Open Source 'Kube-Hunter' Does Kubernetes Penetration Testing
Aqua Security released kube-hunter, an open source tool for penetration testing of Kubernetes clusters, the container orchestration platform.
"You give it the IP or DNS name of your Kubernetes cluster, and kube-hunter probes for security issues -- it's like automated penetration testing," the company said in an Aug. 15 blog post.
The tool -- with source code available on GitHub -- is also packaged by the company in a containerized version, which works with the company's kube-hunter Web site where test results can be seen and shared.
The site lets developers enter an e-mail address to receive a Docker command to run, along with a provided token. "Copy that command and run it anywhere you have Docker installed, and you'll be prompted for the address of the cluster to test against. After the tests run you'll see a unique URL (associated with that token) for viewing the results, which you can send to anyone else who needs to see the results," Aqua Security said.
The company repeatedly warned that the tool is only for testing Kubernetes deployments owned by the developer or tester running it, not for probing other clusters.
"We thought carefully before releasing kube-hunter about the potential use of this by the bad guys; but truth be told they probably already do similar kinds of tests through generic tools (e.g. port scanning)," Aqua Security said. "We want to arm Kubernetes administrators, operators and engineers with an easy way to identify weaknesses in their deployments so that they can address those issues before they are exploited by attackers."
David Ramel is the editor of Visual Studio Magazine.