Kube-hunter: Aqua’s New Open Source Tool for Hunting Kubernetes Security Issues
In a blog post, technology evangelist Liz Rice likened Kube-hunter to automated penetration testing (pentesting). There’s also a website where you register to receive a token to see and share the results online. The tool also provides suggestions on remediation for a wide range of vulnerabilities.
The source code, written in Python, is available on GitHub.
Kube-hunter can run as a container on any machine outside your cluster — the company warns that it’s only intended to run on clusters you own. Provide the domain name or IP address of the cluster and kube-hunter searches a domain or address range for open Kubernetes-related ports and tests for configuration issues that present exposure to hackers. Run with the host network, it will be able to scrutinize all the interfaces on the host
It also can run on a machine in the cluster. The third option is to run it as a pod within the cluster, where it can report on the exposure risk should one of the application pods be compromised.
Its default state is for passive hunts only, and performs tasks such as searching email for SSL certificates and checking for open ports, proxy service or dashboard. In the active state, a hunter can potentially do state-changing operations on the cluster, which prompts the company to warn users to be very careful about using it. In the active state, Kube-hunter will exploit vulnerabilities it finds to explore for further vulnerabilities.
It offers three options: remote scanning, internal scanning and network scanning. Users will be able to see a list of the tests run, either in passive or active mode and set the level of logging they want to see: Debug, Info (default) or Warning. The mapping option allows users to see only mapping of nodes in the network.
The Kube-hunter webpage lists the vulnerabilities, severity, details of the user environment and URLs that users can share with others in the organization.
Kube-hunter augments another open source project to which Aqua has been contributing: the kube-bench project. It’s a Go application that checks whether Kubernetes is deployed according to best practices defined in the Center for Internet Security benchmark for Kubernetes.
Rice and Justin Cappos, associate professor of computer science and engineering at the New York University’s Tandon School of Engineering, joined TNS founder Alex Williams in a discussion about Kubernetes security recently in an episode of The New Stack Makers taped at KubeCon+CloudNativeCon in Copenhagen.
Aqua Security is a sponsor of The New Stack.