Hello Folks.. I hope you all are doing so well. In this blog, we will be looking at How To Do Vulnerability Scanning In K8s With Kube-Hunter or a Vulnerability scanning tool, which is called as Kube-Hunter which is provided to us by AQUA Security.
We can use this tool to check if there are any Vulnerabilities in your Kubernetes Cluster.
There are many ways through which you can run this tool either you can download the binary of the latest release or You can use pip to install it.
- You should have a Kubernetes cluster running in your machine
- Make sure you have python 3 and pip installed
There are various ways through which you can install the Kube-hunter
- You can install it through pip
- Secondly, you can also install and use it as a docker container. It will do the scanning from outside the cluster.
- Thirdly you can run this as a pod and use it to scan your cluster for Vulnerabilities. Through this method we can do the scanning from inside the cluster.
- Lastly, you can directly download and install the latest binary
Now you must be wondering what is the difference between running Kube hunter from outside the cluster with docker container or pip and from inside the cluster with running as pod.
Running from outside the cluster will help you to get the vulnerabilities outside the cluster due to which anyone can get access to it and running you from inside. Will let you know about the vulnerabilities that are present inside.
To Install Kube-Hunter onto your machine run this command
pip install --user kube-hunter
Let’s check what options do we get through this tool
Now to check what all vulnerabilties do we have in our cluster , we need to run tests. So to check what all tests we can perform with Kube-hunter run this list command, and it will list all the test.
As you can see in the list , it has given all the test that it can perform along with its description about the test.
Scanning The Cluster :
Let’s Start doing the scans , For this you can run this command
Furthermore , You will be prompted with the list of options as shows below
This basically asks us to choose from the three types of scanning, Now let’s do the first one
Now when you choose option first. You will be asked to enter remotes IP’s separated by comma which you can get by running this command.
In your terminal which will give you the list of nodes in your cluster along with Their IP
kubectl get nodes -o wide
Note: For demo purpose, I have checked this tool on 1 clusters, one i created with minikube
Here in remotes, you have to give the IP of your nodes
Here you can see it says No vulnerabilities were found, along with that you will notice it has also given the list of services running on the nodes along with their description.
Since no vulnerabilities is found so we can say that no one can attack this cluster from outside.
Testing this tool on a Multi-Node Cluster
To test this, I created a multi-node cluster with 2 worker nodes and 1 master and on this, we will be doing the vulnerability scanning.
Let’s do a scanning on master node
You will see the vulnerability listed here with all the information. You can also visit the website and search about the vulnerability with its ID. Here you can see the Vulnerability is K8 version Disclosure and it has also given the description that the Kubernetes version could be obtained from the /version endpoint.
Now if you want to get the report of this scan in any of the formats either YAML or JSON or plain, You can visit the kube-hunter –help and see what else flags you have and you can run it by combining it.
suppose it we want to get the JSON format of Scanning
kube-hunter --remote 172.19.0.6 -- report json
Similarly, you can go for other formats as well. Now Let’s run this Kube-hunter as pod and see what vulnerabilities are present inside the cluster
Running Kube-Hunter as Pod
To run this as a pod, you can simply visit their website the find a configuration job file, which you can download and apply. Let’s see how the contents of that file looks like
--- apiVersion: batch/v1 kind: Job metadata: name: kube-hunter spec: template: metadata: labels: app: kube-hunter spec: containers: - name: kube-hunter image: aquasec/kube-hunter:0.6.8 command: ["kube-hunter"] args: ["--pod"] restartPolicy: Never
I hope it is easy to understand, now let’s apply this manifest through this command
kubectl apply -f filename
Now you might be wondering, we have run this pod but what about vulnerability scanning, in order to check the scanning results , you simply have to get the logs of the pod.
You can here see there are many vulnerabilities because we are running it as a pod inside the cluster. Now you can see each of these vulnerabilities has got an ID and you can visit the URL shown in the output there you can search this ID and you will find more information on this Vulnerability along with its remediation solution.
So; In this blog we have seen that how To Do Vulnerability Scanning In K8s With Kube-Hunter and what are the various ways we ran the kube hunter. I hope this blog will help you.