

title: kube-hunter
category: scanner
type: Kubernetes
state: released
appVersion: 0.3.1
usecase: Kubernetes Vulnerability Scanner
custom_edit_url: >-

kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don't own!

To learn more about the kube-hunter scanner itself, visit the kube-hunter GitHub repository or the kube-hunter website.


The kube-hunter ScanType can be deployed via helm:

helm upgrade --install kube-hunter secureCodeBox/kube-hunter

Scanner Configuration

The following security scan configuration examples are based on the kube-hunter documentation; please take a look at the original documentation for more configuration examples.

  • To specify remote machines for hunting, select option 1 or use the --remote option. Example: kube-hunter --remote
  • To scan from the machine's network interfaces, use the --interface option (this scans all of the machine's network interfaces). Example: kube-hunter --interface
  • To scan a specific CIDR range, use the --cidr option. Example: kube-hunter --cidr

Chart Configuration

| Key | Type | Default | Description |
| --- | --- | --- | --- |
| cascadingRules.enabled | bool | true | Enables or disables the installation of the default cascading rules for this scanner |
| parser.image.repository | string | "" | Parser image repository |
| parser.image.tag | string | defaults to the chart's version | Parser image tag |
| parser.ttlSecondsAfterFinished | string | nil | Seconds after which the Kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller. |
| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some number of retries due to a logical error in the configuration etc. To do so, set backoffLimit to the number of retries before a scan Job is considered failed. |
| scanner.env | list | [] | Optional environment variables mapped into each scanJob |
| scanner.extraContainers | list | [] | Optional additional containers started with each scanJob |
| scanner.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into each scanJob |
| scanner.extraVolumes | list | [] | Optional Volumes mapped into each scanJob |
| scanner.image.repository | string | "" | Container image to run the scan |
| scanner.image.tag | string | nil | Defaults to the chart's version |
| scanner.nameAppend | string | nil | Append a string to the default scanType name |
| scanner.resources | object | {} | CPU/memory resource requests/limits |
| scanner.securityContext | object | {} | Optional securityContext set on the scanner container |
| scanner.ttlSecondsAfterFinished | string | nil | Seconds after which the Kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller. |
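The following values file is an added example, not part of the secureCodeBox chart or the original page. It shows how the chart keys in the table above combine into one override: a bounded retry budget, automatic cleanup of finished scan and parser jobs, resource limits, and a restricted securityContext. The securityContext settings assume that kube-hunter in its default in-cluster (--pod) mode needs no extra Linux capabilities; that assumption is constructed here and should be checked against your own cluster before use.

```yaml
# values.yaml for the secureCodeBox kube-hunter chart (example override, not the chart's defaults)

# Stop retrying a misconfigured scan Job after one additional attempt
# instead of the default of 3.
scanner:
  backoffLimit: 1

  # Remove the finished scanner Job (and its pod) after one hour.
  # Requires the Kubernetes TTLAfterFinished controller to be enabled.
  ttlSecondsAfterFinished: "3600"

  # Keep the scanner pod from starving or overloading cluster nodes.
  resources:
    requests:
      cpu: "100m"
      memory: "128Mi"
    limits:
      cpu: "500m"
      memory: "256Mi"

  # Least-privilege container settings for the scanner container.
  # Assumption: kube-hunter's in-cluster probes are plain network
  # requests and do not need elevated privileges or capabilities.
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL

  # Optional: hand kube-hunter a non-default log level via an
  # environment variable on the scan Job (constructed example value).
  env:
    - name: KUBEHUNTER_LOG
      value: "info"

# Also clean up the parser Job after one hour.
parser:
  ttlSecondsAfterFinished: "3600"

# Keep the default cascading rules so findings can trigger follow-up scans.
cascadingRules:
  enabled: true
```

Apply it with the same command used above, adding the values file: helm upgrade --install kube-hunter secureCodeBox/kube-hunter -f values.yaml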



# SPDX-FileCopyrightText: 2020 iteratec GmbH
# SPDX-License-Identifier: Apache-2.0

# secureCodeBox Scan resource: runs kube-hunter from inside the cluster
# (--pod mode), hunting from the scanner pod's own network position.
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "kube-hunter-in-cluster"
spec:
  scanType: "kube-hunter"
  parameters:
    - "--pod"