scanning_k8s

Scanning Kubernetes with kube-hunter

kube-hunter is a tool by Aqua Security that hunts for security weaknesses in Kubernetes clusters. It can be run as a Job within the cluster or remotely against a cluster.

Project Repository: https://github.com/aquasecurity/kube-hunter

1. Overview

kube-hunter performs a series of tests based on known vulnerabilities and misconfigurations.

Passive mode: Runs tests that do not interfere with cluster operations (e.g., checking for exposed dashboards, open ports).
Active mode: Extends passive tests by attempting to use discovered vulnerabilities to simulate attacks. This mode is more intrusive and should be used with caution, especially on production systems.

2. Running `kube-hunter` as a Job in-Cluster

This method runs kube-hunter from within a pod in your cluster, allowing it to discover and test internal services.

2.1 Cloning `kube-hunter` for Job Manifests

The kube-hunter GitHub repository contains example YAML files for running it as a Job.

Clone the repository:

git clone https://github.com/aquasecurity/kube-hunter.git

Navigate to the cloned directory:

cd kube-hunter
# The job.yaml file is typically in this directory or a subdirectory like 'job'.

2.2 Passive Scan Mode

Deploy the kube-hunter Job (Passive Mode): The default job.yaml usually runs kube-hunter in passive mode (often with the --pod argument to scan from within a pod).

# Ensure job.yaml is present. Its exact path might be in the root of the
# cloned 'kube-hunter' repository or a subdirectory like 'job/'. Adjust path if needed.
kubectl apply -f ./job.yaml

Check Job Status and Pod Logs:

kubectl describe job kube-hunter
# Find the pod name created by the job
kubectl get pods -l job-name=kube-hunter
# Example: KH_PASSIVE_POD=kube-hunter-h2vdp (replace with your actual pod name)
KH_PASSIVE_POD=$(kubectl get pods -l job-name=kube-hunter -o jsonpath='{.items[0].metadata.name}')
echo "Passive scan pod name: $KH_PASSIVE_POD"

# Wait for the pod to complete, then get logs
echo "Waiting for pod to complete... (check status with 'kubectl get pods -l job-name=kube-hunter')"
# kubectl wait --for=condition=complete job/kube-hunter --timeout=300s # Optional: wait command

kubectl logs "$KH_PASSIVE_POD" > myresultspassive.txt

View Passive Scan Results:
```
cat myresultspassive.txt
```

2.3 Active Scan Mode

Active scanning attempts to exploit discovered vulnerabilities. Use with caution.

Delete the Previous Job (if any):

kubectl delete job kube-hunter --ignore-not-found=true
# Or delete by file if you applied it that way:
# kubectl delete -f ./job.yaml --ignore-not-found=true

(Added --ignore-not-found=true)

Modify job.yaml for Active Scanning: Edit the job.yaml file. You need to add the --active flag to the args section of the container spec.
For example, change:
```
#      args:
#        - "--pod"
```
to:
```
#      args:
#        - "--pod"
#        - "--active"
```
(The exact structure of args in your job.yaml might vary. Ensure you add --active correctly to the list of arguments passed to the kube-hunter command within the YAML.)
Note: The --active argument extends the tests to use findings to attempt further actions. This is more effective when run from within the cluster but carries more risk.
Deploy the Active Scan Job:
```
kubectl apply -f ./job.yaml
```

Check Job Status and Pod Logs (Active Scan):

kubectl describe job kube-hunter
# Find the new pod name
kubectl get pods -l job-name=kube-hunter
KH_ACTIVE_POD=$(kubectl get pods -l job-name=kube-hunter -o jsonpath='{.items[0].metadata.name}')
echo "Active scan pod name: $KH_ACTIVE_POD"

# Wait for completion, then get logs
echo "Waiting for pod to complete... (check status with 'kubectl get pods -l job-name=kube-hunter')"
# kubectl wait --for=condition=complete job/kube-hunter --timeout=300s # Optional

kubectl logs "$KH_ACTIVE_POD" > myresultsactive.txt

View Active Scan Results and Compare:
```
cat myresultsactive.txt
```
Review the differences between myresultspassive.txt and myresultsactive.txt. The active scan may report more findings or details.

3. Running `kube-hunter` Remotely

You can also run kube-hunter from a machine outside the cluster, targeting the cluster's exposed endpoints.

Install kube-hunter locally: On your scanning machine (e.g., the studentx-4.training.dockerhack.me placeholder from the original document, or your own machine), ensure you are in the cloned kube-hunter directory.
```
# cd path/to/kube-hunter # If not already there
pip3 install -r requirements.txt --user
```
Run Remote Scans:
- Scan a specific remote host (e.g., a Kubernetes API server or node): Replace target-node.example.com with the actual IP or hostname.
  ./kube-hunter.py --remote target-node.example.com --active
- Scan a CIDR range:
  ./kube-hunter.py --cidr 10.110.0.0/24 # Replace with your target CIDR
(Generalized placeholders.)

Home

Previousquick_apps Nextsecurity_options

Last updated 6 months ago