• Stars
    star
    4,709
  • Rank 8,985 (Top 0.2 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 6 years ago
  • Updated 9 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Hunt for security weaknesses in Kubernetes clusters

kube-hunter

GitHub Release Downloads Docker Pulls Build Status codecov Code style: black License Docker image

kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don't own!

Run kube-hunter: kube-hunter is available as a container (aquasec/kube-hunter), and we also offer a web site at kube-hunter.aquasec.com where you can register online to receive a token allowing you to see and share the results online. You can also run the Python code yourself as described below.

Explore vulnerabilities: The kube-hunter knowledge base includes articles about discoverable vulnerabilities and issues. When kube-hunter reports an issue, it will show its VID (Vulnerability ID) so you can look it up in the KB at https://aquasecurity.github.io/kube-hunter/
If you're interested in kube-hunter's integration with the Kubernetes ATT&CK Matrix Continue Reading

Contribute: We welcome contributions, especially new hunter modules that perform additional tests. If you would like to develop your modules please read Guidelines For Developing Your First kube-hunter Module.

kube-hunter demo video

Table of Contents


Kubernetes ATT&CK Matrix

kube-hunter now supports the new format of the Kubernetes ATT&CK matrix. While kube-hunter's vulnerabilities are a collection of creative techniques designed to mimic an attacker in the cluster (or outside it) The Mitre's ATT&CK defines a more general standardised categories of techniques to do so.

You can think of kube-hunter vulnerabilities as small steps for an attacker, which follows the track of a more general technique he would aim for. Most of kube-hunter's hunters and vulnerabilities can closly fall under those techniques, That's why we moved to follow the Matrix standard.

Some kube-hunter vulnerabities which we could not map to Mitre technique, are prefixed with the General keyword kube-hunter

Hunting

Where should I run kube-hunter?

There are three different ways to run kube-hunter, each providing a different approach to detecting weaknesses in your cluster:

Run kube-hunter on any machine (including your laptop), select Remote scanning and give the IP address or domain name of your Kubernetes cluster. This will give you an attackers-eye-view of your Kubernetes setup.

You can run kube-hunter directly on a machine in the cluster, and select the option to probe all the local network interfaces.

You can also run kube-hunter in a pod within the cluster. This indicates how exposed your cluster would be if one of your application pods is compromised (through a software vulnerability, for example). (--pod flag)

Scanning options

First check for these pre-requisites.

By default, kube-hunter will open an interactive session, in which you will be able to select one of the following scan options. You can also specify the scan option manually from the command line. These are your options:

  1. Remote scanning

To specify remote machines for hunting, select option 1 or use the --remote option. Example: kube-hunter --remote some.node.com

  1. Interface scanning

To specify interface scanning, you can use the --interface option (this will scan all of the machine's network interfaces). Example: kube-hunter --interface

  1. Network scanning

To specify a specific CIDR to scan, use the --cidr option. Example: kube-hunter --cidr 192.168.0.0/24

  1. Kubernetes node auto-discovery

Set --k8s-auto-discover-nodes flag to query Kubernetes for all nodes in the cluster, and then attempt to scan them all. By default, it will use in-cluster config to connect to the Kubernetes API. If you'd like to use an explicit kubeconfig file, set --kubeconfig /location/of/kubeconfig/file.

Also note, that this is always done when using --pod mode.

Authentication

In order to mimic an attacker in it's early stages, kube-hunter requires no authentication for the hunt.

  • Impersonate - You can provide kube-hunter with a specific service account token to use when hunting by manually passing the JWT Bearer token of the service-account secret with the --service-account-token flag.

    Example:

    $ kube-hunter --active --service-account-token eyJhbGciOiJSUzI1Ni...
  • When runing with --pod flag, kube-hunter uses the service account token mounted inside the pod to authenticate to services it finds during the hunt.

    • if specified, --service-account-token flag takes priority when running as a pod

Active Hunting

Active hunting is an option in which kube-hunter will exploit vulnerabilities it finds, to explore for further vulnerabilities. The main difference between normal and active hunting is that a normal hunt will never change the state of the cluster, while active hunting can potentially do state-changing operations on the cluster, which could be harmful.

By default, kube-hunter does not do active hunting. To active hunt a cluster, use the --active flag. Example: kube-hunter --remote some.domain.com --active

List of tests

You can see the list of tests with the --list option: Example: kube-hunter --list

To see active hunting tests as well as passive: kube-hunter --list --active

Nodes Mapping

To see only a mapping of your nodes network, run with --mapping option. Example: kube-hunter --cidr 192.168.0.0/24 --mapping This will output all the Kubernetes nodes kube-hunter has found.

