Kube-hunter
Definition
Kube-hunter is an open-source tool designed to identify security vulnerabilities in Kubernetes clusters. It performs active and passive reconnaissance to detect potential security issues, such as misconfigurations and exposed services, within the Kubernetes environment. Kube-hunter can be run in different modes, including remote scanning of a cluster or running as a pod within the cluster for more comprehensive analysis.
Secure Settings Example
# Example of a secure Kubernetes Pod configuration
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  containers:
  - name: secure-container
    image: nginx:latest
    securityContext:
      runAsNonRoot: true
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
  hostNetwork: false
  hostPID: false
  hostIPC: false
Insecure Settings Example
# Example of an insecure Kubernetes Pod configuration
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: nginx:latest
    securityContext:
      privileged: true
      runAsUser: 0
  hostNetwork: true
  hostPID: true
  hostIPC: true
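As an added example, not kube-hunter's own code and not from the original page, the following Python script applies the checks implied by the two manifests above to a parsed Pod manifest. It works on a plain dict (what yaml.safe_load or json.load returns) so no YAML library is needed; the two manifest dicts are constructed copies of the secure and insecure examples, and the finding texts are this example's own wording.

```python
"""Static audit of a Kubernetes Pod manifest for the settings contrasted above.

Added example (assumption: the manifest has already been parsed into a dict).
Pod-level host namespace flags and per-container securityContext fields are
checked; init containers are walked as well since they share the same fields.
"""
from typing import Any


def audit_pod(manifest: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings: list[str] = []
    spec = manifest.get("spec", {})
    name = manifest.get("metadata", {}).get("name", "<unnamed>")

    # Pod-level flags that share a host namespace with the container
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) is True:
            findings.append(f"{name}: spec.{field}=true shares the host {field[4:]} namespace")

    pod_sc = spec.get("securityContext", {})
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind, []):
            cname = container.get("name", "<unnamed>")
            sc = container.get("securityContext", {})
            path = f"{name}/{kind}/{cname}"

            if sc.get("privileged") is True:
                findings.append(f"{path}: privileged=true grants access to host devices")

            # Container-level values override pod-level ones, so fall back in that order
            run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
            run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if run_as_user == 0:
                findings.append(f"{path}: runAsUser=0 runs the container as root")
            elif run_as_user is None and run_as_non_root is not True:
                findings.append(f"{path}: runAsNonRoot not set; image default user applies")

            dropped = sc.get("capabilities", {}).get("drop", [])
            if "ALL" not in dropped:
                findings.append(f"{path}: capabilities.drop does not include ALL")

            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append(f"{path}: readOnlyRootFilesystem is not true")
    return findings


# Constructed copies of the two manifests shown on the page
SECURE_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "secure-pod"},
    "spec": {
        "containers": [{
            "name": "secure-container",
            "image": "nginx:latest",
            "securityContext": {
                "runAsNonRoot": True,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
        }],
        "hostNetwork": False,
        "hostPID": False,
        "hostIPC": False,
    },
}

INSECURE_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "insecure-pod"},
    "spec": {
        "containers": [{
            "name": "insecure-container",
            "image": "nginx:latest",
            "securityContext": {"privileged": True, "runAsUser": 0},
        }],
        "hostNetwork": True,
        "hostPID": True,
        "hostIPC": True,
    },
}

if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD):
        results = audit_pod(pod)
        print(f"{pod['metadata']['name']}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

The secure manifest yields no findings; the insecure one yields seven (three host namespace flags, privileged, root user, no dropped capabilities, writable root filesystem). The same function can be pointed at the output of kubectl get pod -o json to review pods already running in a cluster.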