Kube-hunter


Rachelle Kun

Aug 4, 2024, 5:04:34 PM8/4/24
to olperkitom
Run kube-hunter on any machine (including your laptop), select Remote scanning and give the IP address or domain name of your Kubernetes cluster. This will give you an attacker's-eye view of your Kubernetes setup.

You can also run kube-hunter in a pod within the cluster. This gives an indication of how exposed your cluster would be in the event that one of your application pods is compromised (through a software vulnerability, for example).


By default, kube-hunter will open an interactive session, in which you will be able to select one of the following scan options. You can also specify the scan option manually from the command line. These are your options:


Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, in order to explore for further vulnerabilities. The main difference between normal and active hunting is that a normal hunt will never change the state of the cluster, while active hunting can potentially do state-changing operations on the cluster, which could be harmful.


By default, the report will be dispatched to stdout, but you can specify different methods by using the --dispatch option. Example:

./kube-hunter.py --report json --dispatch http

Available dispatch methods are:


Aqua Security maintains a containerised version of kube-hunter at aquasec/kube-hunter. This container includes this source code, plus an additional (closed source) reporting plugin for uploading results into a report that can be viewed at kube-hunter.aquasec.com. Please note that running the aquasec/kube-hunter container and uploading reports data are subject to additional terms and conditions.


This option lets you discover what running a malicious container can do/discover on your cluster. This gives a perspective on what an attacker could do if they were able to compromise a pod, perhaps through a software vulnerability. This may reveal significantly more vulnerabilities.


Aqua Security has been actively participating in the open source community around Kubernetes security, including contributing significantly to the kube-bench project. We have followed that up with the release of the kube-hunter project, named for its ability to hunt for security weaknesses in Kubernetes clusters. Kube-hunter enables Kubernetes administrators, operators and security teams to identify weaknesses in their deployments and address those issues before attackers can exploit them.


Kubernetes is the most-used container orchestration system, with countless companies building on and migrating to this popular open-source technology. According to a study done by the Cloud Native Computing Foundation in 2021, 96% of the participants who took part in the survey were either using or evaluating Kubernetes. However, increased use also means teams need to address each type of security risk that may impact the various layers and services within a Kubernetes cluster.


Kube-hunter is an open-source Kubernetes security tool managed by Aqua Security that allows administrators, operators, and security teams to identify weaknesses in their deployments and resolve those issues before attackers can exploit them.


Kube-hunter probes a domain or address range for open Kubernetes-related ports and verifies any configuration issues by conducting a series of tests that scan potential open ports, which can expose your Kubernetes cluster to attacks.


By default, kube-hunter does not run active tests as they could be harmful to your cluster by doing state-changing operations. Instead, these active tests, or "active hunting" as they are commonly referred to, are meant to give an indication of what a hacker might be able to achieve on your cluster.


Attempts to demonstrate that a malicious actor can leverage existing privileged containers exposed via the kubelet's secure port, due to an anonymous-auth-enabled misconfiguration, such that a process can be started or modified on the host.


Once you run that docker command, it will spin up a container and run the CLI inside that container. You will see a public URL that is associated with the unique token they provide to review the results.


Kube-hunter is an amazing Kubernetes penetration testing tool. Essentially, you can run Kube-hunter on any machine (including your laptop), select Remote scanning, and give the IP address or domain name of your Kubernetes cluster. This will give you an attacker's-eye view of your Kubernetes setup. With the widespread use and reliance on Kubernetes, we believe it is necessary to ensure your cluster isn't at risk of any security issues.


We thought carefully before releasing kube-hunter about the potential use of this by the bad guys; but truth be told they probably already do similar kinds of tests through generic tools (e.g. port scanning). We want to arm Kubernetes administrators, operators and engineers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers.


Kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster you don't own!


In a nutshell, Kubernetes is a container orchestration tool and Docker is a containerization platform. Some of the most famous Kubernetes clusters managed by cloud providers include AWS EKS, Azure AKS, and Google GKE.


Dockerfile is a plain text file that contains a set of instructions that provides the specifications for creating a Docker image. Additionally, containers are the running instances of Docker images and Kubernetes supports Docker runtime.


Clair is an open source vulnerability static scanning tool for containers. The tool has multiple deployment modes and is best suited for high scalability and availability. Clair supports REST APIs and provides HTML scan reports. The Amazon Elastic Container Registry (Amazon ECR) uses the CVEs database from the Clair project and provides a list of findings.


In most situations, the best solution for resolving vulnerabilities reported by Clair is to either update the underlying operating system with the built-in package manager or to update to the latest version of your Docker images. If the volume of vulnerable packages is too much to manage, consider using a distroless base image.


In order to improve the security posture of Kubernetes, you need to regularly audit your deployment and perform security scans on the setup as per security benchmarks. This section is all about auditing and securing your Kubernetes clusters using various open source tools.


Kube-bench is an open source tool that checks if Kubernetes is deployed optimally according to the CIS Kubernetes Benchmark, which contains a set of Kubernetes security best practices. As such, kube-bench is best when required to scan only for CIS benchmarking purposes.


You can run kube-bench inside a pod. The GitHub repository contains cloud-specific job YAML files, and kube-bench will automatically determine which test set to run based on the Kubernetes version running on the machine.


Kubescape is an open source tool that checks if Kubernetes is deployed in accordance with almost all major compliance frameworks, including the NSA-CISA and MITRE ATT&CK, as well as DevSecOps best practices. Kubescape can also be integrated with CI tools.


Written in Python, kube-hunter is an open source penetration testing tool that enables you to write custom modules that can be executed from local machines, inside the cluster, and remotely in both active and passive mode.


Sysdig Falco is an open source runtime security solution used for continuous risk and threat detection across Kubernetes clusters. The tool acts as a security camera that continuously detects unexpected behavior, configuration changes, intrusions, and data theft in real time. Currently, Sysdig Falco is the only CNCF-approved open source solution for Kubernetes runtime security.


This blog post was created as part of the Mattermost Community Writing Program and is published under the CC BY-NC-SA 4.0 license. To learn more about the Mattermost Community Writing Program, check this out.


Raushan is a Lead Engineer at an AgriTech company. He has 8 years of experience in Information Security, Compliance, and Software Development. He's also an open source enthusiast and contributes to OWASP OSSAP. In his free time, he likes to work with GoogleVRP.


As Kubernetes is growing in popularity, the entry threshold draws ever lower. Sadly, security issues are still present, however. This article discusses two Open Source tools for auditing cluster security by renowned experts in this field, Aqua Security.


kube-bench is a Go application that checks whether a Kubernetes cluster meets the CIS Kubernetes Benchmark guidelines. The project boasts a rich history (it was started on GitHub back in 2017) and has many loyal followers (as its 4500 stars can attest).


Furthermore, there is also a ready-made manifest for running kube-bench in a cluster. In this case, two instances of kube-bench (each with its own set of input parameters) must be run to render the testing valid: one on the master node and another on the worker node. However, the manifest provided by the developers only performs a small subset of the available tests.


The tool works out of the box, so there is no need to configure it. You can disable the unnecessary tests or add your own by modifying configuration files in the ./cfg/ directory. In our case, according to the documentation, the CIS 1.20 configuration was used when we ran tests in the Kubernetes 1.19 cluster.


For instance, for 4.2.6, kube-bench suggests passing the --protect-kernel-defaults=true flag to the kubelet when starting. However, you should keep in mind that once this flag is activated, the kubelet will no longer be able to make changes to sysctl. This will result in it becoming dysfunctional until you manually correct the inconsistencies.


As a provisional conclusion regarding kube-bench, I would like to laud its easy and flexible operation, its extensive support and periodic updates, its wide range of checks, and clear recommendations on what to do to make your cluster secure. However, I would like to reiterate the dangers of mindlessly following the recommendations.
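As an added example (not code from the post or from the kube-hunter project), here is a small Python script that consumes a kube-hunter JSON report of the kind produced by --report json, tallies findings by severity, and turns the result into a pass/fail gate for a CI pipeline or a scheduled remote scan. The report layout (a "vulnerabilities" list with vid, severity, category and location keys) and the sample findings are assumptions constructed for the example.

```python
import json
from collections import Counter

# Constructed sample in the shape of a kube-hunter JSON report (assumption:
# real reports carry a "vulnerabilities" list with these keys; vids here are
# placeholders). A real report comes from e.g.:
#   kube-hunter --remote <cluster-ip-or-domain> --report json
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.1"}],
    "services": [{"service": "Kubelet API", "location": "10.0.0.1:10250"}],
    "vulnerabilities": [
        {"location": "10.0.0.1:10250", "vid": "KHV-EXAMPLE-1",
         "category": "Information Disclosure", "severity": "medium"},
        {"location": "10.0.0.1:10250", "vid": "KHV-EXAMPLE-2",
         "category": "Remote Code Execution", "severity": "high"},
        {"location": "10.0.0.1:6443", "vid": "KHV-EXAMPLE-3",
         "category": "Access Risk", "severity": "low"},
    ],
})

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

def load_findings(report_json):
    """Parse a JSON report and return its findings (empty list if none)."""
    return json.loads(report_json).get("vulnerabilities", [])

def summarize(findings):
    """Count findings per severity, e.g. {'medium': 1, 'high': 1, 'low': 1}."""
    return dict(Counter(f.get("severity", "unknown").lower() for f in findings))

def findings_at_or_above(findings, threshold):
    """Return findings whose severity is at least `threshold`, worst first."""
    floor = SEVERITY_RANK[threshold]
    hits = [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "").lower(), 0) >= floor]
    return sorted(hits, key=lambda f: -SEVERITY_RANK[f["severity"].lower()])

def gate(report_json, threshold="high"):
    """CI gate: True means the scan passes (nothing at or above `threshold`)."""
    return not findings_at_or_above(load_findings(report_json), threshold)

if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print("severity counts:", summarize(findings))
    for f in findings_at_or_above(findings, "medium"):
        print(f"{f['severity']:>6}  {f['vid']}  {f['location']}  {f['category']}")
    raise SystemExit(0 if gate(SAMPLE_REPORT) else 1)
```

Pipe the real report in place of SAMPLE_REPORT and the non-zero exit code fails the job; lowering the threshold to "medium" tightens the gate.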