Output

To control logging, you can specify a log level, using the --log option. Example: kube-hunter --active --log WARNING Available log levels are:

  • DEBUG
  • INFO (default)
  • WARNING

Dispatching

By default, the report will be dispatched to stdout, but you can specify different methods by using the --dispatch option. Example: kube-hunter --report json --dispatch http Available dispatch methods are:

  • stdout (default)
  • http (to configure, set the following environment variables:)
    • KUBEHUNTER_HTTP_DISPATCH_URL (defaults to: https://localhost)
    • KUBEHUNTER_HTTP_DISPATCH_METHOD (defaults to: POST)

Advanced Usage

Azure Quick Scanning

When running as a Pod in an Azure or AWS environment, kube-hunter will fetch subnets from the Instance Metadata Service. Naturally this makes the discovery process take longer. To hardlimit subnet scanning to a /24 CIDR, use the --quick option.

Custom Hunting

Custom hunting enables advanced users to have control over what hunters gets registered at the start of a hunt. If you know what you are doing, this can help if you want to adjust kube-hunter's hunting and discovery process for your needs.

Example:

kube-hunter --custom <HunterName1> <HunterName2>

Enabling Custom hunting removes all hunters from the hunting process, except the given whitelisted hunters.

The --custom flag reads a list of hunters class names, in order to view all of kube-hunter's class names, you can combine the flag --raw-hunter-names with the --list flag.

Example:

kube-hunter --active --list --raw-hunter-names

Notice: Due to kube-huner's architectural design, the following "Core Hunters/Classes" will always register (even when using custom hunting):

  • HostDiscovery
    • Generates ip addresses for the hunt by given configurations
    • Automatically discovers subnets using cloud Metadata APIs
  • FromPodHostDiscovery
    • Auto discover attack surface ip addresses for the hunt by using Pod based environment techniques
    • Automatically discovers subnets using cloud Metadata APIs
  • PortDiscovery
    • Port scanning given ip addresses for known kubernetes services ports
  • Collector
    • Collects discovered vulnerabilities and open services for future report
  • StartedInfo
    • Prints the start message
  • SendFullReport
    • Dispatching the report based on given configurations

Deployment

There are three methods for deploying kube-hunter:

On Machine

You can run kube-hunter directly on your machine.

Prerequisites

You will need the following installed:

  • python 3.x
  • pip
Install with pip

Install:

pip install kube-hunter

Run:

kube-hunter
Run from source

Clone the repository:

git clone https://github.com/aquasecurity/kube-hunter.git

Install module dependencies. (You may prefer to do this within a Virtual Environment)

cd ./kube-hunter
pip install -r requirements.txt

Run:

python3 kube_hunter

If you want to use pyinstaller/py2exe you need to first run the install_imports.py script.

Container

Aqua Security maintains a containerized version of kube-hunter at aquasec/kube-hunter:aqua. This container includes this source code, plus an additional (closed source) reporting plugin for uploading results into a report that can be viewed at kube-hunter.aquasec.com. Please note, that running the aquasec/kube-hunter container and uploading reports data are subject to additional terms and conditions.

The Dockerfile in this repository allows you to build a containerized version without the reporting plugin.

If you run kube-hunter container with the host network, it will be able to probe all the interfaces on the host:

docker run -it --rm --network host aquasec/kube-hunter

Note for Docker for Mac/Windows: Be aware that the "host" for Docker for Mac or Windows is the VM that Docker runs containers within. Therefore specifying --network host allows kube-hunter access to the network interfaces of that VM, rather than those of your machine. By default, kube-hunter runs in interactive mode. You can also specify the scanning option with the parameters described above e.g.

docker run --rm aquasec/kube-hunter --cidr 192.168.0.0/24

Pod

This option lets you discover what running a malicious container can do/discover on your cluster. This gives a perspective on what an attacker could do if they were able to compromise a pod, perhaps through a software vulnerability. This may reveal significantly more vulnerabilities.

The example job.yaml file defines a Job that will run kube-hunter in a pod, using default Kubernetes pod access settings. (You may wish to modify this definition, for example to run as a non-root user, or to run in a different namespace.)

  • Run the job with kubectl create -f ./job.yaml
  • Find the pod name with kubectl describe job kube-hunter
  • View the test results with kubectl logs <pod name>

Contribution

To read the contribution guidelines, Click here

License

This repository is available under the Apache License 2.0.

