kube-hunter v0.6.8 releases: Hunt for security weaknesses in Kubernetes clusters

Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster you don’t own!

Run kube-hunter: kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a website at kube-hunter.aquasec.com where you can register online to receive a token allowing you to see and share the results online. You can also run the Python code yourself as described below.



Where should I run kube-hunter?

Run kube-hunter on any machine (including your laptop), select Remote scanning and give the IP address or domain name of your Kubernetes cluster. This will give you an attackers-eye-view of your Kubernetes setup.

You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.

You can also run kube-hunter in a pod within the cluster. This gives an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).

Scanning options

By default, kube-hunter will open an interactive session, in which you will be able to select one of the following scan options. You can also specify the scan option manually from the command line. These are your options:

  1. Remote scanning To specify remote machines for hunting, select option 1 or use the –remote option. Example:
    ./kube-hunter.py --remote some.node.com
  2. Internal scanning To specify internal scanning, you can use the –internal option. (this will scan all of the machine’s network interfaces) Example:
    ./kube-hunter.py --internal
  3. Network scanning To specify a specific CIDR to scan, use the –cidr option. Example:
    ./kube-hunter.py --cidr

Active Hunting

Active hunting is an option in which Kube-hunter will exploit vulnerabilities it finds, in order to explore for further vulnerabilities. The main difference between normal and active hunting is that a normal hunt will never change the state of the cluster, while active hunting can potentially do state-changing operations on the cluster, which could be harmful.

By default, Kube-hunter does not do active hunting. To actively hunt a cluster, use the –active flag. Example:

./kube-hunter.py --remote some.domain.com --active

List of tests

You can see the list of tests with the –list option: Example:

./kube-hunter.py --list

To see active hunting tests as well as passive:

./kube-hunter.py --list --active


To control logging, you can specify a log level, using the –log option. Example:

./kube-hunter.py --active --log WARNING 

Available log levels are:

  • INFO (default)

To see only a mapping of your nodes network, run with –mapping option. Example: ./kube-hunter.py –cidr –mapping This will output all the Kubernetes nodes kube-hunter has found.

Changelog v0.6.8

Remove scapy usage (#500)

  • removed arp and dns hunters usage due to it’s violations of the scapy GPL2 license
  • added installation of arp and dns hunters to Dockerfile
  • added explicit new version to plugins in dockerfile installation
  • ignore B020 flake8

Fix: Removed automatic import of handler object (#506)

  • removed automatic import of handler object in events package and renamed handler.py to event_handler.py to solve name collision


Copyright (C) 2018 aquasecurity