# kube-hunter — Kubernetes Security Testing from an Attacker Perspective

> kube-hunter is an open-source tool by Aqua Security that hunts for security weaknesses in Kubernetes clusters by simulating an attacker's discovery and exploitation process.

## Quick Use

```bash
# Install kube-hunter
pip install kube-hunter

# Run a remote scan against your cluster (--remote takes one or more host names or IPs)
kube-hunter --remote <node-ip-or-dns>

# Run from inside a pod (in-cluster scan)
kube-hunter --pod

# Run with active hunting (attempts exploitation)
kube-hunter --active --remote <node-ip-or-dns>

# Generate a JSON report
kube-hunter --remote <node-ip-or-dns> --report json
```

## Introduction

kube-hunter is a penetration testing tool for Kubernetes developed by Aqua Security. It scans Kubernetes clusters for security issues by simulating what an attacker would do: discovering exposed services, checking for misconfigurations, and optionally attempting to exploit the vulnerabilities it finds. It helps security teams identify weaknesses before real attackers do.

## What kube-hunter Does

- Discovers exposed Kubernetes API servers, Kubelets, and etcd instances on the network
- Tests for common misconfigurations such as anonymous authentication and insecure ports
- Performs active exploitation tests to verify vulnerability severity when enabled
- Supports scanning from outside the cluster (remote), inside a pod, or on the node network
- Generates structured reports in plain text, JSON, or YAML for integration with security tooling

## Architecture Overview

kube-hunter is written in Python and uses a modular hunter architecture. Scanning begins with a discovery phase that probes network ranges for Kubernetes-related services. Each discovered service triggers the relevant hunter modules, which test for specific vulnerabilities. In active mode, additional hunters attempt exploitation steps such as reading secrets or escalating privileges.
The framework uses an event-driven design in which each finding can trigger follow-up hunters, mimicking an attacker's lateral movement. Results are aggregated into a final report with severity classifications.

## Self-Hosting & Configuration

- Install via pip (`pip install kube-hunter`) or run the official Docker image
- Use `--cidr` to specify custom network ranges for remote scanning
- Enable `--active` mode only in authorized test environments, as it performs real exploitation
- Deploy as a Kubernetes CronJob for periodic security assessments
- Configure the output format with the `--report` flag (json, yaml, or plain)

## Key Features

- Three scan modes: remote (external attacker), pod (compromised container), and node (compromised node)
- Active hunting mode that validates vulnerabilities through safe exploitation attempts
- Modular hunter framework that makes it easy to add custom security checks
- CronJob deployment pattern for continuous Kubernetes security monitoring
- Maps findings to the CIS Kubernetes Benchmark and common CVEs

## Comparison with Similar Tools

- **kube-bench** — checks node configurations against CIS benchmarks; kube-hunter tests from an attacker perspective
- **Kubescape** — broader Kubernetes security platform with policy enforcement and image scanning
- **Trivy** — focuses on container image and IaC vulnerability scanning rather than live cluster testing
- **Falco** — runtime threat detection system, not a proactive scanning tool
- **Nuclei** — general-purpose vulnerability scanner that can target Kubernetes but lacks K8s-specific hunters

## FAQ

**Q: Is it safe to run kube-hunter against production clusters?**

A: In passive mode (default), kube-hunter only probes and reads — it does not modify anything. Active mode attempts exploitation and should only be used in test environments or with explicit authorization.
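Because passive scans are read-only, a common deployment is a scheduled `--pod --report json` run whose output feeds a CI/CD or alerting gate. The script below is an added example, not part of the original page or of the kube-hunter project; it assumes the JSON report layout of recent kube-hunter releases (a top-level `vulnerabilities` list whose entries carry `severity`, `vid`, `vulnerability` and `location`), and the embedded sample report and its `KHV-EXAMPLE-*` ids are constructed placeholders, not real kube-hunter findings.

```python
"""Fail a pipeline when a kube-hunter JSON report contains findings above a severity threshold."""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample report (not real scan output); vids are placeholders, not kube-hunter ids.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.1"}],
    "services": [{"service": "Kubelet API", "location": "10.0.0.1:10250"}],
    "vulnerabilities": [
        {"location": "10.0.0.1:10250", "vid": "KHV-EXAMPLE-A", "category": "Remote Code Execution",
         "severity": "high", "vulnerability": "Anonymous Kubelet access", "evidence": ""},
        {"location": "10.0.0.1:443", "vid": "KHV-EXAMPLE-B", "category": "Information Disclosure",
         "severity": "medium", "vulnerability": "API server version exposed", "evidence": "v1.x"},
        {"location": "10.0.0.1:443", "vid": "KHV-EXAMPLE-C", "category": "Information Disclosure",
         "severity": "low", "vulnerability": "Health endpoint readable", "evidence": ""},
    ],
})


def load_findings(report_text):
    """Parse a kube-hunter JSON report and return its vulnerability entries (assumed layout)."""
    return json.loads(report_text).get("vulnerabilities", [])


def findings_at_or_above(findings, threshold, allowlist=()):
    """Return findings at or above the threshold whose vid is not an accepted risk.

    An unknown severity string is ranked as high so a renamed level never slips past the gate.
    """
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for f in findings:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).lower(), SEVERITY_RANK["high"])
        if rank >= min_rank and f.get("vid") not in allowlist:
            blocking.append(f)
    return blocking


def gate(report_text, threshold="medium", allowlist=()):
    """Return (exit_code, summary_lines); exit code 1 means blocking findings remain."""
    blocking = findings_at_or_above(load_findings(report_text), threshold, allowlist)
    lines = [f"{str(f.get('severity', 'unknown')).upper():6} {f.get('vid')} "
             f"{f.get('vulnerability')} at {f.get('location')}" for f in blocking]
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    # Read a real report from stdin (kube-hunter --pod --report json | python gate.py); fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    code, summary = gate(text)
    print("\n".join(summary) or "no blocking findings")
    sys.exit(code)
```

Accepted risks are suppressed by vid rather than by name so that a reworded finding title does not silently reopen the gate.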
**Q: What is the difference between remote and pod scanning modes?**

A: Remote mode simulates an external attacker scanning from outside the cluster. Pod mode runs inside a container and tests what a compromised pod could discover and access on the internal network.

**Q: Does kube-hunter find CVEs in container images?**

A: No. kube-hunter focuses on cluster-level misconfigurations and exposed services. Use Trivy or Grype for container image vulnerability scanning.

**Q: Can I extend kube-hunter with custom checks?**

A: Yes. The hunter framework is modular — you can write custom hunter classes that subscribe to discovery events and implement specific security tests.

## Sources

- https://github.com/aquasecurity/kube-hunter
- https://aquasecurity.github.io/kube-hunter/

---

Source: https://tokrepo.com/en/workflows/5239346c-3cf7-11f1-9bc6-00163e2b0d79
Author: Script Depot