EN
ENNA

kube-hunter

Apache-2.0

๐Ÿ“ฆ Container Security ยท Python

kube-hunter is an open-source tool from Aqua Security that hunts for security weaknesses in Kubernetes clusters. It can run from outside the cluster (remote scanning), from a machine inside the network, or as a pod within the cluster itself to simulate different attacker perspectives. kube-hunter checks for a wide range of vulnerabilities including exposed API servers, kubelet API access, etcd access, privilege escalation paths, container escape vectors, and misconfigurations in RBAC, network policies, and pod security. Each finding includes a severity rating, description, and remediation guidance. The tool generates reports in JSON, YAML, or human-readable formats, making it easy to integrate into CI/CD pipelines or compliance workflows. kube-hunter is particularly valuable for security teams validating the hardening of their Kubernetes deployments.

5.0kstars
605forks
82issues
Updated 2y ago
View on GitHubDocumentation

Installation

pip

$ pip install kube-hunter

Docker

$ docker run -it --rm --network host aquasec/kube-hunter

as Pod

$ kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-hunter/main/job.yaml

Use Cases

  • Scanning Kubernetes clusters for exposed API servers and kubelet endpoints
  • Identifying RBAC misconfigurations and privilege escalation paths in clusters
  • Running as a pod to simulate insider attacker perspective within Kubernetes
  • Integrating cluster security scanning into CI/CD deployment pipelines
  • Validating Kubernetes hardening against CIS Kubernetes Benchmark

Tags

kubernetespentestcluster-securityrbacaqua-securitymisconfigurationhacktoberfestkubernetes-clustersvulnerabilities

Details

Category
๐Ÿ“ฆ Container Security
Language
Python
License
Apache-2.0
Platforms
๐Ÿงlinux๐ŸŽmacos๐ŸชŸwindows

Links

GitHub Repository

github.com/aquasecurity/kube-hunter

Documentation

aquasecurity.github.io/kube-hunter

Releases

github.com/aquasecurity/kube-hunter/releases

Issues

github.com/aquasecurity/kube-hunter/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Alternatives & Comparisons

Falco

C++

Cloud-native runtime security. Detects threats in containers, Kubernetes, and Linux hosts using system call monitoring and custom rules.

Compare kube-hunter vs Falco

CDK

Go

Container escape and exploitation toolkit. Zero-dependency binary for container pentesting with escape exploits and post-exploitation tools.

Compare kube-hunter vs CDK

Deepce

Shell

Docker enumeration and privilege escalation. Discover Docker containers, check for misconfigurations, and find escape paths.

Compare kube-hunter vs Deepce

Dockle

Go

Container image linter. Checks Docker images for security best practices, CIS benchmarks, and Dockerfile misconfigurations.

Compare kube-hunter vs Dockle

Syft

Go

Software Bill of Materials generator. Creates SBOMs from container images and filesystems in SPDX and CycloneDX formats.

Compare kube-hunter vs Syft

More in Container Security

Falco

C++

Cloud-native runtime security. Detects threats in containers, Kubernetes, and Linux hosts using system call monitoring and custom rules.

runtime-securityebpfkubernetes

CDK

Go

Container escape and exploitation toolkit. Zero-dependency binary for container pentesting with escape exploits and post-exploitation tools.

container-escapedockerkubernetes

Deepce

Shell

Docker enumeration and privilege escalation. Discover Docker containers, check for misconfigurations, and find escape paths.

dockerenumerationprivilege-escalation

Dockle

Go

Container image linter. Checks Docker images for security best practices, CIS benchmarks, and Dockerfile misconfigurations.

dockerlintercis-benchmark

Syft

Go

Software Bill of Materials generator. Creates SBOMs from container images and filesystems in SPDX and CycloneDX formats.

sbomsupply-chainspdx