kube-hunter
kube-hunter hunts for security weaknesses in Kubernetes clusters. The tool was developed to increase awareness and visibility for security issues in Kubernetes environments. You should NOT run kube-hunter on a Kubernetes cluster that you don't own!
To learn more about the kube-hunter scanner itself visit kube-hunter GitHub or kube-hunter Website.
Deployment
The kube-hunter ScanType can be deployed via helm:
helm upgrade --install kube-hunter secureCodeBox/kube-hunter
Scanner Configuration
The following security scan configuration example are based on the kube-hunter Documentation, please take a look at the original documentation for more configuration examples.
- To specify remote machines for hunting, select option 1 or use the --remote option. Example:
kube-hunter --remote some.node.com - To specify interface scanning, you can use the --interface option (this will scan all of the machine's network interfaces). Example:
kube-hunter --interface - To specify a specific CIDR to scan, use the --cidr option. Example:
kube-hunter --cidr 192.168.0.0/24
Chart Configuration
| Key | Type | Default | Description |
|---|---|---|---|
| image.repository | string | "docker.io/securecodebox/scanner-kube-hunter" | Container Image to run the scan |
| image.tag | string | nil | defaults to the charts version |
| parseJob.ttlSecondsAfterFinished | string | nil | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| parserImage.repository | string | "docker.io/securecodebox/parser-kube-hunter" | Parser image repository |
| parserImage.tag | string | defaults to the charts version | Parser image tag |
| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
| scannerJob.env | list | [] | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
| scannerJob.extraContainers | list | [] | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
| scannerJob.extraVolumeMounts | list | [] | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scannerJob.extraVolumes | list | [] | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
| scannerJob.resources | object | {} | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
| scannerJob.securityContext | object | {} | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
| scannerJob.ttlSecondsAfterFinished | string | nil | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
Examples
in-cluster
- Scan
- Findings
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
name: "kube-hunter-in-cluster"
spec:
scanType: "kube-hunter"
parameters:
- "--pod"