Skip to content
/ kube-hunter Public
forked from aquasecurity/kube-hunter

Hunt for security weaknesses in Kubernetes clusters

License

Apache-2.0 license
0 stars 589 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

flarno11/kube-hunter

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

59 Commits
report
report
 
 
src
src
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
kube-hunter.py
kube-hunter.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Kube Hunter

Kube Hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments.

Developers, please read Guidelines For Developing Your First Kube Hunter Module TODO

Hunting

By default, without any special flags, Kube Hunter will scan all of your machine's network interfaces for open Kubernetes services.

To specify a specific cidr to scan, use the --cidr option. Example:
./kube-hunter.py --cidr 192.168.0.0/24

To specify remote machines for hunting, you can use the --remote option. Example:
./kube-hunter.py --remote some.node.com

Active Hunting

Active hunting is an option in which Kube Hunter will exploit vulnerabilities it finds, in order to explore for further vulnerabilities. The main difference between normal and active hunting is that a normal hunt will never change state of the cluster, while active hunting can potentially do state-changing and harmful operations on the cluster. When active, evidence of vulnerabilities will be added to the final report. To active hunt a cluster, use the --active flag. Example:
./kube-hunter.py --remote some.domain.com --active

Output

To control logging, you can specify a log level, using the --log option. Example:
./kube-hunter.py --active --log WARNING
Available log levels are:

DEBUG
INFO (default)
WARNING

--
To see only a mapping of your nodes network, run with --mapping option. Example:
./kube-hunter.py --cidr 192.168.0.0/24 --mapping
This will output all the Kubernetes nodes Kube Hunter has found.

Deployment

There are three methods for deploying Kube Hunter:

On Machine

Installation

Requirements:
  • python 2.7
  • pip

Installing modules:

cd ./kube-hunter
pip install -r requirements.txt

Running:
./kube-hunter.py

Container

To run Kube Hunter as a container:

Linux:
docker run --rm --network host aquasec/kube-hunter
Windows/Mac:
docker run --rm aquasec/kube-hunter --cidr 192.168.0.0/24

Note for Docker for Mac/Windows: You'll need to specify the CIDR because of the VM that Docker for Mac/Windows runs in.

Pod

This option lets you discover what running a malicious container can do/discover on your cluster.
Kube Hunter will scan your cluster from the inside, using default Kubernetes pod access settings. This may reveal significantly more vulnerabilities. To run Kube Hunter as a pod, kubectl create the following yaml file.

---
apiVersion: v1
kind: Pod
metadata:
  name: kube-hunter
spec:
  containers:
  - name: kube-hunter
    image: aquasec/kube-hunter
    command: ["python", "kube-hunter.py"]
    args: ["--pod"]
  restartPolicy: Never   # for Kube Hunter to hunt once

About

Hunt for security weaknesses in Kubernetes clusters

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 99.7%
  • Dockerfile 0.3%