<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Aprakash</title>
    <description>The latest articles on DEV Community by Aprakash (@anuroop08).</description>
    <link>https://dev.to/anuroop08</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F799952%2Fa6267ecb-1ac3-438b-bc81-1081119cc912.jpeg</url>
      <title>DEV Community: Aprakash</title>
      <link>https://dev.to/anuroop08</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/anuroop08"/>
    <language>en</language>
    <item>
      <title>kube-hunter : Kubernetes Security</title>
      <dc:creator>Aprakash</dc:creator>
      <pubDate>Thu, 20 Jan 2022 16:55:11 +0000</pubDate>
      <link>https://dev.to/anuroop08/kube-hunter-k8s-security-3ihh</link>
      <guid>https://dev.to/anuroop08/kube-hunter-k8s-security-3ihh</guid>
<description>&lt;p&gt;&lt;strong&gt;&lt;a href="https://github.com/aquasecurity/kube-hunter" rel="noopener noreferrer"&gt;&lt;em&gt;Kube-hunter&lt;/em&gt;&lt;/a&gt;&lt;/strong&gt; - &lt;em&gt;An open source tool that hunts for security issues in your Kubernetes clusters.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Kube-hunter hunts for security weaknesses in Kubernetes clusters by probing them the way an attacker would: it discovers nodes and exposed services (API server, kubelet, etcd, dashboard and so on) and reports what it can reach from where it runs. The tool was developed to increase awareness and visibility of security issues in Kubernetes environments. By default it runs only passive tests; the --active flag enables active hunters that can change cluster state, so run it only against clusters you own or are authorised to test.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Kube-hunter Github&lt;/strong&gt;&lt;br&gt;
&lt;a href="https://github.com/aquasecurity/kube-hunter" rel="noopener noreferrer"&gt;https://github.com/aquasecurity/kube-hunter&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ways to Run kube-hunter&lt;/strong&gt;&lt;br&gt;
There are three ways to run kube-hunter: as a pod inside the cluster, directly on a machine, or as a container. Running it from a machine or container outside the cluster shows what a remote attacker can reach; running it as a pod shows what an attacker who has already compromised a workload can reach.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;&lt;strong&gt;Pod&lt;/strong&gt;&lt;/em&gt;&lt;br&gt;
Running kube-hunter as a pod inside the cluster indicates how exposed the cluster would be if one of your application pods were compromised: the scan runs from the pod's network position and with the service account token that is mounted into it.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Go to the kube-hunter github repo and deploy the job.yaml&lt;/li&gt;
&lt;li&gt;Find the pod name&lt;/li&gt;
&lt;li&gt;View the test results with kubectl logs&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;kubectl create -f https://raw.githubusercontent.com/aquasecurity/kube-hunter/main/job.yaml
kubectl describe job kube-hunter
kubectl logs &amp;lt;pod name&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;root@Aprakash:~# kubectl logs kube-hunter-59x7z
2022-01-20 06:54:05,667 INFO kube_hunter.modules.report.collector Started hunting
2022-01-20 06:54:05,672 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
2022-01-20 06:54:05,676 INFO kube_hunter.modules.report.collector Found vulnerability "Read access to pod's service account token" in Local to Pod (kube-hunter-59x7z)
2022-01-20 06:54:05,676 INFO kube_hunter.modules.report.collector
  Nodes
+-------------+------------+
| TYPE        | LOCATION   |
+-------------+------------+
| Node/Master | 10.244.1.1 |
+-------------+------------+
| Node/Master | 10.240.0.5 |
+-------------+------------+
| Node/Master | 10.240.0.4 |
+-------------+------------+
| Node/Master | 10.0.0.1   |
+-------------+------------+

Vulnerabilities
For further information about a vulnerability, search its ID in:
https://avd.aquasec.com/
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| ID     | LOCATION             | MITRE CATEGORY       | VULNERABILITY        | DESCRIPTION          | EVIDENCE             |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-  | Lateral Movement //  | CAP_NET_RAW Enabled  | CAP_NET_RAW is       |                      |
|        | hunter-59x7z)        | ARP poisoning and IP |                      | enabled by default   |                      |
|        |                      | spoofing             |                      | for pods.            |                      |
|        |                      |                      |                      |     If an attacker   |                      |
|        |                      |                      |                      | manages to           |                      |
|        |                      |                      |                      | compromise a pod,    |                      |
|        |                      |                      |                      |     they could       |                      |
|        |                      |                      |                      | potentially take     |                      |
|        |                      |                      |                      | advantage of this    |                      |
|        |                      |                      |                      | capability to        |                      |
|        |                      |                      |                      | perform network      |                      |
|        |                      |                      |                      |     attacks on other |                      |
|        |                      |                      |                      | pods running on the  |                      |
|        |                      |                      |                      | same node            |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV002 | 10.0.0.1:443         | Initial Access //    | K8s Version          | The kubernetes       | v1.21.7              |
|        |                      | Exposed sensitive    | Disclosure           | version could be     |                      |
|        |                      | interfaces           |                      | obtained from the    |                      |
|        |                      |                      |                      | /version endpoint    |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV003 | Local to Pod (kube-  | Discovery //         | Azure Metadata       | Access to the Azure  | cidr: 10.240.0.0/16  |
|        | hunter-59x7z)        | Instance Metadata    | Exposure             | Metadata API exposes |                      |
|        |                      | API                  |                      | information about    |                      |
|        |                      |                      |                      | the machines         |                      |
|        |                      |                      |                      | associated with the  |                      |
|        |                      |                      |                      | cluster              |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV005 | 10.0.0.1:443         | Discovery // Access  | Access to API using  | The API Server port  | b'{"kind":"APIVersio |
|        |                      | the K8S API Server   | service account      | is accessible.       | ns","versions":["v1" |
|        |                      |                      | token                |     Depending on     | ],"serverAddressByCl |
|        |                      |                      |                      | your RBAC settings   | ientCIDRs":[{"client |
|        |                      |                      |                      | this could expose    | CIDR":"0.0.0.0/0","s |
|        |                      |                      |                      | access to or control | ...                  |
|        |                      |                      |                      | of your cluster.     |                      |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| None   | Local to Pod (kube-  | Credential Access // | Access to pod's      | Accessing the pod's  | ['/var/run/secrets/k |
|        | hunter-59x7z)        | Access container     | secrets              | secrets within a     | ubernetes.io/service |
|        |                      | service account      |                      | compromised pod      | account/namespace',  |
|        |                      |                      |                      | might disclose       | '/var/run/secrets/ku |
|        |                      |                      |                      | valuable data to a   | bernetes.io/servicea |
|        |                      |                      |                      | potential attacker   | ...                  |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
| KHV050 | Local to Pod (kube-  | Credential Access // | Read access to pod's | Accessing the pod    | eyJhbGciOiJSUzI1NiIs |
|        | hunter-59x7z)        | Access container     | service account      | service account      | ImtpZCI6Im5VRURSVTBh |
|        |                      | service account      | token                | token gives an       | R01YZzdPY2sxNXF2T1Ez |
|        |                      |                      |                      | attacker the option  | cDM5dmtlTkZsY29GdDg4 |
|        |                      |                      |                      | to use the server    | MG12M2cifQ.eyJhdWQiO |
|        |                      |                      |                      | API                  | ...                  |
+--------+----------------------+----------------------+----------------------+----------------------+----------------------+
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
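&lt;p&gt;In a pipeline you want the findings as data rather than as the table above. The script below is an added example, not code from the original post or from the kube-hunter project: it triages a kube-hunter JSON report and exits non-zero when anything at or above a severity threshold is present. It assumes the report was produced with kube-hunter --report json (in pod mode, by extending the Job container's args to --pod --report json --log none) and that the report uses the top-level keys nodes, services and vulnerabilities with the per-finding keys vid, severity, location, vulnerability and evidence. SAMPLE_REPORT is constructed to mirror the findings in the log above, with illustrative severities and shortened evidence. The script also redacts anything that looks like a JWT, because kube-hunter prints the pod's service account token verbatim as evidence for KHV050, which makes an unredacted report a leaked credential.&lt;/p&gt;

```python
"""Triage a kube-hunter JSON report and fail a CI gate on serious findings.

Added example for this post; not code from the article or from kube-hunter.
Assumes a report from "kube-hunter --report json" with top-level keys
"nodes", "services", "vulnerabilities" and per-finding keys "vid",
"severity", "location", "vulnerability", "evidence". SAMPLE_REPORT is
constructed (illustrative severities, shortened evidence).
"""
import json
import sys

# Higher rank = more serious; any unknown severity ranks 0.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

POD = "Local to Pod (kube-hunter-59x7z)"
API = "10.0.0.1:443"

# Constructed sample mirroring the findings in the kubectl logs above.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.1"}],
    "services": [{"service": "API Server", "location": API}],
    "vulnerabilities": [
        {"vid": "None", "location": POD, "severity": "low",
         "vulnerability": "CAP_NET_RAW Enabled", "evidence": ""},
        {"vid": "KHV002", "location": API, "severity": "medium",
         "vulnerability": "K8s Version Disclosure", "evidence": "v1.21.7"},
        {"vid": "KHV003", "location": POD, "severity": "medium",
         "vulnerability": "Azure Metadata Exposure",
         "evidence": "cidr: 10.240.0.0/16"},
        {"vid": "KHV005", "location": API, "severity": "medium",
         "vulnerability": "Access to API using service account token",
         "evidence": "b'{\"kind\":\"APIVersions\" ... (shortened)'"},
        {"vid": "KHV050", "location": POD, "severity": "medium",
         "vulnerability": "Read access to pod's service account token",
         "evidence": "eyJhbGciOiJSUzI1NiIsImtpZCI6 ... (constructed, shortened)"},
    ],
})


def load_report(text):
    """Parse the JSON report, tolerating a missing vulnerabilities list."""
    report = json.loads(text)
    report.setdefault("vulnerabilities", [])
    return report


def redact_evidence(evidence):
    """Replace anything that looks like a JWT with a marker.

    KHV050 evidence is the pod's service account token itself (see the
    table above). A base64url JWT header always starts with "eyJ", the
    encoding of the bytes '{"', so that prefix is the cheap tell.
    """
    evidence = str(evidence or "")
    return "[redacted JWT]" if evidence.startswith("eyJ") else evidence


def rank(severity):
    return SEVERITY_RANK.get(str(severity).lower(), 0)


def count_by_severity(report):
    """Histogram of findings by severity, e.g. {"low": 1, "medium": 4}."""
    counts = {}
    for finding in report["vulnerabilities"]:
        sev = str(finding.get("severity", "unknown")).lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(report, threshold="medium"):
    """Return (passed, failing): passed is True when nothing is at or above
    threshold; failing lists the offenders with their evidence redacted."""
    if str(threshold).lower() not in SEVERITY_RANK:
        raise ValueError("threshold must be one of " + ", ".join(SEVERITY_RANK))
    failing = []
    for finding in report["vulnerabilities"]:
        if rank(finding.get("severity")) >= rank(threshold):
            scrubbed = dict(finding)  # copy: never write the token back
            scrubbed["evidence"] = redact_evidence(finding.get("evidence"))
            failing.append(scrubbed)
    return (len(failing) == 0, failing)


def main(argv):
    """python triage.py [report.json] [low|medium|high]; exit 1 = gate failed."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT  # no file given: evaluate the constructed sample
    threshold = argv[2] if len(argv) > 2 else "medium"
    report = load_report(text)
    passed, failing = gate(report, threshold)
    print("findings by severity:", count_by_severity(report))
    for f in failing:
        print(f"{f['vid']:8}{f['severity']:8}{f['location']}: "
              f"{f['vulnerability']} [{f['evidence']}]")
    print("gate", "passed" if passed else "FAILED", "at threshold", threshold)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

&lt;p&gt;With no arguments the script evaluates the embedded sample and exits 1, since four medium findings are present; python triage.py report.json high gates only on high findings. Whatever threshold you choose, keep the redaction: the raw kubectl logs output and the JSON report both contain the token until the Job is deleted.&lt;/p&gt;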


&lt;p&gt;&lt;em&gt;&lt;strong&gt;On Machine&lt;/strong&gt;&lt;/em&gt;&lt;br&gt;
Install from PyPI and run it on a machine that can reach the cluster's network. Started without arguments, kube-hunter prompts for the scan type: remote scanning of given hosts, scanning of the local network interfaces, or scanning of an IP range. The same choices are available without the prompt through --remote, --interface and --cidr.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;pip install kube-hunter
kube-hunter
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;From source&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;git clone https://github.com/aquasecurity/kube-hunter.git
cd ./kube-hunter
pip install -r requirements.txt
python3 kube_hunter
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;em&gt;&lt;strong&gt;Container&lt;/strong&gt;&lt;/em&gt;&lt;br&gt;
The official image from Aqua runs the same interactive prompt; --network host puts the container on the host's network stack, so interface and IP-range scans see exactly what the host sees.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;docker run -it --rm --network host aquasec/kube-hunter
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Remediation&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;For further information about a vulnerability, search its ID (for example KHV050) in:&lt;br&gt;
&lt;a href="https://avd.aquasec.com" rel="noopener noreferrer"&gt;https://avd.aquasec.com&lt;/a&gt;. Remediation steps for each vulnerability are listed in the knowledge base: &lt;a href="https://aquasecurity.github.io/kube-hunter/kbindex.html" rel="noopener noreferrer"&gt;&lt;em&gt;All vulnerabilities KB&lt;/em&gt;&lt;/a&gt;. Findings reported with ID None (such as CAP_NET_RAW Enabled above) have no KHV identifier to look up, so their description column is the guidance. Note also that the report prints evidence verbatim, including the pod's service account token for KHV050, so treat saved reports and the pod's logs as secrets.&lt;br&gt;
&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ivaupt1y1pr899bci0r.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5ivaupt1y1pr899bci0r.png" alt="kube-hunter"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Thanks!!&lt;/p&gt;

</description>
      <category>kubernetes</category>
      <category>security</category>
      <category>kubehunter</category>
      <category>devops</category>
    </item>
  </channel>
</rss>
