Aqua Security is probing for Kubernetes cluster security issues with the release of kube-hunter. The newly announced tool is open source and is designed to increase security awareness and visibility within Kubernetes environments.
According to the company, the tool performs automated penetration testing so that teams can discover weaknesses in their own deployments; it is intended only for clusters you own, not for clusters belonging to someone else.
“From outside the cluster, kube-hunter probes a domain or address range for open Kubernetes-related ports, and tests for any configuration issues that leave your cluster exposed to attackers. You’ll get a full report that highlights these security concerns,” according to the solution’s website.
Aqua Security also provides a containerized version of the tool that works in conjunction with the kube-hunter website.
By default, kube-hunter runs only passive hunters, but there is an option to turn on active hunting. Passive hunters are read-only: they discover services and inspect what they expose without changing anything. Active hunters attempt to exploit the issues they find in order to look for further ones, and so can perform state-changing operations on the cluster, which is why they are off unless explicitly enabled. Passive tests include certificate email hunting, proxy hunting, dashboard hunting and API server discovery. Active tests include a kubelet container logs hunter, a Kubernetes version hunter, a kubelet run hunter and a build date hunter.
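To make the passive/active distinction concrete, here is an added example written for this article; it is not kube-hunter's own code and does not use Aqua Security's hunter names or logic. It models one hunt in miniature: a TCP connect scan of a handful of well-known Kubernetes ports, read-only passive checks against whatever answers, and a single state-changing active check (a POST to the kubelet's `/run` endpoint, which executes a command inside a container) that is skipped unless `active=True`. The port list, the finding names and the fake local kubelet it scans are all constructed for the example so that it runs offline.

```python
"""Miniature kube-hunter-style hunt (added example, not kube-hunter's code).

Passive hunters only TCP-connect and send read-only GETs; active hunters send
requests that can change state and are skipped unless active=True.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import ProxyHandler, Request, build_opener

# Well-known Kubernetes ports. Assumption: a representative subset for the example.
K8S_PORTS = {6443: "kube-apiserver", 8080: "kube-apiserver (insecure)",
             2379: "etcd client", 10250: "kubelet", 10255: "kubelet read-only"}

# Bypass HTTP(S)_PROXY so the example always talks to the target directly.
_opener = build_opener(ProxyHandler({}))


def scan_ports(host, ports, timeout=0.3):
    """Discovery step: plain TCP connects, nothing is sent to the service."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def http_request(url, method="GET", timeout=1.0):
    """Return (status, body); status is None when nothing answered."""
    try:
        with _opener.open(Request(url, method=method), timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except (URLError, OSError):
        return None, ""


def passive_hunters(host, port):
    """Read-only checks: an unauthenticated /version leaks the cluster version."""
    findings = []
    status, body = http_request(f"http://{host}:{port}/version")
    if status == 200 and '"major"' in body:
        findings.append(("VersionDisclosure", body.strip()))
    status, body = http_request(f"http://{host}:{port}/pods")
    if status == 200 and '"items"' in body:
        findings.append(("ExposedPodList", "unauthenticated /pods"))
    return findings


def active_hunters(host, port):
    """State-changing check: kubelet /run executes a command in a container.
    Assumption: the namespace/pod/container path is illustrative only."""
    url = f"http://{host}:{port}/run/default/demo-pod/demo?cmd=id"
    status, body = http_request(url, method="POST")
    return [("KubeletRunExec", body.strip())] if status == 200 and "uid=" in body else []


def hunt(host, ports=K8S_PORTS, active=False):
    """Discovery, then passive hunters, then active hunters only on opt-in."""
    report = {}
    for port in scan_ports(host, ports):
        report[port] = passive_hunters(host, port)
        if active:
            report[port] += active_hunters(host, port)
    return report


class _FakeKubelet(BaseHTTPRequestHandler):
    """Constructed stand-in for an unauthenticated kubelet; responses are made up."""
    def _send(self, code, body):
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        if self.path == "/version":
            self._send(200, '{"major": "1", "minor": "11"}')
        elif self.path == "/pods":
            self._send(200, '{"kind": "PodList", "items": []}')
        else:
            self._send(404, "")

    def do_POST(self):
        self._send(200, "uid=0(root) gid=0(root)\n") if self.path.startswith("/run/") else self._send(404, "")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_target():
    """Bind a throwaway localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeKubelet)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_target()
    print("passive:", hunt("127.0.0.1", {port: "fake kubelet"}))
    print("active: ", hunt("127.0.0.1", {port: "fake kubelet"}, active=True))
    srv.shutdown()
```

The point to take from it is the gate in `hunt()`: everything before it is safe to run repeatedly against your own cluster, while the single line behind `active=True` sends a request that would execute a command inside a container if the target were real, which is exactly why such hunters must be opt-in and must only ever be pointed at infrastructure you own.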
“I don’t think we can say it too often: you must not use this on other people’s clusters! It would certainly be possible to use this code to attack other sites, but this is not our intention,” Liz Rice, software engineer for Aqua Security, wrote in a post. “We thought carefully before releasing kube-hunter about the potential use of this by the bad guys; but truth be told they probably already do similar kinds of tests through generic tools (e.g. port scanning). We want to arm Kubernetes administrators, operators and engineers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers.”