More Repositories

1

trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Go
22,757
star
2

tfsec

Tfsec is now part of Trivy
Go
6,659
star
3

kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Go
5,935
star
4

tracee

Linux Runtime Security and Forensics using eBPF
Go
3,601
star
5

cloudsploit

Cloud Security Posture Management (CSPM)
JavaScript
3,304
star
6

starboard

Moved to https://github.com/aquasecurity/trivy-operator
Go
1,346
star
7

trivy-operator

Kubernetes-native security toolkit
Go
1,249
star
8

microscanner

Scan your container images for package vulnerabilities with Aqua Security
Dockerfile
856
star
9

kubectl-who-can

Show who has RBAC permissions to perform actions on different resources in Kubernetes
Go
810
star
10

trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Shell
807
star
11

libbpfgo

eBPF library for Go. Powered by libbpf.
Go
731
star
12

chain-bench

An open-source tool for auditing your software supply chain stack for security compliance based on a new CIS Software Supply Chain benchmark.
Go
725
star
13

cloud-security-remediation-guides

Security Remediation Guides
698
star
14

vuln-list

NVD, Ubuntu, Alpine
408
star
15

btfhub

BTFhub, in collaboration with the BTFhub Archive repository, supplies BTF files for all published kernels that lack native support for embedded BTF. This joint effort ensures that even kernels without built-in BTF support can effectively leverage the benefits of eBPF programs, promoting compatibility across various kernel versions.
Go
386
star
16

esquery

An idiomatic Go query builder for ElasticSearch
Go
305
star
17

traceeshark

Deep Linux runtime visibility meets Wireshark
C
244
star
18

trivy-db

Go
224
star
19

kube-query

[EXPERIMENTAL] Extend osquery to report on Kubernetes
Go
223
star
20

harbor-scanner-trivy

Use Trivy as a plug-in vulnerability scanner in the Harbor registry
Go
218
star
21

defsec

Trivy's misconfiguration scanning engine
Go
213
star
22

postee

Simple message routing system that receives input messages through a webhook interface and can enforce actions using predefined outputs via integrations.
Go
201
star
23

fanal

Static Analysis Library for Containers
Go
200
star
24

cloudsec-icons

A collection of cloud security icons ☁️🔒
Go
186
star
25

docker-bench

Checks whether Docker is deployed according to security best practices as defined in the CIS Docker Benchmark
Go
179
star
26

vuln-list-update

Go
173
star
27

manifesto

Use Manifesto to store and query metadata for container images.
Go
164
star
28

tfsec-pr-commenter-action

Add comments to pull requests where tfsec checks have failed
Go
164
star
29

linux-bench

Checks whether a Linux server according to security best practices as defined in the CIS Distribution-Independent Linux Benchmark
Go
152
star
30

go-dep-parser

Dependency Parser for Multiple Programming Languages
Go
144
star
31

lmdrouter

Go HTTP router library for AWS API Gateway-invoked Lambda Functions
Go
135
star
32

appshield

Security configuration checks for popular cloud native applications and infrastructure.
Open Policy Agent
118
star
33

starboard-lens-extension

Lens extension for viewing Starboard security information
TypeScript
117
star
34

trivy-vscode-extension

A VS Code Extension for Trivy
TypeScript
116
star
35

btfhub-archive

The BTFhub Archive repository provides BTF files for those published kernels that lack native support for embedded BTF, thereby enhancing the versatility of eBPF programs across different kernel versions.
94
star
36

aqua-helm

Helm Charts For Installing Aqua Security Components
Mustache
86
star
37

table

🧮 Tables for terminals, in Go.
Go
81
star
38

tracee-action

Protect GitHub Actions with Tracee
Open Policy Agent
78
star
39

cfsec

Static analysis for CloudFormation templates to identify common misconfiguration
Go
58
star
40

starboard-octant-plugin

Octant plugin for viewing Starboard security information
Go
57
star
41

deployments

All Aqua deployments options and aquactl configuration
Shell
56
star
42

tfsec-sarif-action

Shell
52
star
43

tfsec-action

Vanilla GitHub action to run tfsec
Shell
52
star
44

trivy-azure-pipelines-task

An Azure Pipelines Task for trivy
TypeScript
46
star
45

community

Aqua Security's open source community
40
star
46

trivy-operator-lens-extension

https://github.com/aquasecurity/trivy-operator
TypeScript
37
star
47

terraform-provider-aquasec

Go
35
star
48

go-version

A Go library for parsing and verifying versions and version constraints.
Go
35
star
49

