kube-hunter:
is an open-source tool that hunts for security issues in your Kubernetes clusters. It is designed to increase awareness and visibility of the security controls in Kubernetes environments. kube-hunter is available as a container (aquasec/kube-hunter), and Aqua also offers a web site at kube-hunter.aquasec.com where you can register online to receive a token that lets you see and share the results online. You can also run the Python code yourself. Because kube-hunter actively probes a cluster, only run it against clusters you own or are authorized to test.
Contribute: Contributions are welcome, especially new hunter modules that perform additional tests. If you would like to develop your own modules, read Guidelines For Developing Your First kube-hunter Module.
Ref link: https://kube-hunter.aquasec.com/
kube-bench:
is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark, "an objective, consensus-driven security guideline for the Kubernetes Server Software."
Note that the control-plane (master) nodes of managed clusters such as GKE, EKS and AKS cannot be inspected with kube-bench, because the provider does not give you access to those nodes; it is still possible to use kube-bench to check worker node configuration in these environments.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
CIS Kubernetes Benchmark support
kube-bench supports the tests for Kubernetes as defined in CIS Benchmarks 1.0.0 to 1.4.0. The kube-bench config column names the cfg directory holding the YAML test definitions for that benchmark.
CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions |
---|---|---|
1.0.0 | 1.6 | 1.6 |
1.1.0 | 1.7 | 1.7 |
1.2.0 | 1.8 | 1.8-1.10 |
1.3.0 | 1.11 | 1.11-1.12 |
1.4.0 | 1.13 | 1.13 and later |
By default kube-bench will determine the test set to run based on the Kubernetes version running on the machine; this can be overridden with the --version or --benchmark flag.
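As an added example (not kube-bench's own code), the Python below re-implements in simplified form how a check from those YAML files is evaluated: each check names an audit command, and each test_item names a flag to look for in the audit output, optionally with a compare block (eq, noteq, gt/gte/lt/lte, has, nothave) and a set flag that says whether the flag must be present or absent; test_items are combined with bin_op (and by default, or when given), and a failing check is reported as FAIL when scored and WARN when not. The check definitions, their ids, and the kube-apiserver process line are constructed for illustration and are not copied from any CIS benchmark; the keys mirror those of the YAML but the structures are written as Python dicts so the example runs without a YAML parser.

```python
"""
Simplified evaluator for kube-bench style checks (added example, not kube-bench code).

kube-bench reads its tests from YAML (cfg/<version>/master.yaml, node.yaml): a check
names an audit command and one or more test_items, each naming a flag to look for in
the audit output, optionally with a compare block. The matching logic below is a
simplified re-implementation; the checks, ids and process line are constructed.
"""
import re

# Constructed stand-in for the output of the usual audit command
#   /bin/ps -ef | grep kube-apiserver | grep -v grep
SAMPLE_AUDIT_OUTPUT = (
    "root 1234 1 2 10:00 ? 00:01:02 /usr/local/bin/kube-apiserver "
    "--anonymous-auth=false --authorization-mode=Node,RBAC "
    "--insecure-port=0 --audit-log-maxage=30 --secure-port 6443"
)

# Constructed checks using the same keys the kube-bench YAML uses (ids are illustrative).
CHECKS = [
    {"id": "ex-1", "text": "anonymous auth must be disabled", "scored": True,
     "tests": {"test_items": [{"flag": "--anonymous-auth",
                               "compare": {"op": "eq", "value": False}, "set": True}]}},
    {"id": "ex-2", "text": "basic auth file must not be configured", "scored": True,
     "tests": {"test_items": [{"flag": "--basic-auth-file", "set": False}]}},
    {"id": "ex-3", "text": "AlwaysAllow must not be an authorization mode", "scored": True,
     "tests": {"test_items": [{"flag": "--authorization-mode",
                               "compare": {"op": "nothave", "value": "AlwaysAllow"}, "set": True}]}},
    {"id": "ex-4", "text": "audit logs kept for at least 30 days", "scored": True,
     "tests": {"test_items": [{"flag": "--audit-log-maxage",
                               "compare": {"op": "gte", "value": 30}, "set": True}]}},
    {"id": "ex-5", "text": "profiling must be disabled", "scored": True,
     "tests": {"test_items": [{"flag": "--profiling",
                               "compare": {"op": "eq", "value": False}, "set": True}]}},
    {"id": "ex-6", "text": "kubelet CA should be pinned (unscored)", "scored": False,
     "tests": {"test_items": [{"flag": "--kubelet-certificate-authority", "set": True}]}},
]


def flag_value(audit_output, flag):
    """Return (present, value) for --flag=value or --flag value.
    A bare flag followed by another flag yields value None; a longer flag
    that merely starts with the same text (--insecure vs --insecure-port) does not match."""
    pattern = r"(?:^|\s)" + re.escape(flag) + r"(?:=(\S+)|\s+(?!-)(\S+)|(?=\s|$))"
    m = re.search(pattern, audit_output)
    if not m:
        return False, None
    return True, (m.group(1) if m.group(1) is not None else m.group(2))


def compare(op, actual, expected):
    """The compare ops the YAML uses; strings compare case-insensitively, numbers as floats."""
    a, e = str(actual).lower(), str(expected).lower()
    if op == "eq":
        return a == e
    if op == "noteq":
        return a != e
    if op in ("gt", "gte", "lt", "lte"):
        try:
            x, y = float(a), float(e)
        except ValueError:
            return False
        return {"gt": x > y, "gte": x >= y, "lt": x < y, "lte": x <= y}[op]
    if op == "has":
        return e in a
    if op == "nothave":
        return e not in a
    raise ValueError("unknown compare op: " + op)


def evaluate_item(item, audit_output):
    """set: false -> the flag must be absent; set: true -> present, and any compare must hold."""
    present, value = flag_value(audit_output, item["flag"])
    if not item.get("set", True):
        return not present
    if not present:
        return False
    if "compare" not in item:
        return True
    if value is None:  # a Go-style boolean flag given bare means true
        value = "true"
    return compare(item["compare"]["op"], value, item["compare"]["value"])


def evaluate_check(check, audit_output):
    """PASS, FAIL, or WARN (a failing unscored check is reported as WARN, as kube-bench does)."""
    tests = check["tests"]
    outcomes = [evaluate_item(i, audit_output) for i in tests["test_items"]]
    ok = any(outcomes) if tests.get("bin_op", "and") == "or" else all(outcomes)
    if ok:
        return "PASS"
    return "FAIL" if check.get("scored", True) else "WARN"


def run_checks(checks, audit_output):
    return {c["id"]: evaluate_check(c, audit_output) for c in checks}


def summarize(results):
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0}
    for status in results.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    results = run_checks(CHECKS, SAMPLE_AUDIT_OUTPUT)
    for check in CHECKS:
        print("[%s] %s %s" % (results[check["id"]], check["id"], check["text"]))
    print(summarize(results))
    raise SystemExit(1 if summarize(results)["FAIL"] else 0)  # gate a pipeline on scored failures
```

Run against the constructed process line, ex-5 fails (the --profiling flag is absent, so the eq check cannot hold) and ex-6 is reported as WARN rather than FAIL because it is unscored; the non-zero exit status on any FAIL is the pattern to use when wiring the real kube-bench into a pipeline.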
Ref links:
https://github.com/aquasecurity/kube-bench
https://www.cisecurity.org/benchmark/kubernetes/