Kube-hunter - An open source tool that hunts for security issues in your Kubernetes clusters.
Kube-hunter hunts for security weaknesses in Kubernetes clusters. This tool was developed to increase awareness and visibility for security issues in Kubernetes environments.
Kube-hunter GitHub
https://github.com/aquasecurity/kube-hunter
Ways to Run kube-hunter
There are three ways to deploy kube-hunter: as a pod inside the cluster, on a machine, or as a container.
Pod
Running kube-hunter in pod mode inside the cluster shows what an attacker who had compromised a pod could reach from there.
- Go to the kube-hunter GitHub repo and deploy the job.yaml it provides
- Find the pod name
- View the test results with kubectl logs
kubectl create -f https://raw.githubusercontent.com/aquasecurity/kube-hunter/main/job.yaml
kubectl describe job kube-hunter
kubectl logs <pod name>
root@Aprakash:~# kubectl logs kube-hunter-59x7z
2022-01-20 06:54:05,667 INFO kube_hunter.modules.report.collector Started hunting
2022-01-20 06:54:05,672 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2022-01-20 06:54:05,676 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-59x7z)
2022-01-20 06:54:05,676 INFO kube_hunter.modules.report.collector
Nodes
+-------------+------------+
| TYPE | LOCATION |
+-------------+------------+
| Node/Master | 10.244.1.1 |
+-------------+------------+
| Node/Master | 10.240.0.5 |
+-------------+------------+
| Node/Master | 10.240.0.4 |
+-------------+------------+
| Node/Master | 10.0.0.1 |
+-------------+------------+
Vulnerabilities
For further information about a vulnerability, search its ID in:
https://avd.aquasec.com/
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID | LOCATION | MITRE CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None | Local to Pod (kube- | Lateral Movement // | CAP_NET_RAW Enabled | CAP_NET_RAW is | |
| | hunter-59x7z) | ARP poisoning and IP | | enabled by default | |
| | | spoofing | | for pods. | |
| | | | | If an attacker | |
| | | | | manages to | |
| | | | | compromise a pod, | |
| | | | | they could | |
| | | | | potentially take | |
| | | | | advantage of this | |
| | | | | capability to | |
| | | | | perform network | |
| | | | | attacks on other | |
| | | | | pods running on the | |
| | | | | same node | |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV002 | 10.0.0.1:443 | Initial Access // | K8s Version | The kubernetes | v1.21.7 |
| | | Exposed sensitive | Disclosure | version could be | |
| | | interfaces | | obtained from the | |
| | | | | /version endpoint | |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV003 | Local to Pod (kube- | Discovery // | Azure Metadata | Access to the Azure | cidr: 10.240.0.0/16 |
| | hunter-59x7z) | Instance Metadata | Exposure | Metadata API exposes | |
| | | API | | information about | |
| | | | | the machines | |
| | | | | associated with the | |
| | | | | cluster | |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV005 | 10.0.0.1:443 | Discovery // Access | Access to API using | The API Server port | b'{"kind":"APIVersio |
| | | the K8S API Server | service account | is accessible. | ns","versions":["v1" |
| | | | token | Depending on | ],"serverAddressByCl |
| | | | | your RBAC settings | ientCIDRs":[{"client |
| | | | | this could expose | CIDR":"0.0.0.0/0","s |
| | | | | access to or control | ... |
| | | | | of your cluster. | |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None | Local to Pod (kube- | Credential Access // | Access to pod's | Accessing the pod's | ['/var/run/secrets/k |
| | hunter-59x7z) | Access container | secrets | secrets within a | ubernetes.io/service |
| | | service account | | compromised pod | account/namespace', |
| | | | | might disclose | '/var/run/secrets/ku |
| | | | | valuable data to a | bernetes.io/servicea |
| | | | | potential attacker | ... |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV050 | Local to Pod (kube- | Credential Access // | Read access to pod's | Accessing the pod | eyJhbGciOiJSUzI1NiIs |
| | hunter-59x7z) | Access container | service account | service account | ImtpZCI6Im5VRURSVTBh |
| | | service account | token | token gives an | R01YZzdPY2sxNXF2T1Ez |
| | | | | attacker the option | cDM5dmtlTkZsY29GdDg4 |
| | | | | to use the server | MG12M2cifQ.eyJhdWQiO |
| | | | | API | ... |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
root@Aprakash:~/security#
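The job output above is a plain-text table, so the findings have to be pulled out of it before they can be acted on (for example to fail a pipeline while a pod can read its service-account token). The following is an added example, not kube-hunter's own code: it parses the plain report into one dict per finding, re-joins the cells the table wrapped, and applies a small pass/fail policy. The sample report is a trimmed copy of the output above, and the blocking IDs and categories are assumptions chosen for the example.

```python
"""Parse a kube-hunter plain-text report and apply a simple pass/fail policy."""
import sys

# Constructed sample: a trimmed copy of the plain-text report kube-hunter
# prints (same layout as the `kubectl logs` output of the job above).
SAMPLE_REPORT = """\
Nodes
+-------------+------------+
| TYPE        | LOCATION   |
+-------------+------------+
| Node/Master | 10.0.0.1   |
+-------------+------------+
Vulnerabilities
For further information about a vulnerability, search its ID in:
https://avd.aquasec.com/
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID     | LOCATION             | MITRE CATEGORY       | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-  | Lateral Movement //  | CAP_NET_RAW Enabled  | CAP_NET_RAW is       |                      |
|        | hunter-59x7z)        | ARP poisoning and IP |                      | enabled by default   |                      |
|        |                      | spoofing             |                      | for pods.            |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV002 | 10.0.0.1:443         | Initial Access //    | K8s Version          | The kubernetes       | v1.21.7              |
|        |                      | Exposed sensitive    | Disclosure           | version could be     |                      |
|        |                      | interfaces           |                      | obtained from the    |                      |
|        |                      |                      |                      | /version endpoint    |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV050 | Local to Pod (kube-  | Credential Access // | Read access to pod's | Accessing the pod    | eyJhbGciOiJSUzI1NiIs |
|        | hunter-59x7z)        | Access container     | service account      | service account      | ImtpZCI6Im5VRURSVTBh |
|        |                      | service account      | token                | token gives an       | ...                  |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
"""

# Example policy (an assumption, not kube-hunter's): block when the pod's
# service-account token is readable or usable against the API server, or
# when any finding falls under the Credential Access tactic.
BLOCKING_IDS = {"KHV005", "KHV050"}
BLOCKING_CATEGORIES = ("Credential Access",)


def _split_cells(line):
    """Split one '| a | b |' row line into stripped cell strings."""
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


def _join_wrapped(parts, evidence=False):
    """Re-join cell fragments that the report wrapped across several lines.
    Words get a space between them, a fragment ending in '-' was split inside
    a name (kube-/hunter-59x7z), and EVIDENCE is a single wrapped token."""
    text = ""
    for part in parts:
        if not text or evidence or text.endswith("-"):
            text += part
        else:
            text += " " + part
    return text


def _merge_block(header, block):
    """Turn the '|' lines of one table row into a dict keyed by column name."""
    row = {}
    for col, name in enumerate(header):
        parts = [cells[col] for cells in block if col < len(cells) and cells[col]]
        row[name] = _join_wrapped(parts, evidence=(name == "EVIDENCE"))
    return row


def parse_tables(text):
    """Return every ASCII table in the report as (header, rows) tuples."""
    tables, header, rows, block = [], None, [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("|"):
            block.append(_split_cells(line))
        elif line.startswith("+") and block:
            # a separator closes a block; the first block of a table is its header
            if header is None:
                header = block[0]
            else:
                rows.append(_merge_block(header, block))
            block = []
        elif not line.startswith("+") and header is not None:
            # any non-table line (section title, log line) ends the current table
            tables.append((header, rows))
            header, rows = None, []
    if header is not None:
        tables.append((header, rows))
    return tables


def parse_findings(text):
    """Return the rows of the Vulnerabilities table; the literal 'None' ID becomes None."""
    for header, rows in parse_tables(text):
        if "ID" in header and "VULNERABILITY" in header:
            for row in rows:
                if row["ID"] == "None":
                    row["ID"] = None
            return rows
    return []


def blocking_findings(findings):
    """Findings that violate the example policy above."""
    return [f for f in findings
            if f["ID"] in BLOCKING_IDS
            or f["MITRE CATEGORY"].startswith(BLOCKING_CATEGORIES)]


def gate(report_text):
    """Return 0 when nothing blocks, else 1 (usable directly as a CI exit code)."""
    blocked = blocking_findings(parse_findings(report_text))
    for f in blocked:
        print(f"BLOCK {f['ID'] or '-'}: {f['VULNERABILITY']} at {f['LOCATION']}")
    return 1 if blocked else 0


if __name__ == "__main__":
    # usage: kubectl logs <pod name> | python3 kube_hunter_gate.py
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(gate(text or SAMPLE_REPORT))
```

Pipe `kubectl logs <pod name>` into the script and it exits 1 for the report shown above, because KHV050 is both a blocking ID and a Credential Access finding. Wrapped evidence is re-joined without spaces, but the report itself truncates long evidence with `...`, so the JSON and token values are only prefixes; if you need the full evidence, kube-hunter can also be started with `--report json`, which is easier to parse than the table.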
On Machine
pip install kube-hunter
kube-hunter
From source
git clone https://github.com/aquasecurity/kube-hunter.git
cd ./kube-hunter
pip install -r requirements.txt
python3 kube_hunter
Container
docker run -it --rm --network host aquasec/kube-hunter
Remediation
For further information about a vulnerability, search the vulnerability ID in:
https://avd.aquasec.com. Remediation steps for each vulnerability are listed there. All vulnerabilities KB
Thanks!!