Kube-Hunter Cheatsheet¶
- [Kopieren auf Clipboard](https://LINK_0___
- [PDF herunterladen](LINK_0__*
Überblick¶
Kube-hunter ist ein Penetrationstest-Tool, das auf die Suche nach Sicherheitsschwächen in Kubernetes Clustern ausgelegt ist. Es simuliert die Techniken, die von Angreifern verwendet werden, um Kubernetes Umgebungen zu kompromittieren und bietet detaillierte Berichte über entdeckte Schwachstellen und mögliche Angriffswege.
Schlüsselmerkmale¶
- **Active Vulnerability Hunting*: Entdeckt und nutzt Kubernetes Schwachstellen
- **Multiple Scanning Modes*: Remote, interne und Netzwerk-Scanning-Funktionen
- **Attack Path Discovery*: Karten potentielle Angriffsvektoren und Privileg Eskalationspfade
- ** Umfassende Reporting*: Detaillierte Schwachstellenberichte mit Abhilfeführung
- **CI/CD Integration*: Einfache Integration in Sicherheitspipelines
- **Custom Hunters*: Umfangreiche Rahmenbedingungen für benutzerdefinierte Sicherheitskontrollen
Installation¶
Binärinstallation¶
```bash
Download latest release¶
curl -L https://github.com/aquasecurity/kube-hunter/releases/latest/download/kube-hunter_Linux_x86_64 -o kube-hunter chmod +x kube-hunter sudo mv kube-hunter /usr/local/bin/
Verify installation¶
kube-hunter --version ```_
Python Installation¶
```bash
Install via pip¶
pip install kube-hunter
Install from source¶
git clone https://github.com/aquasecurity/kube-hunter.git cd kube-hunter pip install -r requirements.txt python setup.py install
Verify installation¶
kube-hunter --version ```_
Installation von Containern¶
```bash
Pull Docker image¶
docker pull aquasec/kube-hunter:latest
Run as container¶
docker run --rm --network host aquasec/kube-hunter:latest ```_
Kubernets Job Installation¶
```yaml
kube-hunter-job.yaml¶
apiVersion: batch/v1 kind: Job metadata: name: kube-hunter spec: template: spec: containers: - name: kube-hunter image: aquasec/kube-hunter:latest command: ["kube-hunter"] args: ["--pod"] restartPolicy: Never backoffLimit: 4 ```_
Basisnutzung¶
Scanmodus¶
```bash
Remote scanning (external perspective)¶
kube-hunter --remote some.node.com
Internal scanning (from within cluster)¶
kube-hunter --internal
Network scanning (discover and scan)¶
kube-hunter --cidr 192.168.1.0/24
Pod scanning (from within a pod)¶
kube-hunter --pod
Interface scanning¶
kube-hunter --interface eth0 ```_
Ausgabeformate¶
```bash
JSON output¶
kube-hunter --report json
YAML output¶
kube-hunter --report yaml
Plain text output (default)¶
kube-hunter --report plain
Save to file¶
kube-hunter --report json --log /tmp/kube-hunter-report.json ```_
Scanoptionen¶
```bash
Quick scan (passive only)¶
kube-hunter --quick
Active hunting (potentially disruptive)¶
kube-hunter --active
Include statistics¶
kube-hunter --statistics
Verbose output¶
kube-hunter --verbose
Dispatch all hunters¶
kube-hunter --dispatch ```_
Erweiterte Scantechniken¶
Network Discovery und Scanning¶
```bash
Scan multiple CIDR ranges¶
kube-hunter --cidr 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
Scan specific IP ranges¶
kube-hunter --remote 10.0.1.1-10.0.1.100
Scan with custom ports¶
kube-hunter --remote target.com --port 8080,8443,10250
Network interface scanning¶
kube-hunter --interface eth0,eth1 ```_
Active Hunting Konfiguration¶
```bash
Enable active hunting with specific modules¶
kube-hunter --active --hunter-modules kubelet,api-server
Active hunting with custom payloads¶
kube-hunter --active --payload-file custom-payloads.yaml
Active hunting with timeout¶
kube-hunter --active --timeout 300
Active hunting with rate limiting¶
kube-hunter --active --rate-limit 10 ```_
Benutzerdefinierte Hunter Konfiguration¶
```python
custom_hunter.py¶
