From outside the cluster, kube-hunter probes a domain or address range for open Kubernetes-related ports, and tests for any configuration issues that leave your cluster exposed to attackers. You’ll get a full report that highlights these security concerns. The source code is available on GitHub and we welcome contributions to extend the set of tests.
Start by running kube-hunter as a container on any machine outside your cluster, and when prompted, give it the domain name or IP address of the cluster. This gives an attacker's-eye view of your Kubernetes setup.
You can run kube-hunter on a machine in the cluster, and select the option to probe all the local network interfaces.
You can also run kube-hunter as a pod within the cluster. The report will give you an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).
Kube-hunter tests are classified into “passive” and “active”, and by default kube-hunter only runs passive tests (or “hunters”).
A passive hunter will never change the state of the cluster, while an active hunter can potentially perform state-changing operations on the cluster, which could be harmful (for example, the etcd write hunter will attempt to write new keys). If you also want to run the active hunters you need to pass --active when running the command.
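The three scan modes above (a remote target, an address range from a machine inside the cluster, or all local interfaces), the opt-in --active switch and the JSON report can be tied together into a CI gate. The following script is an added example and is not part of kube-hunter itself: it composes the kube-hunter command line from the CLI flags the project documents (--remote, --cidr, --interface, --active, --report json, --log none), runs it, and fails the build when findings reach a severity threshold. The report layout it parses (a top-level "vulnerabilities" list whose entries carry vid, severity, category, vulnerability, location and hunter fields) is assumed from kube-hunter's JSON reporter and should be checked against the version you run; the embedded report is constructed sample data, not real scanner output, and its severities are illustrative.

```python
"""CI gate around kube-hunter: build the command, run it, fail on severity.

Added example, not kube-hunter's own code. The JSON layout below is an
assumption about kube-hunter's json reporter; verify against your version.
"""
import argparse
import json
import subprocess
import sys

# kube-hunter reports low / medium / high; rank them so a threshold can be applied.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample report shaped like kube-hunter's JSON output. The vid values
# name real kube-hunter knowledge-base entries, but the locations and severities
# here are illustrative only.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.5"}],
    "services": [
        {"service": "Kubelet API", "location": "10.0.0.5:10250"},
        {"service": "API Server", "location": "10.0.0.5:6443"},
    ],
    "vulnerabilities": [
        {"location": "10.0.0.5:10250", "vid": "KHV036", "category": "Remote Code Execution",
         "severity": "high", "vulnerability": "Anonymous Authentication",
         "evidence": "", "hunter": "Kubelet Secure Ports Hunter"},
        {"location": "10.0.0.5:6443", "vid": "KHV002", "category": "Information Disclosure",
         "severity": "medium", "vulnerability": "K8s Version Disclosure",
         "evidence": "v1.24.0", "hunter": "K8s CVE Hunter"},
        {"location": "10.0.0.5:6443", "vid": "KHV005", "category": "Information Disclosure",
         "severity": "low", "vulnerability": "Access to API using service account token",
         "evidence": "", "hunter": "API Server Hunter"},
    ],
})


def build_command(target, *, mode="remote", active=False, docker=True):
    """Compose the kube-hunter invocation for one scan mode.

    mode: "remote" (target is a hostname or IP), "cidr" (target is an address
    range) or "interface" (scan every local interface; target is ignored).
    active is off by default, matching kube-hunter's own default of passive-only.
    """
    if mode == "remote":
        mode_args = ["--remote", target]
    elif mode == "cidr":
        mode_args = ["--cidr", target]
    elif mode == "interface":
        mode_args = ["--interface"]
    else:
        raise ValueError(f"unknown scan mode: {mode}")
    # --network host lets the container see the host's interfaces for interface mode.
    prefix = (["docker", "run", "--rm", "--network", "host", "aquasec/kube-hunter"]
              if docker else ["kube-hunter"])
    cmd = prefix + mode_args + ["--report", "json", "--log", "none"]
    if active:
        cmd.append("--active")  # opt in to state-changing hunters
    return cmd


def run_scan(cmd, timeout=900):
    """Run kube-hunter and return stdout, which holds the JSON report. Needs Docker/kube-hunter."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def parse_report(report_json):
    """Normalise the findings from a kube-hunter JSON report (layout assumed, see lead-in)."""
    report = json.loads(report_json)
    findings = []
    for v in report.get("vulnerabilities", []):
        sev = str(v.get("severity", "low")).lower()
        findings.append({
            "vid": v.get("vid", ""), "severity": sev, "rank": SEVERITY_RANK.get(sev, 0),
            "category": v.get("category", ""), "vulnerability": v.get("vulnerability", ""),
            "location": v.get("location", ""), "hunter": v.get("hunter", ""),
        })
    return findings


def summarize(findings):
    """Count findings per severity so the CI log shows the overall picture."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def gate(findings, fail_on="medium"):
    """Return the findings at or above the threshold, worst first; non-empty means fail."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if f["rank"] >= threshold]
    blocking.sort(key=lambda f: (-f["rank"], f["vid"]))
    return blocking


def main(argv):
    ap = argparse.ArgumentParser(description="Gate a pipeline on kube-hunter findings")
    ap.add_argument("target", nargs="?", default="", help="host/IP or CIDR (ignored for interface mode)")
    ap.add_argument("--mode", choices=["remote", "cidr", "interface"], default="remote")
    ap.add_argument("--active", action="store_true", help="also run active (state-changing) hunters")
    ap.add_argument("--fail-on", choices=list(SEVERITY_RANK), default="medium")
    ap.add_argument("--no-docker", action="store_true", help="use a locally installed kube-hunter")
    args = ap.parse_args(argv)
    cmd = build_command(args.target, mode=args.mode, active=args.active, docker=not args.no_docker)
    findings = parse_report(run_scan(cmd))
    print("findings by severity:", summarize(findings))
    blocking = gate(findings, args.fail_on)
    for f in blocking:
        print(f"{f['severity'].upper():6} {f['vid']:8} {f['location']:22} {f['vulnerability']} ({f['hunter']})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running it as `python gate.py 10.0.0.5 --fail-on high` gives the remote, passive-only scan from the first paragraph; add `--active` only on a cluster you are allowed to modify, since the active hunters really do change state. The in-pod mode is not covered here because in that case kube-hunter itself runs inside the cluster (as a pod with --pod), so the gate would read the pod's logs rather than launch the scanner.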
Here's the set of currently implemented tests in kube-hunter. If you have ideas for additional tests we would love you to suggest them through issues or even pull requests in the kube-hunter GitHub repo.
Checks for email addresses in Kubernetes SSL certificates
Hunts for a dashboard behind the proxy
Hunts open Dashboards, gets the type of nodes in the cluster
Checks for the existence of an API Server
Hunts specific endpoints on open ports in the read-only Kubelet server
Scans Kubernetes known ports to determine open endpoints for discovery
Hunts Azure cluster deployments using specific known configurations
Checks for the existence of a Dashboard
Checks for the existence of an open Proxy service
Generates IP addresses to scan, based on cluster/scan type
Checks for the existence of a Kubelet service, and its open ports
Hunts specific endpoints on an open secured Kubelet
Hunts for accessible etcd read access
Retrieves logs from a random container
Hunts Proxy when exposed, extracts the version
Executes uname inside of a random container
Hunts when proxy is exposed, extracts the build date of Kubernetes
Gets the Azure subscription file on the host by executing inside a container
Hunts for accessible etcd write access, will attempt to write new keys