Container security company Aqua Security has released open source kube-hunter to assist DevOps folk in penetration testing their Kubernetes cluster. The tool is expected to increase awareness and visibility of security issues in Kubernetes environments.
It does so by probing a domain or address range for open ports and searching for configurations that might expose the cluster to attackers. The results are reported back with each concern highlighted, so that whoever is responsible for the cluster can start fixing the settings.
kube-hunter can be run directly on a machine to probe local network infrastructure. There is also a containerized version which works together with the project’s website, and a way to run it in a pod within the cluster, using Kubernetes’ default access settings to get an idea of how exposed your cluster would be if compromised.
The tool offers remote, internal, and network scanning options in active and passive versions. By default only passive hunters are run; these probe for access points such as open ports within the cluster. Passive tests include checks for email addresses in Kubernetes SSL certificates, open dashboards and those behind proxies, the existence of API servers, Kubelet, and open proxy services, as well as an option to generate IP addresses to scan based on the cluster and scan type.
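To make the certificate check concrete, here is an added example (not code from kube-hunter or this article) of what "email addresses in Kubernetes SSL certificates" comes down to: a small Go program that parses a PEM certificate and reports any address found in the Subject or the subjectAltName extension. The certificate and the addresses it carries are constructed for the example; a real check would be pointed at your own API server or Kubelet certificate.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// PKCS#9 emailAddress attribute OID, which may appear in a certificate Subject.
var oidEmailAddress = []int{1, 2, 840, 113549, 1, 9, 1}
// CertEmails lists every e-mail address in a PEM certificate: Subject emailAddress attribute or rfc822Name SAN.
func CertEmails(pemBytes []byte) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var found []string
	for _, atv := range cert.Subject.Names { // Names holds every parsed Subject attribute
		if atv.Type.Equal(oidEmailAddress) {
			found = append(found, fmt.Sprintf("subject: %v", atv.Value))
		}
	}
	for _, e := range cert.EmailAddresses { // rfc822Name entries of subjectAltName
		found = append(found, "san: "+e)
	}
	return found, nil
}
// SampleCert builds a constructed self-signed certificate (not a real cluster cert) with an e-mail in both places.
func SampleCert(subjectEmail, sanEmail string) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		EmailAddresses: []string{sanEmail}, Subject: pkix.Name{CommonName: "kube-apiserver",
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidEmailAddress, Value: subjectEmail}}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
func main() {
	pemBytes, _ := SampleCert("admin@example.com", "ops@example.com")
	fmt.Println(CertEmails(pemBytes)) // [subject: admin@example.com san: ops@example.com] <nil>
}
```

An address in a cluster certificate discloses who administers it, which is why the passive hunter flags it; the fix is to reissue the certificate without the attribute.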
If users wish to go a step further and see what can be done with the weaknesses found in passive mode, they can set the active parameter to enable additional testing. Those tests include trying to retrieve logs from and executing uname inside random containers, extracting the version and build date of Kubernetes when proxies are exposed, and getting the Azure subscription file on the host. Since the active tests are potentially able to change the state of a cluster, they shouldn’t be used carelessly.
And while it could be tempting to use it on other people’s deployments, Aqua Security makes it clear that kube-hunter is intended for testing your own clusters only and may not be used to penetrate, attack, or evaluate third-party systems. Using the tool means agreeing to those conditions, as per the project’s end user license agreement.