Fueling innovative software
July 15-18, 2019
Portland, OR

DIY pentesting for your Kubernetes cluster

Jeff Thorne (Aqua Security)
4:15pm-4:55pm Thursday, July 18, 2019
Secondary topics: Cloud Native

Who is this presentation for?

  • People operating or installing Kubernetes clusters




Kube-hunter is an open source tool written in Python for pentesting a Kubernetes cluster. This kind of testing simulates what a hacker might do when trying to attack a deployment. The code uses an observer pattern to chain together a number of hunter components, each of which explores a new step in a possible attack.

Jeff Thorne discusses the motivations behind the project and explores some interesting aspects of how the project is implemented. You’ll learn how to test for the basics like an unsecured Kubelet API, simulate an attack from within a compromised container, and reuse the credentials from within a compromised container. You’ll leave ready to test your own Kubernetes cluster with kube-hunter and with new insights into the possible routes that an attacker might take to gain a foothold in your deployment. And perhaps you’ll even be inspired to submit a new hunter to the project.

Prerequisite knowledge

  • Familiarity with Kubernetes terminology like pod and node
  • Experience with the command line tool kubectl
  • A basic understanding of the main components in Kubernetes (like the API server and Kubelet)

What you'll learn

  • Learn how to use kube-hunter to test your own cluster for configuration issues that affect its security

Jeff Thorne

Aqua Security

Jeff Thorne is a member of the DevRel team at Aqua Security. Previously, he was the director of technology and field engineering at Trend Micro and held various roles in the app dev and infosec community at VMware, Ooyala, and Third Brigade. He has extensive experience in hybrid cloud architectures, advanced breach detection, product management, and software engineering. Jeff is a proud Canuck and now calls Seattle home.