How To Do Vulnerability Scanning In K8s With Kube-Hunter :


Hello folks, I hope you are all doing well. In this blog we will look at how to do vulnerability scanning in K8s with Kube-Hunter, a vulnerability scanning tool provided to us by Aqua Security.

We can use this tool to check whether there are any known vulnerabilities in your Kubernetes cluster.

There are several ways to run this tool: you can download the binary of the latest release, or you can use pip to install it.

Prerequisite :

  1. You should have a Kubernetes cluster running on your machine
  2. Make sure you have Python 3 and pip installed

Installing Kube-Hunter

There are various ways to install Kube-hunter:

  1. You can install it through pip.
  2. Secondly, you can install and run it as a Docker container. This does the scanning from outside the cluster.
  3. Thirdly, you can run it as a pod and use it to scan your cluster for vulnerabilities. With this method the scanning is done from inside the cluster.
  4. Lastly, you can directly download and install the latest binary.

Now you might be wondering what the difference is between running Kube-hunter from outside the cluster (with the Docker container or the pip install) and from inside the cluster (running it as a pod).

Running from outside the cluster reports the vulnerabilities that are exposed outside the cluster, i.e. the ones anyone who can reach the nodes could take advantage of. Running from inside the cluster tells you about the vulnerabilities that are visible from within it.

To install Kube-Hunter on your machine, run this command:

pip install --user kube-hunter

Let’s check what options we get with this tool:

kube-hunter --help

Now, to find out what vulnerabilities we have in our cluster, we need to run tests. To see which tests Kube-hunter can perform, run the list command; it will print all the tests.

kube-hunter --list

As you can see in the list, it shows every test it can perform along with a description of that test.

Scanning The Cluster :

Let’s start the scan. For this you can run this command:

kube-hunter 

You will then be prompted with the list of options shown below.

It asks us to choose one of three types of scanning. Let’s do the first one.

When you choose the first option, you will be asked to enter the remote IPs, separated by commas. You can get these by running the following command in your terminal, which lists the nodes in your cluster along with their IPs:

kubectl get nodes -o wide

Note: For demo purposes, I have checked this tool on one cluster, which I created with minikube.

Here, in remotes, you have to give the IPs of your nodes.

Here you can see it says No vulnerabilities were found. Along with that, you will notice it has also listed the services running on the nodes, each with a description.

Since no vulnerabilities were found, we can say that Kube-hunter found nothing that would let someone attack this cluster from outside. Keep in mind that a clean result only covers the tests Kube-hunter knows about; it is not a guarantee that the cluster is secure.
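The remote prompt (and the --remote flag it corresponds to) wants the node IPs as a single comma-separated string, which is tedious to type by hand on anything bigger than minikube. The following is an added example, not code from the original post or from Kube-hunter, that pulls the addresses out of `kubectl get nodes -o json` and composes the non-interactive command line. The node JSON embedded below is a constructed sample for a one-master, two-worker cluster; the node names and addresses are made up. It assumes the `--remote` and `--report` flags, which `kube-hunter --help` lists.

```python
"""Build the comma-separated node IP list that kube-hunter's remote scan
expects, from the JSON that `kubectl get nodes -o json` prints.

Added example for this post; not part of kube-hunter itself.
"""
from __future__ import annotations

import json
import shlex

# Constructed sample of `kubectl get nodes -o json` (1 master, 2 workers).
# Names and addresses are invented for this example.
SAMPLE_NODES_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "demo-control-plane"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "172.19.0.2"},
             {"type": "Hostname", "address": "demo-control-plane"}]}},
        {"metadata": {"name": "demo-worker"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "172.19.0.3"},
             {"type": "Hostname", "address": "demo-worker"}]}},
        {"metadata": {"name": "demo-worker2"},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "172.19.0.4"},
             {"type": "ExternalIP", "address": "203.0.113.10"},
             {"type": "Hostname", "address": "demo-worker2"}]}},
    ],
})


def node_ips(nodes_json: str, address_type: str = "InternalIP") -> list[str]:
    """Return every node address of the given type, in node order.

    kube-hunter probes whatever IPs you hand it, so the address type decides
    the vantage point: "ExternalIP" shows what is reachable from the public
    side, "InternalIP" the view from the node network.
    """
    data = json.loads(nodes_json)
    ips: list[str] = []
    for node in data.get("items", []):
        for addr in node.get("status", {}).get("addresses", []):
            if addr.get("type") == address_type:
                ips.append(addr["address"])
    return ips


def remote_arg(ips: list[str]) -> str:
    """Join the IPs the way the interactive prompt expects: comma separated,
    no spaces."""
    return ",".join(ips)


def kube_hunter_cmd(ips: list[str], report: str = "json") -> str:
    """Compose a non-interactive kube-hunter invocation for those IPs.

    The command is returned as a string rather than executed, so it can be
    reviewed (and pasted into the terminal) before anything is scanned.
    """
    if not ips:
        raise ValueError("no node IPs found; nothing to scan")
    return shlex.join(["kube-hunter", "--remote", remote_arg(ips),
                       "--report", report])


if __name__ == "__main__":
    internal = node_ips(SAMPLE_NODES_JSON)
    print("internal node IPs:", remote_arg(internal))
    print(kube_hunter_cmd(internal))
```

In practice you would feed `kubectl get nodes -o json` to `node_ips` instead of the embedded sample; everything else stays the same.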

Testing this tool on a Multi-Node Cluster

To test this, I created a multi-node cluster with 2 worker nodes and 1 master, and on this we will be doing the vulnerability scanning.

Let’s do a scan on the master node.

You will see the vulnerability listed here with all its information. You can also visit the Kube-hunter website and search for the vulnerability by its ID. Here you can see the vulnerability is K8s Version Disclosure, and the description says that the Kubernetes version could be obtained from the /version endpoint.

Now, if you want the report of this scan in another format, either YAML, JSON or plain, check kube-hunter --help to see what other flags there are; you can combine them.

Suppose we want the scan results in JSON format:

kube-hunter --remote 172.19.0.6 --report json

Similarly, you can choose the other formats. Now let’s run Kube-hunter as a pod and see what vulnerabilities are present inside the cluster.

Running Kube-Hunter as Pod

To run this as a pod, visit their website and find the Job configuration file, which you can download and apply. Let’s see what the contents of that file look like:

---
apiVersion: batch/v1
kind: Job
metadata:
  name: kube-hunter
spec:
  template:
    metadata:
      labels:
        app: kube-hunter
    spec:
      containers:
        - name: kube-hunter
          image: aquasec/kube-hunter:0.6.8
          command: ["kube-hunter"]
          args: ["--pod"]
      restartPolicy: Never

I hope it is easy to understand. Now let’s apply this manifest with this command:

kubectl apply -f filename

Now you can check the list of pods to see whether it is running.

You might be wondering: we have run this pod, but where are the scan results? To check the results of the scan, you simply have to get the logs of the pod.

Here you can see there are many vulnerabilities, because we are running it as a pod inside the cluster. Each of these vulnerabilities has an ID. Visit the URL shown in the output and search for that ID there; you will find more information on the vulnerability along with its remediation.
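Both the --report json run above and the pod's logs (if the Job is given `--report json` as well) produce a JSON document, which is easier to act on than the table: a CI step can summarise it and fail the build when findings reach a chosen severity. The following is an added example, not code from the original post or from Kube-hunter. The report layout it relies on (a top-level "vulnerabilities" list whose entries carry "vid", "severity", "vulnerability", "location", "description" and "evidence") is my understanding of what Kube-hunter's JSON reporter emits and is an assumption to check against a real run; the embedded report is a constructed sample, and its IDs, evidence strings and descriptions are illustrative, not results of an actual scan.

```python
"""Summarise a kube-hunter JSON report and decide pass/fail for CI.

Added example for this post; not kube-hunter's own code. The report
structure assumed here should be verified against a real `--report json` run.
"""
from __future__ import annotations

import json
import sys
from collections import Counter

# Constructed sample report. IDs, evidence and descriptions are illustrative.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "172.19.0.6"}],
    "services": [
        {"service": "API Server", "location": "172.19.0.6:6443"},
        {"service": "Kubelet API", "location": "172.19.0.6:10250"},
    ],
    "vulnerabilities": [
        {"location": "172.19.0.6:6443", "vid": "KHV002",
         "category": "Information Disclosure", "severity": "medium",
         "vulnerability": "K8s Version Disclosure",
         "description": "The kubernetes version could be obtained from the /version endpoint",
         "evidence": "v1.25.0 (constructed)", "hunter": "Api Version Hunter"},
        {"location": "172.19.0.6:6443", "vid": "KHV005",
         "category": "Information Disclosure", "severity": "medium",
         "vulnerability": "Access to API using service account token",
         "description": "The API Server port is accessible (constructed entry)",
         "evidence": "APIVersions (constructed)", "hunter": "API Server Hunter"},
        {"location": "Local to Pod (kube-hunter)", "vid": "None",
         "category": "Access Risk", "severity": "low",
         "vulnerability": "Read access to pod's service account token",
         "description": "The pod can read its own service account token (constructed entry)",
         "evidence": "<token redacted in sample>", "hunter": "Access Secrets"},
    ],
})

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def load_report(text: str) -> dict:
    """Parse the JSON report out of text that may also contain log lines.

    `kubectl logs` can include lines kube-hunter prints before and after the
    report, so we locate the first '{' and decode one JSON object from there,
    ignoring whatever follows it.
    """
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object found in report text")
    report, _end = json.JSONDecoder().raw_decode(text, start)
    return report


def severity_counts(report: dict) -> dict[str, int]:
    """Number of findings per severity label (lower-cased)."""
    return dict(Counter(v.get("severity", "unknown").lower()
                        for v in report.get("vulnerabilities", [])))


def findings_at_or_above(report: dict, threshold: str) -> list[dict]:
    """Findings whose severity is at least `threshold`, highest first.

    Unknown severity labels are never counted as meeting the threshold.
    """
    floor = SEVERITY_ORDER[threshold]
    hits = [v for v in report.get("vulnerabilities", [])
            if SEVERITY_ORDER.get(v.get("severity", "").lower(), -1) >= floor]
    return sorted(hits, key=lambda v: SEVERITY_ORDER[v["severity"].lower()],
                  reverse=True)


def summarize(report: dict) -> list[str]:
    """One line per finding: severity, ID, name, location.

    The ID is what you search for on the site kube-hunter names in its
    output to get the full write-up and remediation.
    """
    return [f"[{v.get('severity', '?').upper():6}] {v.get('vid', '-'):7} "
            f"{v.get('vulnerability', '?')} @ {v.get('location', '?')}"
            for v in report.get("vulnerabilities", [])]


def gate(report: dict, fail_on: str = "medium") -> int:
    """Exit status for a CI job: 1 if any finding is at or above fail_on."""
    return 1 if findings_at_or_above(report, fail_on) else 0


if __name__ == "__main__":
    # Read a real report from stdin (e.g. `kubectl logs job/kube-hunter | python this.py`),
    # or fall back to the constructed sample when run without input.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    rep = load_report(text)
    print("\n".join(summarize(rep)))
    print("severity counts:", severity_counts(rep))
    sys.exit(gate(rep))
```

The threshold is deliberately a parameter: a cluster that is still being hardened might gate only on high findings at first, while a production pipeline would fail on medium, such as the version disclosure shown earlier.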

Conclusion :

In this blog we have seen how to do vulnerability scanning in K8s with Kube-Hunter and the various ways in which we can run it. I hope this blog will help you.

Happy Learning..

Reference :

https://kube-hunter.aquasec.com/

Written by 

Mayuri Dhote is a Software Consultant at Knoldus Software. She has completed her MCA from VIT University. She is very dedicated to her work and always ready to learn new things. Her practice area is DevOps. When not working, you will find her writing poems and poetry.