
Kube Hunter


What is kube-hunter?

kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don't own!

To learn more about the kube-hunter scanner itself visit kube-hunter GitHub or kube-hunter Website.


The kube-hunter chart can be deployed via helm:

```bash
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install kube-hunter secureCodeBox/kube-hunter
```

Scanner Configuration

The following security scan configuration examples are based on the kube-hunter documentation; please take a look at the original documentation for more configuration examples.

  • To specify remote machines for hunting, select option 1 or use the `--remote` option. Example: `kube-hunter --remote`
  • To specify interface scanning, you can use the `--interface` option (this will scan all the machine's network interfaces). Example: `kube-hunter --interface`
  • To specify a specific CIDR to scan, use the `--cidr` option. Example: `kube-hunter --cidr`


Kubernetes: >=v1.11.0-0


| Key | Type | Default | Description |
|---|---|---|---|
| cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner |
| parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: |
| parser.image.repository | string | `""` | Parser image repository |
| parser.image.tag | string | defaults to the charts version | Parser image tag |
| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: |
| scanner.backoffLimit | int | `3` | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: |
| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: |
| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: |
| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: |
| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: |
| scanner.image.repository | string | `""` | Container Image to run the scan |
| scanner.image.tag | string | `nil` | defaults to the charts version |
| scanner.nameAppend | string | `nil` | append a string to the default scantype name. |
| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see:, |
| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: |
| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: |



Code of secureCodeBox is licensed under the Apache License 2.0.



```yaml
# SPDX-FileCopyrightText: 2021 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: ""
kind: Scan
metadata:
  name: "kube-hunter-in-cluster"
spec:
  scanType: "kube-hunter"
  parameters:
    - "--pod"
```
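As an added example (not code from this page or from the secureCodeBox project), a small Python helper that checks a kube-hunter parameter list against the options listed under Scanner Configuration and builds the Scan object shown above. It assumes the Scan apiVersion `execution.securecodebox.io/v1` (the example leaves it blank), that `--remote` and `--cidr` take values (the page's examples are cut off) and that `--cidr` accepts comma-separated networks with a `!` prefix for exclusions.

```python
import ipaddress

# Assumption: the Scan CRD's apiVersion (the page's example leaves it blank).
API_VERSION = "execution.securecodebox.io/v1"

# kube-hunter options named on this page, mapped to whether they take values.
# Assumption: --remote and --cidr take values (the page's examples are cut off).
OPTIONS = {"--pod": False, "--remote": True, "--interface": False, "--cidr": True}


def validate_parameters(params):
    """Return a list of problems with a kube-hunter parameter list ([] means OK)."""
    problems = []
    if not params:
        # Without a target mode kube-hunter waits for interactive input (the
        # "select option 1" menu), which a Kubernetes Job cannot provide.
        problems.append("no target mode given (--pod, --remote, --interface or --cidr)")
    i = 0
    while i < len(params):
        opt = params[i]
        if opt not in OPTIONS:
            problems.append(f"unknown option {opt!r}")
            i += 1
            continue
        i += 1
        if not OPTIONS[opt]:
            continue
        # Collect the option's values: every token up to the next --option.
        values = []
        while i < len(params) and not params[i].startswith("--"):
            values.append(params[i])
            i += 1
        if not values:
            problems.append(f"{opt} requires a value")
        elif opt == "--cidr":
            # Assumption: comma-separated networks, a "!" prefix excludes a range.
            for net in ",".join(values).split(","):
                try:
                    ipaddress.ip_network(net.lstrip("!"), strict=False)
                except ValueError:
                    problems.append(f"--cidr entry {net!r} is not a valid network")
    return problems


def build_scan(name, params):
    """Build the Scan object for the chart's scanType; raises on bad parameters."""
    problems = validate_parameters(params)
    if problems:
        raise ValueError("; ".join(problems))
    return {"apiVersion": API_VERSION, "kind": "Scan", "metadata": {"name": name},
            "spec": {"scanType": "kube-hunter", "parameters": list(params)}}
```

Serialising the returned dict with `json.dumps` yields a manifest that `kubectl apply -f` accepts directly, since JSON is a subset of YAML.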