from kube_hunter.core.types import Hunter, KubernetesCluster from kube_hunter.core.events import handler
@handler.subscribe(KubernetesCluster) class CustomHunter(Hunter): """Custom vulnerability hunter"""
def __init__(self, event):
self.event = event
def execute(self):
# Custom vulnerability detection logic
self.publish_event(CustomVulnerability())
class CustomVulnerability(Vulnerability, Event): """Custom vulnerability event"""
def __init__(self):
Vulnerability.__init__(
self,
component="Custom Component",
name="Custom Vulnerability",
category=InformationDisclosure,
)
self.evidence = "Custom evidence"
```_
Spezielles Scannen von Cloud Providern¶
Amazon EKS¶
```bash
EKS cluster scanning¶
kube-hunter --remote eks-cluster.region.eks.amazonaws.com
EKS with IAM authentication¶
export AWS_PROFILE=eks-profile kube-hunter --remote eks-cluster.region.eks.amazonaws.com --eks
EKS worker node scanning¶
kube-hunter --cidr 10.0.0.0/16 --active ```_
Google GKE¶
```bash
GKE cluster scanning¶
kube-hunter --remote gke-cluster.googleapis.com
GKE with service account¶
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service-account.json kube-hunter --remote gke-cluster.googleapis.com --gke
GKE node pool scanning¶
kube-hunter --cidr 10.128.0.0/20 --active ```_
AKS¶
```bash
AKS cluster scanning¶
kube-hunter --remote aks-cluster.region.azmk8s.io
AKS with Azure CLI authentication¶
az login kube-hunter --remote aks-cluster.region.azmk8s.io --aks
AKS subnet scanning¶
kube-hunter --cidr 10.240.0.0/16 --active ```_
CI/CD Integration¶
GitHub Aktionen¶
```yaml
.github/workflows/kube-hunter.yml¶
name: Kube-hunter Security Scan
on: push: branches: [ main ] pull_request: branches: [ main ] schedule: - cron: '0 3 * * *' # Daily at 3 AM
jobs: kube-hunter-scan: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.9'
- name: Install Kube-hunter
run: |
pip install kube-hunter
- name: Configure kubectl
run: |
echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > kubeconfig
export KUBECONFIG=kubeconfig
- name: Run Kube-hunter scan
run: |
# Remote scan
kube-hunter --remote ${{ secrets.CLUSTER_ENDPOINT }} \
--report json --log kube-hunter-remote.json
# Internal scan via job
kubectl apply -f - <<EOF
apiVersion: batch/v1
kind: Job
metadata:
name: kube-hunter-internal
spec:
template:
spec:
containers:
- name: kube-hunter
image: aquasec/kube-hunter:latest
command: ["kube-hunter"]
args: ["--pod", "--report", "json"]
restartPolicy: Never
EOF
kubectl wait --for=condition=complete job/kube-hunter-internal --timeout=300s
kubectl logs job/kube-hunter-internal > kube-hunter-internal.json
- name: Parse results
run: |
python3 << 'EOF'
import json
import sys
def parse_results(file_path):
try:
with open(file_path, 'r') as f:
data = json.load(f)
return data
except:
return {"vulnerabilities": []}
# Parse remote scan
remote_data = parse_results('kube-hunter-remote.json')
remote_vulns = len(remote_data.get('vulnerabilities', []))
# Parse internal scan
internal_data = parse_results('kube-hunter-internal.json')
internal_vulns = len(internal_data.get('vulnerabilities', []))
total_vulns = remote_vulns + internal_vulns
print(f"Remote vulnerabilities: {remote_vulns}")
print(f"Internal vulnerabilities: {internal_vulns}")
print(f"Total vulnerabilities: {total_vulns}")
# Set environment variables for next steps
with open('GITHUB_ENV', 'a') as f:
f.write(f"REMOTE_VULNS={remote_vulns}\n")
f.write(f"INTERNAL_VULNS={internal_vulns}\n")
f.write(f"TOTAL_VULNS={total_vulns}\n")
EOF
- name: Upload results
uses: actions/upload-artifact@v3
with:
name: kube-hunter-results
path: |
kube-hunter-*.json
- name: Comment PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const remoteVulns = process.env.REMOTE_VULNS;
