Aqua Security has made its new Kube-hunter open-source tool generally available, enabling organizations to conduct penetration tests against Kubernetes container orchestration deployments.
Aqua released Kube-hunter on Aug.17, and project code is freely available on GitHub. Rather than looking for vulnerabilities inside of container images, Kube-hunter looks for exploitable vulnerabilities in the configuration and deployment of Kubernetes clusters. The project code is open-source and can be run against an organization's own clusters, with additional online reporting capabilities provided by Aqua Security.
"Kube-hunter uses our new open source code," Liz Rice, technology evangelist at Aqua Security, told eWEEK. "It's written in Python and designed to be easy for the community to add more tests or hunters."
Aqua Security is a container security platform vendor that launched its first commercial product in May 2016. The company has enhanced its platform over the years, growing from just supporting Docker containers to providing protection for container orchestration systems including Kubernetes.
While Aqua Security has a commercial platform, it has also built a series of open-source tools that help organizations validate different aspects of container security. Among Aqua's open-source tools is microscanner, which scans container images for known vulnerabilities. Microscanner examines the contents of application images and doesn’t look at the setup of Kubernetes, according to Rice.
Another Aqua Security open-source tool is Kube-bench, which runs a series of tests against the Center for Internet Security (CIS) Kubernetes benchmark. Rice said Kube-bench only checks configuration against CIS best practices and doesn’t employ real-world attack vectors to actually test them.
"Kube-hunter is a penetration testing tool, which means it actually tries to penetrate your cluster using methods an attacker might use," she said.
Many types of risks that penetration testers will often scan for in an engagement are hard-coded or default credentials. Rice said Kube-hunter doesn't look inside container images for that kind of sensitive data, but it can run tests that probe for data leaks. For example, she noted that there is already a test in Kube-hunter that examines TLS certificates for email addresses. Those addresses could be used by an attacker in a phishing attack. Rice added that it's feasible that other tests could be added to Kube-hunter to search for other sensitive data in just the way an attacker might.
Scanning for vulnerable Kubernetes clusters is not a new phenomenon. On June 18, security firm Lacework released a report in which it identified 21,169 publicly facing container orchestration platforms. Security researchers can also simply use the shodan.io search tool to look for publicly accessible Kubernetes clusters. Rice emphasized that what Kube-hunter does is different than a simple shodan search, for a variety of reasons.
"First, it can be deployed inside a pod, so it doesn't only attack your cluster from the outside, but from the inside, simulating what an attack might look like if you've already been compromised," Rice said. "Additionally, running Kube-hunter with the –active parameter will attempt to run exploits that take advantage of the gaps found—for example, extract the build date of Kubernetes when there's an exposed proxy."
By making Kube-hunter open-source, Rice said the goal is to involve the larger security community. She noted that additional developers, whether independent, working for other vendors or within end-user organizations, can add more attack vector tests, improve the existing ones, and test the tool on a wider variety of environments and setups.
"We hope to see a lot of feedback as it's being used, and of course from other developers," Rice said. "As Kubernetes continues to evolve, its configuration will also become more complicated, creating more opportunities for the uninformed to leave gaps."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.