DEV Community

Aprakash

kube-hunter : Kubernetes Security

Kube-hunter - An open source tool that hunts for security issues in your Kubernetes clusters.

Kube-hunter hunts for security weaknesses in Kubernetes clusters. This tool was developed to increase awareness and visibility for security issues in Kubernetes environments.

Kube-hunter Github
https://github.com/aquasecurity/kube-hunter

Ways to Run kube-hunter
There are three ways to run kube-hunter: as a pod inside the cluster, directly on a machine, or as a container.

Pod
You can also run kube-hunter as a pod inside the cluster.

  • Deploy the job.yaml from the kube-hunter GitHub repo
  • Find the name of the pod the job created
  • View the test results with kubectl logs
kubectl create -f https://raw.githubusercontent.com/aquasecurity/kube-hunter/main/job.yaml
kubectl describe job kube-hunter
kubectl logs <pod name>
root@Aprakash:~# kubectl logs kube-hunter-59x7z
2022-01-20 06:54:05,667 INFO kube_hunter.modules.report.collector Started hunting
2022-01-20 06:54:05,672 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2022-01-20 06:54:05,676 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-59x7z)
2022-01-20 06:54:05,676 INFO kube_hunter.modules.report.collector
  Nodes
+-------------+------------+
| TYPE        | LOCATION   |
+-------------+------------+
| Node/Master | 10.244.1.1 |
+-------------+------------+
| Node/Master | 10.240.0.5 |
+-------------+------------+
| Node/Master | 10.240.0.4 |
+-------------+------------+
| Node/Master | 10.0.0.1   |
+-------------+------------+

Vulnerabilities
For further information about a vulnerability, search its ID in:
https://avd.aquasec.com/
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID     | LOCATION             | MITRE CATEGORY       | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-  | Lateral Movement //  | CAP_NET_RAW Enabled  | CAP_NET_RAW is       |                      |
|        | hunter-59x7z)        | ARP poisoning and IP |                      | enabled by default   |                      |
|        |                      | spoofing             |                      | for pods.            |                      |
|        |                      |                      |                      |     If an attacker   |                      |
|        |                      |                      |                      | manages to           |                      |
|        |                      |                      |                      | compromise a pod,    |                      |
|        |                      |                      |                      |     they could       |                      |
|        |                      |                      |                      | potentially take     |                      |
|        |                      |                      |                      | advantage of this    |                      |
|        |                      |                      |                      | capability to        |                      |
|        |                      |                      |                      | perform network      |                      |
|        |                      |                      |                      |     attacks on other |                      |
|        |                      |                      |                      | pods running on the  |                      |
|        |                      |                      |                      | same node            |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV002 | 10.0.0.1:443         | Initial Access //    | K8s Version          | The kubernetes       | v1.21.7              |
|        |                      | Exposed sensitive    | Disclosure           | version could be     |                      |
|        |                      | interfaces           |                      | obtained from the    |                      |
|        |                      |                      |                      | /version endpoint    |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV003 | Local to Pod (kube-  | Discovery //         | Azure Metadata       | Access to the Azure  | cidr: 10.240.0.0/16  |
|        | hunter-59x7z)        | Instance Metadata    | Exposure             | Metadata API exposes |                      |
|        |                      | API                  |                      | information about    |                      |
|        |                      |                      |                      | the machines         |                      |
|        |                      |                      |                      | associated with the  |                      |
|        |                      |                      |                      | cluster              |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV005 | 10.0.0.1:443         | Discovery // Access  | Access to API using  | The API Server port  | b'{"kind":"APIVersio |
|        |                      | the K8S API Server   | service account      | is accessible.       | ns","versions":["v1" |
|        |                      |                      | token                |     Depending on     | ],"serverAddressByCl |
|        |                      |                      |                      | your RBAC settings   | ientCIDRs":[{"client |
|        |                      |                      |                      | this could expose    | CIDR":"0.0.0.0/0","s |
|        |                      |                      |                      | access to or control | ...                  |
|        |                      |                      |                      | of your cluster.     |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-  | Credential Access // | Access to pod's      | Accessing the pod's  | ['/var/run/secrets/k |
|        | hunter-59x7z)        | Access container     | secrets              | secrets within a     | ubernetes.io/service |
|        |                      | service account      |                      | compromised pod      | account/namespace',  |
|        |                      |                      |                      | might disclose       | '/var/run/secrets/ku |
|        |                      |                      |                      | valuable data to a   | bernetes.io/servicea |
|        |                      |                      |                      | potential attacker   | ...                  |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV050 | Local to Pod (kube-  | Credential Access // | Read access to pod's | Accessing the pod    | eyJhbGciOiJSUzI1NiIs |
|        | hunter-59x7z)        | Access container     | service account      | service account      | ImtpZCI6Im5VRURSVTBh |
|        |                      | service account      | token                | token gives an       | R01YZzdPY2sxNXF2T1Ez |
|        |                      |                      |                      | attacker the option  | cDM5dmtlTkZsY29GdDg4 |
|        |                      |                      |                      | to use the server    | MG12M2cifQ.eyJhdWQiO |
|        |                      |                      |                      | API                  | ...                  |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
root@Aprakash:~/security#

On Machine

pip install kube-hunter
kube-hunter

From source

git clone https://github.com/aquasecurity/kube-hunter.git
cd ./kube-hunter
pip install -r requirements.txt
python3 -m kube_hunter

Container

docker run -it --rm --network host aquasec/kube-hunter

Remediation

For further information about a vulnerability, search its ID at https://avd.aquasec.com. The remediation steps for each vulnerability are listed there, and kube-hunter's own knowledge base (KB) lists all of the vulnerability IDs the tool reports.
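To turn the report into something a pipeline can act on, the following is an added example (not part of the original post or of kube-hunter itself) that triages a JSON report from kube-hunter --report json: it counts findings per severity and MITRE tactic, and fails a CI gate on a severity threshold or an explicit deny-list of IDs. The report keys it reads ("nodes", "vulnerabilities", "vid", "severity", "category", "location", "vulnerability") are assumed, and the embedded sample report is constructed from the findings shown in the post above with illustrative severities.

```python
"""Triage a kube-hunter JSON report (output of `kube-hunter --report json`).
Added example, not kube-hunter's own code. The report keys used ("nodes",
"vulnerabilities", "vid", "severity", "category", "location", "vulnerability")
are assumed; the sample below is constructed from the post's findings."""
import json
from collections import Counter
# Constructed sample; the severity values are illustrative, not the tool's.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.1"}],
    "vulnerabilities": [
        {"vid": "None", "severity": "low", "location": "Local to Pod (kube-hunter-59x7z)",
         "category": "Lateral Movement // ARP poisoning and IP spoofing",
         "vulnerability": "CAP_NET_RAW Enabled"},
        {"vid": "KHV002", "severity": "low", "location": "10.0.0.1:443",
         "category": "Initial Access // Exposed sensitive interfaces",
         "vulnerability": "K8s Version Disclosure"},
        {"vid": "KHV005", "severity": "medium", "location": "10.0.0.1:443",
         "category": "Discovery // Access the K8S API Server",
         "vulnerability": "Access to API using service account token"},
        {"vid": "KHV050", "severity": "medium", "location": "Local to Pod (kube-hunter-59x7z)",
         "category": "Credential Access // Access container service account",
         "vulnerability": "Read access to pod's service account token"},
    ],
})

def load_report(text):
    report = json.loads(text)  # nodes and findings, as the report lists them
    return report.get("nodes", []), report.get("vulnerabilities", [])

def summarize(findings):
    """Count findings per severity and per MITRE tactic (text before '//')."""
    by_sev = Counter(f["severity"] for f in findings)
    by_tactic = Counter(f["category"].split("//")[0].strip() for f in findings)
    return by_sev, by_tactic

def gate(findings, fail_on=("high", "medium"), deny_vids=("KHV050",)):
    """Findings that should fail a CI check: severity in fail_on or ID in deny_vids."""
    return [f for f in findings if f["severity"] in fail_on or f["vid"] in deny_vids]

def main():
    nodes, findings = load_report(SAMPLE_REPORT)
    by_sev, by_tactic = summarize(findings)
    print(f"{len(nodes)} node(s), {len(findings)} finding(s); by severity: {dict(by_sev)}; by tactic: {dict(by_tactic)}")
    failing = gate(findings)
    for f in failing:  # these are the IDs to look up on https://avd.aquasec.com/
        print(f"FAIL {f['vid']:<7} {f['severity']:<7} {f['location']:<35} {f['vulnerability']}")
    return 1 if failing else 0  # non-zero exit fails the pipeline step

if __name__ == "__main__":
    raise SystemExit(main())
```

In a real pipeline, replace SAMPLE_REPORT with the file written by kube-hunter and tune fail_on and deny_vids to the findings your team has decided must never ship.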

Thanks!!
