Self-Hosted Kubernetes Security Auditing: Kube-hunter vs Kubeaudit vs Peirates (2026)

Kubernetes clusters are complex distributed systems with dozens of potential attack surfaces: misconfigured RBAC, exposed API servers, privileged containers, writable host mounts, and insecure network policies. While compliance scanning and policy enforcement tools catch configuration drift, dedicated security auditing tools actively probe your cluster for vulnerabilities that automated policies miss.

In this guide, we compare three open-source Kubernetes security auditing tools: Kube-hunter from Aqua Security, Kubeaudit from Shopify, and Peirates from InGuardians. Each takes a fundamentally different approach — from external vulnerability hunting to configuration auditing to active penetration testing.

Overview

Kube-hunter

Kube-hunter is an open-source penetration testing tool developed by Aqua Security that actively hunts for security weaknesses in Kubernetes clusters. It can scan clusters from outside (remote mode), from within a pod (internal mode), or from a CI/CD pipeline. Kube-hunter simulates an attacker’s perspective, probing for misconfigurations, exposed services, and known vulnerabilities.

Key features:

• Remote scanning of Kubernetes API endpoints from outside the cluster
• Internal scanning from within a pod to detect lateral movement paths
• Active vulnerability discovery (not just passive scanning)
• Detection of exposed dashboards (Kubernetes Dashboard, Kibana, Grafana)
• Service account token harvesting and abuse detection
• Kubelet API exposure detection
• CIS benchmark alignment for known vulnerability categories

Installation and Usage

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

# Install via pip
pip install kube-hunter

# Run a remote scan against your cluster
kube-hunter --remote <cluster-ip-or-domain>

# Run from inside the cluster (deploy as a pod)
kubectl run kube-hunter --image=aquasec/kube-hunter:latest --rm -i --tty

# Run with JSON output for CI/CD integration
kube-hunter --remote <cluster-ip> --json > results.json

# Run with specific vulnerability categories
kube-hunter --remote <cluster-ip> --include HunterCategory=Access,Identity

Deploying as a Kubernetes Job

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

apiVersion: batch/v1
kind: Job
metadata:
  name: kube-hunter-scan
  namespace: security-audit
spec:
  template:
    spec:
      containers:
        - name: kube-hunter
          image: aquasec/kube-hunter:latest
          command: ["kube-hunter", "--pod", "--json", "--report", "/results/kube-hunter-results.json"]
          volumeMounts:
            - name: results
              mountPath: /results
      restartPolicy: Never
      volumes:
        - name: results
          emptyDir: {}
  backoffLimit: 0

Kubeaudit

Kubeaudit is a Kubernetes security auditing tool developed by Shopify. It checks clusters against a set of security best practices and produces actionable audit results. Unlike Kube-hunter’s active probing approach, kubeaudit performs static analysis of cluster resources against known security controls — making it ideal for CI/CD pipeline integration and continuous compliance monitoring.

Key features:

• Static analysis of Kubernetes resource manifests (YAML files)
• Live cluster auditing against running workloads
• Checks for privileged containers, host namespace sharing, and dangerous capabilities
• Detection of missing security contexts and resource limits
• Automated remediation suggestions with ready-to-apply patches
• Integration with Kubernetes admission controllers for pre-deployment checks
• Support for custom audit rules

Installation and Usage

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

# Install via Homebrew (macOS)
brew install kubeaudit

# Install via Go
go install github.com/Shopify/kubeaudit@latest

# Audit a running cluster
kubeaudit all

# Audit Kubernetes YAML manifests
kubeaudit all -f deployment.yaml

# Audit with JSON output for CI/CD
kubeaudit all --json

# Generate a report of all security issues
kubeaudit all --exitcode 2

CI/CD Pipeline Integration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

# GitHub Actions example for kubeaudit
name: K8s Security Audit
on: [push, pull_request]
jobs:
  kubeaudit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install kubeaudit
        run: |
          curl -sL https://github.com/Shopify/kubeaudit/releases/download/v0.22.0/kubeaudit_0.22.0_linux_amd64.tar.gz \
            -o kubeaudit.tar.gz
          tar -xzf kubeaudit.tar.gz kubeaudit
          chmod +x kubeaudit
      - name: Audit manifests
        run: |
          ./kubeaudit all -f k8s/ --exitcode 2

Peirates

Peirates is a Kubernetes penetration testing tool developed by InGuardians that automates the techniques attackers use to compromise Kubernetes clusters. Unlike passive scanners, Peirates actively exploits known vulnerabilities to demonstrate the real-world impact of security misconfigurations. It provides an interactive interface for security professionals to walk through attack paths.