const internalVulns = process.env.INTERNAL_VULNS;
const totalVulns = process.env.TOTAL_VULNS;
const comment = `## Kube-hunter Security Scan Results
- **Remote vulnerabilities:** ${remoteVulns}
- **Internal vulnerabilities:** ${internalVulns}
- **Total vulnerabilities:** ${totalVulns}
${totalVulns > 0 ? '⚠️ Vulnerabilities detected! Please review the detailed results.' : '✅ No vulnerabilities detected.'}`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
- name: Fail on vulnerabilities
if: env.TOTAL_VULNS > 0
run: |
echo "❌ Kube-hunter found $TOTAL_VULNS vulnerabilities"
exit 1
```_
GitLab CI¶
```yaml
.gitlab-ci.yml¶
stages: - security
kube-hunter-scan: stage: security image: aquasec/kube-hunter:latest script: - kube-hunter --remote $CLUSTER_ENDPOINT --report json --log kube-hunter-results.json artifacts: reports: container_scanning: kube-hunter-results.json paths: - kube-hunter-results.json expire_in: 1 week only: - main - merge_requests
kube-hunter-internal: stage: security image: bitnami/kubectl:latest script: - kubectl apply -f kube-hunter-job.yaml - kubectl wait --for=condition=complete job/kube-hunter --timeout=300s - kubectl logs job/kube-hunter > kube-hunter-internal.json artifacts: paths: - kube-hunter-internal.json expire_in: 1 week only: - main ```_
Jenkins Pipeline¶
```groovy // Jenkinsfile pipeline { agent any
environment {
KUBECONFIG = credentials('kubeconfig')
CLUSTER_ENDPOINT = credentials('cluster-endpoint')
}
stages {
stage('Kube-hunter Scan') {
parallel {
stage('Remote Scan') {
steps {
script {
// Install kube-hunter
sh 'pip install kube-hunter'
// Run remote scan
sh '''
kube-hunter --remote $CLUSTER_ENDPOINT \
--report json --log kube-hunter-remote.json
'''
}
}
}
stage('Internal Scan') {
steps {
script {
// Run internal scan via Kubernetes job
sh '''
kubectl apply -f - <<EOF
apiVersion: batch/v1 kind: Job metadata: name: kube-hunter-internal-\({BUILD_NUMBER} spec: template: spec: containers: - name: kube-hunter image: aquasec/kube-hunter:latest command: ["kube-hunter"] args: ["--pod", "--report", "json"] restartPolicy: Never EOF kubectl wait --for=condition=complete job/kube-hunter-internal-\) --timeout=300s kubectl logs job/kube-hunter-internal-\({BUILD_NUMBER} > kube-hunter-internal.json kubectl delete job kube-hunter-internal-\) ''' } } } } }
stage('Analyze Results') {
steps {
script {
// Parse and analyze results
def remoteResults = readJSON file: 'kube-hunter-remote.json'
def internalResults = readJSON file: 'kube-hunter-internal.json'
def remoteVulns = remoteResults.vulnerabilities?.size() ?: 0
def internalVulns = internalResults.vulnerabilities?.size() ?: 0
def totalVulns = remoteVulns + internalVulns
echo "Remote vulnerabilities: ${remoteVulns}"
echo "Internal vulnerabilities: ${internalVulns}"
echo "Total vulnerabilities: ${totalVulns}"
// Set build description
currentBuild.description = "Vulnerabilities: ${totalVulns}"
// Fail build if vulnerabilities found
if (totalVulns > 0) {
currentBuild.result = 'UNSTABLE'
error("Kube-hunter found ${totalVulns} vulnerabilities")
}
}
}
}
}
post {
always {
archiveArtifacts artifacts: 'kube-hunter-*.json', fingerprint: true
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: '.',
reportFiles: 'kube-hunter-*.json',
reportName: 'Kube-hunter Security Report'
])
}
}
} ```_
Automatisierungsskripte¶
Umfassendes Scannen von Skript¶
```bash
!/bin/bash¶
comprehensive-kube-hunter.sh¶
set -e
Configuration¶
RESULTS_DIR="kube-hunter-results" TIMESTAMP=\((date +%Y%m%d_%H%M%S) CLUSTER_ENDPOINT="\)" CIDR_RANGES="${CIDR_RANGES:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
Create results directory¶
mkdir -p "$RESULTS_DIR"
echo "Starting comprehensive Kube-hunter security scan..."