harbor-scanner-aqua

Aqua Enterprise scanner as a plug-in vulnerability scanner in the Harbor registry
Go
35
star
50

aqua-operator

The aqua-operator is a group of controllers that runs within a Kubernetes or Openshift cluster that provides a means to deploy and manage Aqua Security cluster and Components.
Go
34
star
51

trivy-checks

Go
34
star
52

trivy-java-db

Go
30
star
53

vscode-tfsec

vscode extension for tfsec
TypeScript
30
star
54

trivy-kubernetes

Trivy kubernetes library
Go
29
star
55

trivy-plugin-kubectl

A Trivy plugin that scans the images of a kubernetes resource
Shell
25
star
56

trivy-docker-extension

Docker Desktop Extension for Trivy
TypeScript
20
star
57

trivy-plugin-referrer

Trivy plugin for OCI referrers
Go
20
star
58

trivy-enforcer

[EXPERIMENTAL] Kubernetes Operator for Image Assurance
Go
20
star
59

chain-bench-action

Shell
19
star
60

aqua-aws

The repository not supported any more. Please use this one https://github.com/aquasecurity/deployments
HCL
18
star
61

trivy-pipe

Bitbucket Pipe for running Trivy in a Pipeline
Shell
17
star
62

starboard-operator

The Starboard Operator has moved to the main Starboard repo, and this one is being retired
Go
16
star
63

windows-bench

Checks whether a Windows server according to security best practices as defined in the CIS Distribution-Independent Windows Benchmark
Go
16
star
64

saas-terraform-connection

Terraform modules for CloudSploit Scanner
HCL
14
star
65

trivy-ci-test

Dockerfile
14
star
66

vexhub

13
star
67

saas-api-samples

Sample code snippets for consuming the CloudSploit API
JavaScript
13
star
68

helm-charts

Aqua Open Source Helm Chart Repository
13
star
69

circleci-orb-microscanner

Enables scanning of docker builds in CircleCi for OS package vulnerabilities.
Dockerfile
13
star
70

vim-trivy

Vim Plugin for Trivy
Vim Script
13
star
71

vim-tfsec

List your tfsec issues in the QuickFix window with this plugin.
Vim Script
12
star
72

trivy-aws

Go
11
star
73

trivy-plugin-aqua

Makefile
11
star
74

go-git-pr-commenter

library for adding comments to git PRs
Go
11
star
75

binfinder

Find binary files not installed through package manager
Go
11
star
76

trivy-sarif-demo

JavaScript
9
star
77

cloud-metadata

Common metadata repository for CSPM and TFSec checks
Go
9
star
78

tracee-test-kernels

Kernels for testing tracee CO-RE feature
C
9
star
79

bench-common

Common code for hardening benchmarks
Go
9
star
80

trivy-repo

deb/rpm repository for Trivy
9
star
81

aws-security-hub-plugin

Aqua Security AWS Security Hub plugin
9
star
82

tracee-tester

This is a spin-off from Tracee project responsible for generating the docker image that tests open-source signatures.
Shell
9
star
83

gobard

Unofficial Golang API for Bard Chat.
Go
8
star
84

aqua-dash

Sample Aqua CSP dashboard
Vue
8
star
85

trivy-iac

Go
7
star
86

scan-cve-2018-8115

Python
7
star
87

amazon-eks-devsecops

PHP
7
star
88

pipeline-enforcer-action

TypeScript
7
star
89

intellij-trivy

Trivy Plugin for the JetBrains family of IDEs
Java
7
star
90

go-pep440-version

A golang library for parsing PEP 440 compliant Python versions
Go
7
star
91

tfsec-azure-pipelines-task

An Azure DevOps Task for tfsec
TypeScript
7
star
92

build-security-action

GitHub Action for Aqua Build Security
Shell
7
star
93

go-npm-version

A golang library for parsing npm versions
Go
6
star
94

saas-integrations

CloudSploit third-party integrations
JavaScript
6
star
95

trivy-plugin-attest

Publish SBOM attestation
Go
6
star
96

k8s-node-collector

Go
6
star
97

secfixes-tracker

Forked from https://gitlab.alpinelinux.org/kaniini/secfixes-tracker
Python
6
star
98

trivy-module-wordpress

Trivy example module for WordPress
Go
5
star
99

reportgen

PDF reports for Aqua CSP image and host vulnerabilities
Go
5
star
100

vuln-list-nvd

NVD
5
star