
kube-hunter

kube-hunter is an open-source Kubernetes penetration testing tool developed by Aqua Security. It simulates attacker behavior to identify misconfigurations, insecure setups, and potential vulnerabilities in Kubernetes clusters. kube-hunter is particularly useful for discovering open ports, exposed services, and weak access controls that may lead to lateral movement or privilege escalation.

It supports both passive and active hunting modes, enabling safe inspection or deep penetration testing of environments.

Official site: https://aquasecurity.github.io/kube-hunter/
GitHub repository: https://github.com/aquasecurity/kube-hunter
Usage

You can run kube-hunter either remotely (from outside the cluster) or from within a pod for internal hunting.

Install via pip

pip install kube-hunter

Run in Remote Scanning Mode

kube-hunter --remote <target-node-ip>

This mode scans for publicly exposed services and ports on a given IP.

Run Inside the Cluster

Deploy kube-hunter as a pod inside the cluster for internal reconnaissance (the service account named here must already exist in the namespace):

# --serviceaccount has been removed from kubectl run in recent releases;
# --overrides sets the pod's service account instead.
kubectl run kube-hunter --rm -it \
  --image=aquasec/kube-hunter \
  --restart=Never \
  --overrides='{"spec":{"serviceAccountName":"kube-hunter"}}'

Run in Active Hunting Mode

kube-hunter --active

This mode simulates real attacks, and active hunters can change cluster state, so run it only in non-production environments and with permission.

Example Findings

kube-hunter may report:

  • Exposed Dashboard or Kubelet APIs
  • Anonymous access to the API Server
  • Accessible etcd endpoints
  • Insecure use of hostPath volumes
  • Privileged containers or pods

Best Practices

  • Use kube-hunter in non-production or isolated environments only.
  • Perform periodic scans to identify newly introduced misconfigurations.
  • Run both internal and external scans to test different attack surfaces.
  • Combine with other tools (e.g., Trivy, kube-bench) for complete posture analysis.
  • Regularly update kube-hunter to benefit from new attack signatures and fixes.
  • Integrate with CI pipelines for proactive misconfiguration detection (optional).
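For the CI integration above, the report is usually consumed as kube-hunter's JSON output (kube-hunter --report json). The following script is an added example, not part of kube-hunter itself: it parses such a report, summarizes findings per severity, and returns a non-zero exit code when anything at or above a chosen severity is present. The embedded report is constructed for this example; it follows the field names of a kube-hunter JSON report, but the locations, vids and text are made up.

```python
"""Gate a CI job on a kube-hunter JSON report (kube-hunter --report json)."""
import json
import sys
from collections import Counter

# Ranking used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample in the shape of a kube-hunter JSON report; every value
# (addresses, vids, descriptions) is made up for this example.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.10"}],
    "services": [
        {"service": "Kubelet API", "location": "10.0.0.10:10250"},
        {"service": "API Server", "location": "10.0.0.10:6443"},
    ],
    "vulnerabilities": [
        {"location": "10.0.0.10:6443", "vid": "KHV-EXAMPLE-1",
         "category": "Information Disclosure", "severity": "medium",
         "vulnerability": "K8s Version Disclosure", "evidence": "v1.x"},
        {"location": "10.0.0.10:10250", "vid": "KHV-EXAMPLE-2",
         "category": "Remote Code Execution", "severity": "high",
         "vulnerability": "Anonymous Authentication", "evidence": "allowed"},
    ],
})


def load_findings(report_text):
    """Return the vulnerability records from a JSON report string."""
    return json.loads(report_text).get("vulnerabilities", [])


def summarize(findings):
    """Count findings per severity; records without one count as 'unknown'."""
    return Counter(f.get("severity", "unknown").lower() for f in findings)


def breaches(findings, threshold="high"):
    """Findings at or above the threshold severity, worst first."""
    limit = SEVERITY_RANK[threshold]
    hits = [f for f in findings
            if SEVERITY_RANK.get(f.get("severity", "").lower(), 0) >= limit]
    return sorted(hits, key=lambda f: -SEVERITY_RANK[f["severity"].lower()])


def gate(report_text, threshold="high"):
    """Return 0 when the report is clean at the threshold, else 1 (CI exit code)."""
    hits = breaches(load_findings(report_text), threshold)
    for f in hits:
        print(f"{f['severity'].upper():6} {f['vid']} {f['location']}: {f['vulnerability']}")
    return 1 if hits else 0


if __name__ == "__main__":
    # Pass the path of a real report as the first argument; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(text, "high"))
```

Pipe a real scan into it with `kube-hunter --remote <target-node-ip> --report json > report.json` and run the script against report.json; the threshold can be lowered to "medium" for stricter pipelines.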

Summary

kube-hunter helps security teams and cluster operators identify Kubernetes misconfigurations before attackers do. It’s a valuable addition to Kubernetes security assessments, especially during penetration testing, threat modeling, or pre-production readiness checks.