Aqua has released a free tool called kube-hunter to help with Kubernetes security. You give it the IP address or DNS name of your Kubernetes cluster, and kube-hunter probes it for security issues - it’s like automated penetration testing.

Note: this tool is intended for testing your own deployments so you can address any weaknesses. You must not use it to probe clusters you don’t own!

So if your dashboard is exposed or your kubelets are reachable from outside, kube-hunter can alert you to it.

Running kube-hunter

The kube-hunter code is open source, and we’re also providing a containerized version to make it easy to run. The containerized version works in conjunction with our kube-hunter website, where it’s easy to view the results and share them with your team.

At the kube-hunter site, enter your email address and you’ll get a Docker command to run that includes a token. Copy that command and run it anywhere you have Docker installed, and you’ll be prompted for the address of the cluster to test against. After the tests run, you’ll see a unique URL (associated with that token) for viewing the results, which you can send to anyone else who needs to see them.

Passive and active hunters

By default, kube-hunter runs “passive hunters” only: a series of tests that probe for potential access points (such as open ports) in your cluster.

You can also turn on “active hunting” with the --active parameter. This enables additional tests that attempt to leverage any weaknesses found by the passive hunters. Active hunters are intended to give an indication of what an attacker might be able to do. While none of these tests is intended to be destructive, you should exercise caution, as they could change the state of the cluster or the code running within it. As an example, here is an active hunter which attempts to exec into a container and run uname within it.
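To make the passive/active split concrete, here is a small added example (not kube-hunter’s own code) of what a passive hunter does: it attempts a plain TCP connect to a handful of ports that Kubernetes components commonly listen on and reports which ones accept a connection, without sending any payload. The port list and descriptions are a constructed sample, not kube-hunter’s list, and the active side (exec into a container) is deliberately not reproduced here.

```python
"""Passive port-probing hunter, modelled on the idea described above.

Added example, not code from kube-hunter or Aqua. The port table below is a
constructed sample of ports commonly used by Kubernetes components; it is an
assumption for illustration, not kube-hunter's own list of hunters or ports.
"""
import argparse
import socket
from dataclasses import dataclass

# Constructed sample of well-known Kubernetes component ports (assumption).
KUBE_PORTS = {
    6443: "kube-apiserver (HTTPS)",
    8080: "kube-apiserver (insecure HTTP)",
    10250: "kubelet API",
    10255: "kubelet read-only API",
    2379: "etcd client",
}


@dataclass(frozen=True)
class OpenPortEvent:
    """A finding produced by the passive hunter: a port that accepted a connection."""
    host: str
    port: int
    description: str


def probe_ports(host, ports, timeout=1.0):
    """Passive hunter: try a TCP connect to each port and report those that accept.

    Nothing is written to the socket; a refused or timed-out connect is simply
    recorded as 'not open'. Returns a list of OpenPortEvent in table order.
    """
    findings = []
    for port, description in ports.items():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except OSError:
                # ECONNREFUSED, timeout, unreachable host, etc.: not an access point
                continue
        findings.append(OpenPortEvent(host, port, description))
    return findings


def format_report(events):
    """Render findings as one line per open port, for the operator's own cluster."""
    if not events:
        return ["no potential access points found"]
    return [f"open port {e.port}/tcp ({e.description}) on {e.host}" for e in events]


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="passive port probe for your own cluster")
    parser.add_argument("host", help="IP address or DNS name of the cluster to test")
    parser.add_argument("--timeout", type=float, default=1.0)
    args = parser.parse_args()
    for line in format_report(probe_ports(args.host, KUBE_PORTS, args.timeout)):
        print(line)
```

Run it against a node you administer (`python probe.py 10.0.0.5`); an open 10255 or 8080 in the output is exactly the kind of finding the passive hunters in kube-hunter are designed to surface, and the fix is on the cluster side (firewalling, disabling the read-only kubelet port, or removing the insecure API listener), not in the probe.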

Pen-test responsibly

I don’t think we can say it too often: you must not use this on other people’s clusters! It would certainly be possible to use this code to attack other sites, but this is not our intention (and it is explicitly forbidden by the terms & conditions you’ll accept if you use the kube-hunter site).

We thought carefully, before releasing kube-hunter, about its potential use by the bad guys; but truth be told, they probably already run similar kinds of tests with generic tools (e.g. port scanners). We want to arm Kubernetes administrators, operators and engineers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers.

Tests

You’ll find a list of the tests implemented so far on the kube-hunter site, or by running kube-hunter with the --list parameter. It is not yet comprehensive, but it does have a good range of hunters with the potential to uncover many common issues.

Open source tests

The underlying test code (which you can run without using the website if you prefer) is open source, and we would welcome feedback, ideas and contributions for additional hunters!

Co-author and kube-hunter developer: Daniel Sagi