kube-hunter — Install, Use, Optimise (2026)

Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026

Kubernetes attack-surface scanner — finds API servers, kubelets, etcd exposure, and known CVEs in your cluster.

Use case: Cloud (Kubernetes)
Difficulty: Intermediate
Homepage: https://github.com/aquasecurity/kube-hunter

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

pipx

pipx install kube-hunter

Docker

docker run -it --rm --network host aquasec/kube-hunter

In-cluster as Pod (most realistic)

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-hunter/main/job.yaml

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

External scan (find exposed components)

kube-hunter --remote 10.0.0.5

Internal scan (run inside cluster)

kube-hunter --pod

Active scan (attempts exploitation)

kube-hunter --pod --active

CIDR network scan

kube-hunter --cidr 10.0.0.0/24

JSON output

kube-hunter --report json --log info

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Internal pod scan is the most realistic — finds attack paths a compromised container could take.
  • --active attempts exploits — only on test clusters. Production scans use passive only.
  • --quick skips slow checks (port-scanning ranges) — 3× faster.
  • External scan needs to know cluster IPs — run after recon.
  • Combine with kubectl-who-can for RBAC analysis after kube-hunter finds the API server.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • Active mode can crash hostile clusters — DO NOT run on prod even if scope says authorised.
  • An external scan from outside the firewall typically returns 0 findings on managed K8s (EKS/AKS/GKE). Useful only for self-hosted clusters.
  • kube-hunter checks for known CVEs, but the fast-moving K8s release cycle means it lags. Pair with a manual kubectl version + CVE check.
  • Reports may include cluster topology — confidential.
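
To act on the JSON output and the report-confidentiality pitfall above, this added example (not code from kube-hunter or from this article's author) counts findings by severity for a pass/fail gate and pseudonymises IPv4 addresses before the report is shared. It assumes the report has top-level nodes, services and vulnerabilities lists whose entries carry severity and location fields; the sample report, the function names and the key are constructed for illustration.

```python
import hashlib
import hmac
import json
import re
from collections import Counter

# Constructed sample in the assumed shape of `kube-hunter --report json` output.
SAMPLE_REPORT = json.dumps({
    "nodes": [{"type": "Node/Master", "location": "10.0.0.5"}],
    "services": [{"service": "Kubelet API", "location": "10.0.0.5:10250"}],
    "vulnerabilities": [
        {"vid": "KHV-EXAMPLE-1", "severity": "high", "location": "10.0.0.5:10250",
         "vulnerability": "constructed finding A", "evidence": "seen on 10.0.0.5"},
        {"vid": "KHV-EXAMPLE-2", "severity": "medium", "location": "10.0.0.7:443",
         "vulnerability": "constructed finding B", "evidence": "version string"},
    ],
})

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # hostnames are not covered

def pseudonym(ip: str, key: str) -> str:
    """Keyed, stable label: the same host maps to the same name in every finding."""
    return "host-" + hmac.new(key.encode(), ip.encode(), hashlib.sha256).hexdigest()[:8]

def redact(value, key: str):
    """Recursively replace IPv4 addresses in every string of the report."""
    if isinstance(value, str):
        return IPV4.sub(lambda m: pseudonym(m.group(0), key), value)
    if isinstance(value, list):
        return [redact(v, key) for v in value]
    if isinstance(value, dict):
        return {k: redact(v, key) for k, v in value.items()}
    return value

def triage(report_json: str, key: str, fail_on=("high",)):
    """Return (severity counts, shareable redacted report, gate_failed)."""
    report = json.loads(report_json)
    findings = report.get("vulnerabilities", [])
    counts = Counter(str(f.get("severity", "unknown")).lower() for f in findings)
    gate_failed = any(counts[s] for s in fail_on)
    return counts, redact(report, key), gate_failed

if __name__ == "__main__":
    # The key is a per-engagement secret; keep it out of the shared report.
    counts, shareable, failed = triage(SAMPLE_REPORT, key="per-engagement-secret")
    print(dict(counts))
    print(json.dumps(shareable, indent=2))
    raise SystemExit(1 if failed else 0)
```

Confirm the field names against a real report from your kube-hunter version before relying on the gate.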

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • kubescape (ARMO) — modern, NSA Kubernetes Hardening Guide aligned.
  • kubeaudit — Shopify, runs as kubectl plugin.
  • Trivy K8s — Aquasec’s newer combined scanner.

India context and engagement notes

For Indian SaaS running on EKS/GKE: kube-hunter from inside an unprivileged pod is the gold-standard simulation of “what can a compromised app do?” Combine with Falco for runtime detection of any kube-hunter activity.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