Function to run scan¶
run_scan() { local scan_type="\(1" local target="\)2" local output_file="\(3" local additional_args="\)4"
echo "Running $scan_type scan..."
case "$scan_type" in
"remote")
kube-hunter --remote "$target" --report json --log "$output_file" $additional_args
;;
"cidr")
kube-hunter --cidr "$target" --report json --log "$output_file" $additional_args
;;
"internal")
kube-hunter --internal --report json --log "$output_file" $additional_args
;;
"pod")
kubectl apply -f - <<EOF
apiVersion: batch/v1 kind: Job metadata: name: kube-hunter-pod-\(TIMESTAMP spec: template: spec: containers: - name: kube-hunter image: aquasec/kube-hunter:latest command: ["kube-hunter"] args: ["--pod", "--report", "json", \(additional_args] restartPolicy: Never EOF kubectl wait --for=condition=complete job/kube-hunter-pod-\)TIMESTAMP --timeout=300s kubectl logs job/kube-hunter-pod-\)TIMESTAMP > "\(output_file" kubectl delete job kube-hunter-pod-\)TIMESTAMP ;; esac }
Main scanning logic¶
main() { # Remote scanning if [ -n "\(CLUSTER_ENDPOINT" ]; then run_scan "remote" "\)CLUSTER_ENDPOINT" "\(RESULTS_DIR/remote-scan-\)TIMESTAMP.json" "--statistics" run_scan "remote" "\(CLUSTER_ENDPOINT" "\)RESULTS_DIR/remote-active-scan-$TIMESTAMP.json" "--active --statistics" fi
# Network scanning
run_scan "cidr" "$CIDR_RANGES" "$RESULTS_DIR/network-scan-$TIMESTAMP.json" "--statistics"
run_scan "cidr" "$CIDR_RANGES" "$RESULTS_DIR/network-active-scan-$TIMESTAMP.json" "--active --statistics"
# Internal scanning (if kubectl is configured)
if kubectl cluster-info &>/dev/null; then
run_scan "internal" "" "$RESULTS_DIR/internal-scan-$TIMESTAMP.json" "--statistics"
run_scan "pod" "" "$RESULTS_DIR/pod-scan-$TIMESTAMP.json" "--statistics"
fi
# Generate comprehensive report
python3 << 'EOF'
import json import os import glob from datetime import datetime
def parse_kube_hunter_results(file_path): try: with open(file_path, 'r') as f: data = json.load(f) return data except: return {"vulnerabilities": [], "hunter_statistics": []}
def generate_comprehensive_report(): results_dir = "kube-hunter-results" timestamp = os.environ.get('TIMESTAMP', datetime.now().strftime('%Y%m%d_%H%M%S'))
# Find all result files
result_files = glob.glob(f"{results_dir}/*-{timestamp}.json")
all_vulnerabilities = []
all_statistics = []
scan_summary = {}
for file_path in result_files:
scan_type = os.path.basename(file_path).split('-')[0]
data = parse_kube_hunter_results(file_path)
vulnerabilities = data.get('vulnerabilities', [])
statistics = data.get('hunter_statistics', [])
all_vulnerabilities.extend(vulnerabilities)
all_statistics.extend(statistics)
scan_summary[scan_type] = {
'vulnerabilities': len(vulnerabilities),
'file': file_path
}
# Generate summary report
report = {
'timestamp': datetime.now().isoformat(),
'scan_summary': scan_summary,
'total_vulnerabilities': len(all_vulnerabilities),
'vulnerability_breakdown': {},
'hunter_statistics': all_statistics,
'vulnerabilities': all_vulnerabilities
}
# Categorize vulnerabilities
for vuln in all_vulnerabilities:
category = vuln.get('category', 'Unknown')
