Tooling

Container & Kubernetes Pentesting

kube-hunter, Kubescape, Peirates — attacking and auditing containerised infra.

Containers and Kubernetes broke a lot of long-held network assumptions. The pentest toolkit reflects that — image triage, cluster recon, IAM-style RBAC abuse, runtime breakouts. For defensive runtime see Runtime Security (Falco / Tetragon). For supply chain see Security Scanning (Trivy / Grype) and Image Supply Chain. For cloud-side IAM see Cloud Pentesting.

Cluster recon / external

  • kube-hunter (Aqua) — penetration-test for Kubernetes; finds misconfigured kubelets, exposed dashboards, etcd, anonymous API servers. Free.
  • kube-bench (Aqua) — runs the CIS Kubernetes Benchmark; "is this control configured?" Free.
  • Kubescape (Armo, CNCF) — security posture / NSA-CISA hardening; compliance frameworks; SBOM. Free.
  • kubeaudit (Shopify) — manifests / cluster scan for common misconfigurations.
  • Polaris (Fairwinds) — best-practice manifest checker.

In-cluster / post-foothold

  • Peirates — k8s privilege-escalation toolkit; once you have a pod shell, it pivots to cluster-wide impact (mounts service-account tokens, escapes via host-path, raids namespaces). Free.
  • Bust-a-Kube — vulnerable k8s playground (defender-side practice).
  • Kdigger (Quarkslab) — context discovery tool — "what can I see / do from this pod?" Free.
  • kubectl-who-can — who has permission to do X.
  • rakkess — RBAC matrix view.
  • MKAT (Datadog) — Managed Kubernetes Auditing Toolkit (EKS-focused).

Container escape primitives

  • deepce — Docker escape enumeration.
  • CDK (Container DevOps Killchain) — container privesc / escape toolkit.
  • DEEPCE / amicontained — container detection / escapes.
  • botb (Break-out-the-Box) — older; still illustrative.
  • Known CVEs: CVE-2019-5736 (runC), CVE-2022-0185 (FUSE), leaky-vessels (Snyk 2024 runc / BuildKit).

Image scanning / triage

  • Trivy (Aqua) — vuln + secret + IaC; the default scanner. Free. See Security Scanning.
  • Grype (Anchore) — alternative.
  • dive — explore an image's layers; see what's inside.
  • dockle — container-image linting / best practice.
  • clair (RedHat) — older registry scanner.

Registry / supply chain

  • cosign verify at admission — see Image Supply Chain.
  • Sigstore tooling — see same.
  • falco-driver-loader / falcosidekick — runtime detection plug-ins; see Runtime Security.

Cloud-managed K8s specifics

  • EKS-specific: MKAT, IAM-policy-attribute analysis, pod-identity / IRSA review.
  • GKE-specific: Workload Identity audit, GKE-specific node-IAM checks.
  • AKS-specific: managed-identity binding review, RBAC drift.
  • See Cloud Pentesting for cloud-side credential harvesting.

Network policy / runtime

  • Cilium / NetworkPolicy editor (networkpolicy.io) — visualise / draft policies.
  • kubesec.io — hardening score.
  • Tracee / Falco — runtime detection of pod escapes.
  • Tetragon — eBPF enforcement.

Lab / training environments

  • Bust-a-Kube, Kubernetes-goat (Madhu Akula), Kubeoats, kctf (Google CTF), HackTheBox / TryHackMe k8s rooms.
  • kind / minikube / k3d — local clusters for lab work.

Pick this if…

  • External cluster pentest: kube-hunter + kube-bench.
  • Compliance / hardening posture: Kubescape or kubeaudit.
  • Post-foothold privesc: Peirates + Kdigger.
  • Image triage in CI: Trivy.
  • Cluster RBAC review: rakkess + kubectl-who-can.
  • Cloud-managed K8s recon: MKAT (EKS) + cloud-side toolkit.
  • Defender-side detection: Falco + Tetragon — see Runtime Security.

On this page