdout as a plain-text table; --report json or --report yaml changes the format, and --dispatch http sends the report to an HTTP endpoint instead of printing it. For the HTTP dispatcher, set the following environment variables:
- KUBEHUNTER_HTTP_DISPATCH_URL (defaults to https://localhost)
- KUBEHUNTER_HTTP_DISPATCH_METHOD (defaults to POST)
Docker Container
You may also run kube-hunter from its container image, which avoids installing Python on the host. Use host networking so the scan sees the same interfaces and routes the host does:
$ docker run -it --rm --network host aquasec/kube-hunter
This spins up a container and runs the same CLI, with the same prompt and flags, inside it. The page describes a nicer option of reviewing the results in a Web UI: you will see a public URL tied to a unique token where the results can be reviewed. Keep in mind that this sends your scan results, which enumerate the cluster's exposed services and weaknesses, off-box; for real clusters prefer stdout or your own --dispatch http endpoint.
The screenshot above is based on testing a Minikube cluster.
Pod
This is the option to use when the addresses of your nodes aren't reachable from where you are running kube-hunter, and also when you want to see what an attacker who has compromised a pod could reach. Kube-hunter runs as a Kubernetes Job with the --pod flag and scans from the pod's network position, using the pod's service account token and any host mounts it was given, which is exactly what the service-account, secrets and /var/log hunters listed above test.
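An in-cluster Job manifest for this mode, added here as an example rather than copied from the kube-hunter repository (the project ships its own job.yaml; compare against it). The namespace name, the image tag and the TTL are assumptions: pin the tag to a release you have vetted.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-hunter
  namespace: kube-hunter          # assumption: a dedicated namespace created beforehand
spec:
  backoffLimit: 0                 # one attempt; a failed scan should not be retried blindly
  ttlSecondsAfterFinished: 3600   # delete the finished pod after an hour
  template:
    metadata:
      labels:
        app: kube-hunter
    spec:
      restartPolicy: Never
      containers:
        - name: kube-hunter
          image: aquasec/kube-hunter:0.6.8   # assumption: pin to the release you have vetted
          command: ["kube-hunter"]
          # --pod scans from inside the cluster; no --active, so nothing state-changing runs
          args: ["--pod", "--report", "json"]
```

Create the namespace, apply the manifest, and read the report with kubectl -n kube-hunter logs job/kube-hunter; delete the namespace when you are done so the scanner pod does not linger. The pod deliberately runs with the namespace's default service account and no extra privileges: that is the position a compromised workload would start from, and granting the Job more would inflate the findings.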
How to Interpret Kube-hunter’s Configuration Test Results
Each finding in the results carries a vulnerability ID of the form KHVnnn, the location where it was observed (host:port, or the pod for in-cluster checks), a category, a short description and the evidence kube-hunter collected. To understand a finding and the suggested fix, look up its ID in the Aqua Vulnerability Database at https://avd.aquasec.com/; the kube-hunter entries live under https://avd.aquasec.com/kube-hunter/ followed by the ID in lower case.
Example with KHV002: this ID is "K8s Version Disclosure", raised by the Api Version Hunter when the API server answers the /version endpoint for an unauthenticated request. The version string on its own is not a compromise, but it lets an attacker select the CVEs that apply to that exact release (the K8s CVE Hunter performs the same matching from the defender's side), so treat it as a prompt to restrict unauthenticated access to the API server and to patch. The entry at https://avd.aquasec.com/kube-hunter/khv002/ describes the finding and the recommended remediation.
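Because the results are most useful when they feed a workflow rather than a screenshot, here is an added example (not kube-hunter's own code) that receives a report sent with --report json --dispatch http, sorts the findings by severity, attaches the AVD link for each KHV ID and acts as a simple gate for a scheduled scan. It assumes the JSON reporter's shape: a top-level "vulnerabilities" list whose entries carry "vid", "severity", "vulnerability", "location" and "hunter" keys; check that against your own --report json output before relying on it. The sample report embedded at the bottom is constructed, and its severities are illustrative rather than kube-hunter's actual classification.

```python
"""Triage a kube-hunter JSON report and act as a receiver for --dispatch http.

Added example, not kube-hunter's own code. Assumptions (verify against your
own `kube-hunter --report json` output): the report is a JSON object whose
"vulnerabilities" list holds dicts with "vid", "severity", "vulnerability",
"location" and "hunter" keys, and that AVD pages live at
https://avd.aquasec.com/kube-hunter/<khv id in lower case>/.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

AVD_BASE = "https://avd.aquasec.com/kube-hunter/"
# Highest severity first; anything unrecognised sorts last.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
UNRANKED = len(SEVERITY_RANK)


def avd_url(vid):
    """AVD page for a KHV id, or None for findings without one (kube-hunter
    reports the string "None" for hunters that have no assigned id)."""
    vid = (vid or "").strip()
    if not vid.upper().startswith("KHV"):
        return None
    return AVD_BASE + vid.lower() + "/"


def triage(report):
    """Normalise the findings and sort them highest severity first."""
    findings = []
    for item in report.get("vulnerabilities", []):
        vid = str(item.get("vid", "None"))
        findings.append({
            "vid": vid,
            "severity": str(item.get("severity", "unknown")).lower(),
            "name": item.get("vulnerability", ""),
            "location": item.get("location", ""),
            "hunter": item.get("hunter", ""),
            "avd": avd_url(vid),
        })
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], UNRANKED))
    return findings


def summarize(report):
    """Count findings per severity, e.g. {"high": 1, "medium": 1, "low": 1}."""
    counts = {}
    for f in triage(report):
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def fails_gate(report, threshold="high"):
    """True if any finding is at or above `threshold`; use it to fail a
    pipeline step after a scheduled scan."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f["severity"], UNRANKED) <= limit
               for f in triage(report))


def format_findings(report):
    """One line per finding, suitable for a ticket or a log line."""
    lines = []
    for f in triage(report):
        lines.append("%-8s %-7s %-32s %-28s %s" % (
            f["severity"], f["vid"], f["name"], f["location"], f["avd"] or "-"))
    return lines


class ReportReceiver(BaseHTTPRequestHandler):
    """Endpoint for KUBEHUNTER_HTTP_DISPATCH_URL. Run kube-hunter with
    `--report json --dispatch http` so the POST body is the JSON report."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            report = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        for line in format_findings(report):
            print(line)
        self.send_response(204)
        self.end_headers()


# Constructed sample report in the assumed shape; IDs and severities are illustrative.
SAMPLE_REPORT = {
    "nodes": [{"type": "Node/Master", "location": "192.168.49.2"}],
    "services": [{"service": "API Server", "location": "192.168.49.2:8443"}],
    "vulnerabilities": [
        {"location": "192.168.49.2:8443", "vid": "KHV002",
         "category": "Information Disclosure", "severity": "medium",
         "vulnerability": "K8s Version Disclosure",
         "evidence": "v1.27.4", "hunter": "Api Version Hunter"},
        {"location": "192.168.49.2:10250", "vid": "KHV036",
         "category": "Remote Code Execution", "severity": "high",
         "vulnerability": "Anonymous Authentication",
         "evidence": "", "hunter": "Kubelet Secure Ports Hunter"},
        {"location": "Local to Pod (kube-hunter-xyz)", "vid": "None",
         "category": "Access Risk", "severity": "low",
         "vulnerability": "CAP_NET_RAW Enabled",
         "evidence": "", "hunter": "Pod Capabilities Hunter"},
    ],
}

if __name__ == "__main__":
    for line in format_findings(SAMPLE_REPORT):
        print(line)
    # Then listen for real reports, e.g.:
    #   KUBEHUNTER_HTTP_DISPATCH_URL=http://127.0.0.1:8080/ \
    #   kube-hunter --remote <node> --report json --dispatch http
    HTTPServer(("127.0.0.1", 8080), ReportReceiver).serve_forever()
```

The receiver listens on loopback only; if the scanner runs elsewhere (for example the in-cluster Job), put it behind TLS and authentication, because a report is a ready-made map of the cluster's weak points. The "None" ID case matters in practice: several hunters raise findings without a KHV number, and a naive link builder would produce a broken AVD URL for them.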
Bonus Tip for Running Kube-hunter Tests
If the built-in hunters don't cover a check you need, you can write your own hunter modules: hunters are Python classes that subscribe to the events other hunters publish (a discovered service, an open port, a token found in a pod), so a new check slots into the existing pipeline. Aqua Security's contribution guidelines in the kube-hunter repository describe how to structure and submit one.
Conclusion
Kube-hunter is a practical Kubernetes penetration-testing tool. You can run it on any machine (including your laptop), select Remote scanning, and give the IP address or domain name of your cluster to get an attacker's-eye view of what is exposed, or run it as a pod to see what a compromised workload could reach. It is a point-in-time check rather than a substitute for hardening and monitoring, and active hunting should be reserved for clusters you are authorised to test; but with the widespread reliance on Kubernetes, regularly confirming that your cluster does not expose these known weaknesses is well worth the few minutes a scan takes.