if category not in report['vulnerability_breakdown']:
report['vulnerability_breakdown'][category] = 0
report['vulnerability_breakdown'][category] += 1
# Save comprehensive report
with open(f"{results_dir}/comprehensive-report-{timestamp}.json", 'w') as f:
json.dump(report, f, indent=2)
# Print summary
print(f"\n=== Kube-hunter Comprehensive Scan Summary ===")
print(f"Timestamp: {report['timestamp']}")
print(f"Total Vulnerabilities: {report['total_vulnerabilities']}")
print(f"\nScan Breakdown:")
for scan_type, summary in scan_summary.items():
print(f" {scan_type}: {summary['vulnerabilities']} vulnerabilities")
print(f"\nVulnerability Categories:")
for category, count in report['vulnerability_breakdown'].items():
print(f" {category}: {count}")
# Return exit code based on vulnerabilities
return 1 if report['total_vulnerabilities'] > 0 else 0
exit_code = generate_comprehensive_report() exit(exit_code)
EOF
echo "Comprehensive scan completed. Results saved in $RESULTS_DIR/"
}
Export timestamp for Python script¶
export TIMESTAMP
Run main function¶
main ```_
Automatisierte Entfernung Script¶
```bash
!/bin/bash¶
kube-hunter-remediation.sh¶
set -e
RESULTS_FILE="\(1" REMEDIATION_LOG="kube-hunter-remediation-\)(date +%Y%m%d_%H%M%S).log"
if [ -z "$RESULTS_FILE" ]; then
echo "Usage: $0
echo "Starting automated remediation based on Kube-hunter results..." echo "Results file: $RESULTS_FILE" echo "Remediation log: $REMEDIATION_LOG"
Function to apply remediation¶
apply_remediation() { local vuln_id="\(1" local description="\)2" local evidence="$3"
echo "Applying remediation for vulnerability: $description" | tee -a "$REMEDIATION_LOG"
echo "Evidence: $evidence" | tee -a "$REMEDIATION_LOG"
case "$vuln_id" in
"KHV002")
# K8s Version Disclosure
echo "Remediating K8s Version Disclosure..." | tee -a "$REMEDIATION_LOG"
kubectl patch configmap kube-proxy -n kube-system --type='merge' -p='{"data":{"config.conf":"mode: iptables\nclusterCIDR: 10.244.0.0/16\n"}}' 2>&1 | tee -a "$REMEDIATION_LOG"
;;
"KHV005")
# Access to pod's secrets
echo "Remediating pod secrets access..." | tee -a "$REMEDIATION_LOG"
kubectl create rolebinding default-view --clusterrole=view --serviceaccount=default:default --namespace=default 2>&1 | tee -a "$REMEDIATION_LOG"
;;
"KHV050")
# Read access to pod's service account token
echo "Remediating service account token access..." | tee -a "$REMEDIATION_LOG"
kubectl patch serviceaccount default -p '{"automountServiceAccountToken":false}' 2>&1 | tee -a "$REMEDIATION_LOG"
;;
"KHV053")
# Pod Security Policy not enabled
echo "Enabling Pod Security Policy..." | tee -a "$REMEDIATION_LOG"
kubectl apply -f - <<EOF 2>&1 | tee -a "$REMEDIATION_LOG"
apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: restricted spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: - ALL volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' runAsUser: rule: 'MustRunAsNonRoot' seLinux: rule: 'RunAsAny' fsGroup: rule: 'RunAsAny' EOF ;; *) echo "No automated remediation available for vulnerability: \(description" | tee -a "\)REMEDIATION_LOG" echo "Manual remediation required" | tee -a "$REMEDIATION_LOG" ;; esac }
