Scripts · Apr 20, 2026 · 3 min read

kube-hunter — Kubernetes Security Testing from an Attacker Perspective

kube-hunter is an open-source tool by Aqua Security that hunts for security weaknesses in Kubernetes clusters by simulating an attacker's discovery and exploitation process.

Introduction

kube-hunter is a penetration testing tool for Kubernetes developed by Aqua Security. It scans Kubernetes clusters for security issues by simulating what an attacker would do: discovering exposed services, checking for misconfigurations, and optionally attempting to exploit found vulnerabilities. It helps security teams identify weaknesses before real attackers do.

What kube-hunter Does

  • Discovers exposed Kubernetes API servers, Kubelets, and etcd instances on the network
  • Tests for common misconfigurations like anonymous authentication and insecure ports
  • Performs active exploitation tests to verify vulnerability severity when enabled
  • Supports scanning from outside the cluster (remote), inside a pod, or on the node network
  • Generates structured reports in plain text, JSON, or YAML for integration with security tooling

Architecture Overview

kube-hunter is written in Python and uses a modular hunter architecture. Scanning begins with a discovery phase that probes network ranges for Kubernetes-related services. Each discovered service triggers relevant hunter modules that test for specific vulnerabilities. In active mode, additional hunters attempt exploitation steps like reading secrets or escalating privileges. The framework uses an event-driven design where each finding can trigger follow-up hunters, mimicking an attacker's lateral movement. Results are aggregated into a final report with severity classifications.

Self-Hosting & Configuration

  • Install via pip (pip install kube-hunter) or run the official Docker image
  • Use --cidr to specify custom network ranges for remote scanning
  • Enable --active mode only in authorized test environments as it performs real exploitation
  • Deploy as a Kubernetes CronJob for periodic security assessments
  • Configure output format with --report flag (json, yaml, or plain)
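The JSON report is the usual hand-off point to other security tooling, and a CronJob run is only useful if someone acts on what it finds. The following is an added example, not part of kube-hunter itself, that triages a JSON report and returns a CI-style exit code when findings reach a chosen severity. The sample report and the KHV-PLACEHOLDER ids are constructed; the field names (vulnerabilities[].vid, severity, location, vulnerability) are assumed to match kube-hunter's JSON output and should be checked against a real run.

```python
# Added example (not kube-hunter's own code): triage a `kube-hunter --report json`
# report for a CronJob or CI step. Field names below are assumed; verify them
# against a real report before relying on this.
import json
from collections import Counter

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample resembling a kube-hunter JSON report (ids are placeholders).
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.10"}],
    "services": [{"service": "API Server", "location": "10.0.0.10:6443"},
                 {"service": "Kubelet API", "location": "10.0.0.11:10250"}],
    "vulnerabilities": [
        {"location": "10.0.0.10:6443", "vid": "KHV-PLACEHOLDER-1", "severity": "medium",
         "vulnerability": "API server reachable with service account token",
         "category": "Information Disclosure", "hunter": "constructed"},
        {"location": "10.0.0.11:10250", "vid": "KHV-PLACEHOLDER-2", "severity": "high",
         "vulnerability": "Kubelet allows anonymous access", "category": "constructed",
         "hunter": "constructed"},
        # Duplicate of the previous finding, as several hunters can report the same issue.
        {"location": "10.0.0.11:10250", "vid": "KHV-PLACEHOLDER-2", "severity": "high",
         "vulnerability": "Kubelet allows anonymous access", "category": "constructed",
         "hunter": "constructed"},
    ],
})

def load_findings(report_json):
    """Parse a report and drop duplicate findings (same vid at the same location)."""
    seen, findings = set(), []
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        key = (vuln.get("vid"), vuln.get("location"))
        if key not in seen:
            seen.add(key)
            findings.append(vuln)
    return findings

def severity_counts(findings):
    """Count findings per severity label (lower-cased; unknown labels kept as 'unknown')."""
    return Counter(f.get("severity", "unknown").lower() for f in findings)

def findings_at_or_above(findings, threshold="high"):
    """Return findings whose severity is at least `threshold`; unknown labels never match."""
    min_rank = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "").lower(), 0) >= min_rank]

def gate(report_json, threshold="high"):
    """CI exit code: 1 if any deduplicated finding meets the threshold, else 0."""
    blocking = findings_at_or_above(load_findings(report_json), threshold)
    for f in blocking:
        print(f"[{f['severity'].upper()}] {f['vid']} {f['vulnerability']} at {f['location']}")
    return 1 if blocking else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_REPORT))
```

Pipe a real report in place of SAMPLE_REPORT (for example by reading the file kube-hunter wrote) and fail the job on a non-zero return.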

Key Features

  • Three scan modes: remote (external attacker), pod (compromised container), and node (compromised node)
  • Active hunting mode that validates vulnerabilities through safe exploitation attempts
  • Modular hunter framework making it easy to add custom security checks
  • CronJob deployment pattern for continuous Kubernetes security monitoring
  • Maps findings to CIS Kubernetes Benchmark and common CVEs

Comparison with Similar Tools

  • kube-bench — checks node configurations against CIS benchmarks; kube-hunter tests from an attacker perspective
  • Kubescape — broader Kubernetes security platform with policy enforcement and image scanning
  • Trivy — focuses on container image and IaC vulnerability scanning rather than live cluster testing
  • Falco — runtime threat detection system, not a proactive scanning tool
  • Nuclei — general-purpose vulnerability scanner that can target Kubernetes but lacks K8s-specific hunters

FAQ

Q: Is it safe to run kube-hunter against production clusters? A: In passive mode (default), kube-hunter only probes and reads — it does not modify anything. Active mode attempts exploitation and should only be used in test environments or with explicit authorization.

Q: What is the difference between remote and pod scanning modes? A: Remote mode simulates an external attacker scanning from outside the cluster. Pod mode runs inside a container and tests what a compromised pod could discover and access on the internal network.

Q: Does kube-hunter find CVEs in container images? A: No. kube-hunter focuses on cluster-level misconfigurations and exposed services. Use Trivy or Grype for container image vulnerability scanning.

Q: Can I extend kube-hunter with custom checks? A: Yes. The hunter framework is modular — you can write custom hunter classes that subscribe to discovery events and implement specific security tests.
