kube-hunter is an open-source tool that hunts for security issues in your Kubernetes clusters. It’s designed to increase awareness and visibility of the security controls in Kubernetes environments.


How does kube-hunter work?

From outside the cluster, kube-hunter probes a domain or address range for open Kubernetes-related ports, and tests for any configuration issues that leave your cluster exposed to attackers. You’ll get a full report that highlights these security concerns. The source code is available on GitHub and we welcome contributions to extend the set of tests.

Where does kube-hunter run?

Start by running kube-hunter as a container on any machine outside your cluster, and when prompted, give it the domain name or IP address of the cluster. This gives an attacker's-eye view of your Kubernetes setup.

You can run kube-hunter on a machine in the cluster, and select the option to probe all the local network interfaces.

You can also run kube-hunter as a pod within the cluster. The report will give you an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).

What tests does kube-hunter run?

Kube-hunter tests are classified into “passive” and “active”, and by default kube-hunter only runs passive tests (or “hunters”).

A passive hunter will never change the state of the cluster, while an active hunter can potentially perform state-changing operations on the cluster, which could be harmful. If you also want to run the active hunters, you need to specify `--active` when running the command.

Here’s the set of currently implemented tests in kube-hunter. If you have ideas for additional tests, we would love for you to suggest them through issues or even pull requests in the kube-hunter GitHub repo.

Passive Tests

  • Certificate Email Hunting

    Checks for email addresses in Kubernetes SSL certificates

  • Proxy Hunting

    Hunts for a dashboard behind the proxy

  • Dashboard Hunting

    Hunts open Dashboards, gets the type of nodes in the cluster

  • API Server Discovery

    Checks for the existence of an API Server

  • Kubelet Readonly Ports Hunter

    Hunts specific endpoints on open ports in the readonly Kubelet server

  • Port Scanning

    Scans Kubernetes known ports to determine open endpoints for discovery

  • AKS Hunting

    Hunts Azure cluster deployments using specific known configurations

  • K8s Dashboard Discovery

    Checks for the existence of a Dashboard

  • Proxy Discovery

    Checks for the existence of an open Proxy service

  • Host Discovery

    Generates IP addresses to scan, based on cluster/scan type

  • Kubelet Discovery

    Checks for the existence of a Kubelet service, and its open ports

  • Kubelet Secure Ports Hunter

    Hunts specific endpoints on an open secured Kubelet

  • Remote Etcd Unauthorized Read Access Hunter

    Hunts for accessible etcd read access

Active Tests

  • Kubelet Container Logs Hunter

    Retrieves logs from a random container

  • K8s Version Hunter

    Hunts Proxy when exposed, extracts the version

  • Kubelet Run Hunter

    Executes uname inside of a random container

  • Build Date Hunter

    Hunts when the proxy is exposed, extracts the build date of Kubernetes

  • Azure SPN Hunter

    Gets the Azure subscription file on the host by executing inside a container

  • Remote Etcd Unauthorized Write Access Hunter

    Hunts for accessible etcd write access; will attempt to write new keys
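The passive/active split above matters when you read a report: findings from active hunters only appear if the scan was run with `--active`, and those hunters may have changed cluster state. The script below is an added example, not part of kube-hunter or this page, that triages a kube-hunter JSON report (the kind produced by its `--report json` option) by severity and labels each finding with the hunter class from the two lists above. The report field names (`nodes`, `services`, `vulnerabilities`, and per-finding `severity`, `hunter`, `vulnerability`, `location`, `vid`) follow the kube-hunter JSON report format as I know it and should be treated as an assumption if your version differs; the sample report, its `KHV-SAMPLE-*` ids, and all addresses are constructed.

```python
"""Triage a kube-hunter JSON report: sort findings by severity and flag any
that were produced by active hunters (which only run when --active is given).
Added example; not kube-hunter's own code."""
import json
from collections import Counter

# Hunter names exactly as listed on the page, used to classify each finding.
PASSIVE_HUNTERS = {
    "Certificate Email Hunting", "Proxy Hunting", "Dashboard Hunting",
    "API Server Discovery", "Kubelet Readonly Ports Hunter", "Port Scanning",
    "AKS Hunting", "K8s Dashboard Discovery", "Proxy Discovery",
    "Host Discovery", "Kubelet Discovery", "Kubelet Secure Ports Hunter",
    "Remote Etcd Unauthorized Read Access Hunter",
}
ACTIVE_HUNTERS = {
    "Kubelet Container Logs Hunter", "K8s Version Hunter", "Kubelet Run Hunter",
    "Build Date Hunter", "Azure SPN Hunter",
    "Remote Etcd Unauthorized Write Access Hunter",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample in the shape of a kube-hunter `--report json` output.
# Field names are an assumption about the report format; ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.5"}],
    "services": [
        {"service": "Kubelet API", "location": "10.0.0.5:10250"},
        {"service": "Etcd", "location": "10.0.0.5:2379"},
    ],
    "vulnerabilities": [
        {"location": "10.0.0.5:10255", "vid": "KHV-SAMPLE-3", "severity": "low",
         "vulnerability": "Exposed Pods", "hunter": "Kubelet Readonly Ports Hunter"},
        {"location": "10.0.0.5:2379", "vid": "KHV-SAMPLE-1", "severity": "high",
         "vulnerability": "Etcd Remote Read Access",
         "hunter": "Remote Etcd Unauthorized Read Access Hunter"},
        {"location": "10.0.0.5:8001", "vid": "KHV-SAMPLE-2", "severity": "medium",
         "vulnerability": "K8s Version Disclosure", "hunter": "K8s Version Hunter"},
    ],
})


def parse_report(text: str) -> dict:
    """Load the JSON report and check that the three expected lists are present."""
    report = json.loads(text)
    for key in ("nodes", "services", "vulnerabilities"):
        if not isinstance(report.get(key), list):
            raise ValueError(f"report is missing list field {key!r}")
    return report


def classify_hunter(name: str) -> str:
    """Map a hunter name to 'passive', 'active', or 'unknown' (not on the page's lists)."""
    if name in PASSIVE_HUNTERS:
        return "passive"
    if name in ACTIVE_HUNTERS:
        return "active"
    return "unknown"


def triage(report: dict) -> dict:
    """Sort findings high -> low, count per severity, and separate active-hunter findings."""
    findings = sorted(
        report["vulnerabilities"],
        key=lambda v: (SEVERITY_ORDER.get(str(v.get("severity", "")).lower(), 3),
                       v.get("location", "")),
    )
    by_severity = Counter(str(v.get("severity", "unknown")).lower() for v in findings)
    active = [v for v in findings if classify_hunter(v.get("hunter", "")) == "active"]
    unknown = sorted({v.get("hunter", "") for v in findings
                      if classify_hunter(v.get("hunter", "")) == "unknown"})
    return {
        "findings": findings,
        "by_severity": dict(by_severity),
        "active_findings": active,
        "unknown_hunters": unknown,
        "exposed_services": sorted(s.get("service", "") for s in report["services"]),
    }


def format_summary(result: dict) -> str:
    """Render a short text summary, noting when active hunters contributed findings."""
    lines = [f"{sev}: {result['by_severity'].get(sev, 0)}" for sev in ("high", "medium", "low")]
    for v in result["findings"]:
        mode = classify_hunter(v.get("hunter", ""))
        lines.append(f"[{str(v.get('severity', '?')).upper()}] {v.get('vulnerability')} "
                     f"at {v.get('location')} ({mode}: {v.get('hunter')})")
    if result["active_findings"]:
        lines.append(f"note: {len(result['active_findings'])} finding(s) came from active "
                     "hunters; this scan ran with --active and may have changed cluster state")
    if result["unknown_hunters"]:
        lines.append("unknown hunters: " + ", ".join(result["unknown_hunters"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(triage(parse_report(SAMPLE_REPORT))))
```

Point it at a real report with `python triage.py < report.json` after replacing `SAMPLE_REPORT` with `sys.stdin.read()`; the "unknown hunters" line is the signal to update the two name sets when a newer kube-hunter adds tests not on this page.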