Parse JSON results and apply remediations¶
python3 << EOF import json import subprocess import sys
def run_remediation(vuln_id, description, evidence): try: subprocess.run(['bash', '-c', f'apply_remediation "{vuln_id}" "{description}" "{evidence}"'], check=True) return True except subprocess.CalledProcessError as e: print(f"Failed to apply remediation for {vuln_id}: {e}") return False
Load results¶
with open('$RESULTS_FILE', 'r') as f: data = json.load(f)
remediation_count = 0 success_count = 0
for vuln in data.get('vulnerabilities', []): vuln_id = vuln.get('vid', 'Unknown') description = vuln.get('description', 'Unknown') evidence = vuln.get('evidence', 'No evidence')
print(f"Attempting remediation for vulnerability {vuln_id}: {description}")
remediation_count += 1
if run_remediation(vuln_id, description, evidence):
success_count += 1
print(f"\nRemediation Summary:") print(f"Total remediations attempted: {remediation_count}") print(f"Successful remediations: {success_count}") print(f"Failed remediations: {remediation_count - success_count}")
EOF
echo "Remediation completed. Check $REMEDIATION_LOG for details." ```_
Monitoring und Alerting Script¶
```bash
!/bin/bash¶
kube-hunter-monitor.sh¶
set -e
Configuration¶
SLACK_WEBHOOK_URL="\({SLACK_WEBHOOK_URL:-}" EMAIL_RECIPIENTS="\)" THRESHOLD_HIGH="\({THRESHOLD_HIGH:-0}" THRESHOLD_MEDIUM="\)"
Function to send Slack notification¶
send_slack_notification() { local message="\(1" local color="\)2"
if [ -n "$SLACK_WEBHOOK_URL" ]; then
curl -X POST -H 'Content-type: application/json' \
--data "{
\"attachments\": [{
\"color\": \"$color\",
\"title\": \"Kube-hunter Security Scan Results\",
\"text\": \"$message\",
\"footer\": \"Kube-hunter Monitor\",
\"ts\": $(date +%s)
}]
}" \
"$SLACK_WEBHOOK_URL"
fi
}
Function to send email notification¶
send_email_notification() { local subject="\(1" local body="\)2"
if [ -n "$EMAIL_RECIPIENTS" ]; then
echo "$body" | mail -s "$subject" "$EMAIL_RECIPIENTS"
fi
}
Run kube-hunter scan¶
echo "Running Kube-hunter security scan..." kube-hunter --remote "${CLUSTER_ENDPOINT}" --report json --log scan-results.json
Parse results¶
python3 << 'EOF' import json import sys import os
Load results¶
with open('scan-results.json', 'r') as f: data = json.load(f)
Count vulnerabilities by severity¶
high_count = 0 medium_count = 0 low_count = 0
for vuln in data.get('vulnerabilities', []): severity = vuln.get('severity', 'low').lower() if severity == 'high': high_count += 1 elif severity == 'medium': medium_count += 1 else: low_count += 1
Write summary to file¶
with open('scan-summary.txt', 'w') as f: f.write(f"HIGH_COUNT={high_count}\n") f.write(f"MEDIUM_COUNT={medium_count}\n") f.write(f"LOW_COUNT={low_count}\n")
print(f"Scan completed: {high_count} high, {medium_count} medium, {low_count} low severity vulnerabilities")
EOF
Load summary¶
source scan-summary.txt
Determine alert level¶
if [ "\(HIGH_COUNT" -gt "\)THRESHOLD_HIGH" ]; then ALERT_LEVEL="critical" COLOR="danger" elif [ "\(MEDIUM_COUNT" -gt "\)THRESHOLD_MEDIUM" ]; then ALERT_LEVEL="warning" COLOR="warning" else ALERT_LEVEL="good" COLOR="good" fi
