kube-hunter

kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don't own!

To learn more about the kube-hunter scanner itself visit kube-hunter GitHub or kube-hunter Website.

Deployment

The kube-hunter ScanType can be deployed via helm:

helm upgrade --install kube-hunter secureCodeBox/kube-hunter

Scanner Configuration

The following security scan configuration example are based on the kube-hunter Documentation, please take a look at the original documentation for more configuration examples.

  • To specify remote machines for hunting, select option 1 or use the --remote option. Example: kube-hunter --remote some.node.com
  • To specify interface scanning, you can use the --interface option (this will scan all of the machine's network interfaces). Example: kube-hunter --interface
  • To specify a specific CIDR to scan, use the --cidr option. Example: kube-hunter --cidr 192.168.0.0/24

Chart Configuration

KeyTypeDefaultDescription
image.repositorystring"docker.io/securecodebox/scanner-kube-hunter"Container Image to run the scan
image.tagstringnildefaults to the charts version
parserImage.repositorystring"docker.io/securecodebox/parser-kube-hunter"Parser image repository
parserImage.tagstringdefaults to the charts versionParser image tag
scannerJob.envlist[]Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
scannerJob.extraContainerslist[]Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
scannerJob.extraVolumeMountslist[]Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scannerJob.extraVolumeslist[]Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
scannerJob.resourcesobject{}CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
scannerJob.securityContextobject{}Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
scannerJob.ttlSecondsAfterFinishedstringnilDefines how long the scanner job after finishing will be available (see: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/)

Examples

in-cluster

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "kube-hunter-in-cluster"
spec:
scanType: "kube-hunter"
parameters:
- "--pod"