Create notification message¶
MESSAGE="Kube-hunter Security Scan Results: • High severity: $HIGH_COUNT • Medium severity: $MEDIUM_COUNT • Low severity: $LOW_COUNT • Alert level: $ALERT_LEVEL"
Send notifications¶
send_slack_notification "\(MESSAGE" "\)COLOR" send_email_notification "Kube-hunter Security Scan - \(ALERT_LEVEL" "\)MESSAGE"
Exit with appropriate code¶
if [ "\(HIGH_COUNT" -gt "\)THRESHOLD_HIGH" ]; then echo "❌ Critical vulnerabilities found: \(HIGH_COUNT high severity" exit 1 elif [ "\)MEDIUM_COUNT" -gt "$THRESHOLD_MEDIUM" ]; then echo "⚠️ Warning threshold exceeded: $MEDIUM_COUNT medium severity" exit 2 else echo "✅ Security scan passed" exit 0 fi ```_
Fehlerbehebung¶
Gemeinsame Themen¶
```bash
Network connectivity issues¶
kube-hunter --remote target.com --timeout 60
Permission issues¶
sudo kube-hunter --internal
Kubernetes API access issues¶
export KUBECONFIG=/path/to/kubeconfig kube-hunter --pod
Docker socket access issues¶
sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/kube-hunter:latest
Debug mode¶
kube-hunter --verbose --remote target.com ```_
Leistungsoptimierung¶
```bash
Reduce scan scope¶
kube-hunter --quick --remote target.com
Limit concurrent hunters¶
kube-hunter --rate-limit 5 --remote target.com
Increase timeout for slow networks¶
kube-hunter --timeout 300 --remote target.com
Use specific hunters only¶
kube-hunter --hunter-modules api-server,kubelet --remote target.com ```_
Konfigurationsvalidierung¶
```bash
Test connectivity¶
kube-hunter --remote target.com --quick
Validate Kubernetes access¶
kubectl cluster-info kube-hunter --pod
Check hunter modules¶
kube-hunter --list-hunters
Verify installation¶
kube-hunter --version kube-hunter --help ```_
Best Practices¶
Sicherheitsteststrategie¶
- Regular Scanning: wöchentliche Sicherheitsscans planen
- **Multi-Perspective Testing*: Verwenden Sie sowohl Remote- als auch interne Scans
- Active vs Passive: Balance gründliche Tests mit Sicherheit
- Baseline Establishment: Sicherheitsbasislinien erstellen
- Trend Monitoring: Trends der Schwachstelle im Laufe der Zeit verfolgen
Scannen von Richtlinien¶
- Leistungsmanagement: Verwenden Sie mindestens Privileg für Scans
- **Network Segmentation*: Test von verschiedenen Netzwerksegmenten
- Bedenken: Planen Sie Scans während der Wartungsfenster
- Dokumentation: Dokumentenbefunde und Abhilfemaßnahmen
- Validation: Wirksamkeit der Abhilfe überprüfen
Integration Best Practices¶
- **CI/CD Integration*: In Sicherheitspipelines enthalten
- Automatisierte Entfernung: Implementieren Sie sichere Autoremediation
- Alert Management: angemessene Warnschwellen festlegen
- Reporting: Aktionsfähige Sicherheitsberichte generieren
- Compliance: Einhaltung der Sicherheitsanforderungen
Dieses umfassende Kube-Hunter-Catsheet bietet alles, was für professionelle Kubernetes Sicherheitsjagd- und Penetrationstests benötigt wird, von der Basisnutzung bis hin zu fortschrittlichen Automatisierungs- und Integrationsszenarien.