Key features:

• Automated exploitation of common Kubernetes misconfigurations
• Service account token theft and privilege escalation
• Pod escape and host filesystem access techniques
• Secrets extraction from ConfigMaps, Secrets, and environment variables
• Lateral movement between pods and namespaces
• Persistent backdoor deployment for red team exercises
• Interactive menu-driven interface for guided penetration testing

Installation and Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Clone and build from source
git clone https://github.com/inguardians/peirates.git
cd peirates
go build -o peirates

# Run interactively
./peirates

# Deploy as a pod for in-cluster testing
kubectl run peirates --image=inguardians/peirates:latest --rm -i --tty -- \
  /bin/peirates --interactive

Example Attack Path Automation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

# Peirates automated scanning job
apiVersion: batch/v1
kind: Job
metadata:
  name: peirates-audit
  namespace: security-audit
spec:
  template:
    spec:
      serviceAccountName: peirates-sa
      containers:
        - name: peirates
          image: inguardians/peirates:latest
          command: ["/bin/peirates", "--scan", "--output", "/results/peirates-report.txt"]
          volumeMounts:
            - name: results
              mountPath: /results
      restartPolicy: Never
      volumes:
        - name: results
          emptyDir: {}
---
# Service account with read-only access for auditing
apiVersion: v1
kind: ServiceAccount
metadata:
  name: peirates-sa
  namespace: security-audit
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: peirates-readonly
subjects:
  - kind: ServiceAccount
    name: peirates-sa
    namespace: security-audit
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

Security Auditing Methodology Comparison

These three tools represent different layers of Kubernetes security testing:

Kube-hunter acts like an external penetration tester. It probes your cluster from outside (or inside) looking for known weaknesses — exposed API servers, unauthenticated Kubelets, vulnerable dashboard deployments. It reports what an attacker could find and exploit, making it ideal for periodic security assessments.

Kubeaudit functions as a compliance auditor. It checks every resource against a predefined set of security controls — no privileged containers, no hostPath mounts, proper security contexts, resource limits set. It produces structured audit reports with remediation guidance, making it perfect for CI/CD gates and continuous compliance.

Peirates is an active exploitation framework. It doesn’t just identify vulnerabilities — it demonstrates their impact by executing real attack paths. This makes it the most powerful but also the most dangerous tool. Use Peirates only in controlled environments (staging clusters, dedicated red-team exercises) where active exploitation is intentional and expected.

Why Self-Host Kubernetes Security Auditing?

Running your own security auditing tools provides critical advantages over relying solely on cloud provider security assessments:

Continuous security posture monitoring. Cloud providers scan their infrastructure, not your workloads. Self-hosted auditing tools let you run security checks on your schedule — before every deployment, after every configuration change, or on a nightly cron job. This catches misconfigurations the moment they occur, not weeks later during a quarterly audit.

Red team capability without external cost. Professional Kubernetes penetration tests cost $15,000-$50,000 per engagement. Tools like Peirates and Kube-hunter let your security team run realistic attack simulations on demand, identifying the same vulnerabilities an external tester would find — at zero marginal cost.

CI/CD pipeline integration. Embedding security auditing directly into your deployment pipeline prevents insecure configurations from reaching production. Kubeaudit’s manifest scanning can block deployments that violate security policies, while Kube-hunter can scan staging environments after deployment to catch runtime issues.

Regulatory compliance evidence. Frameworks like SOC 2, PCI-DSS, and HIPAA require documented security testing. Running regular self-hosted security audits produces the evidence auditors need — scan reports, remediation tracking, and historical security posture trends — without paying for external assessment fees.

For related Kubernetes security tools, see our container hardening guide and supply chain security overview.

FAQ

What is the difference between Kube-hunter, Kubeaudit, and Peirates?

Kube-hunter actively probes for vulnerabilities from an attacker’s perspective (both remotely and internally). Kubeaudit performs static security analysis of cluster resources against best practices, ideal for CI/CD gates. Peirates actively exploits vulnerabilities to demonstrate real-world attack paths, designed for red team exercises.

Can I use these tools in production?

Kubeaudit is safe for production — it performs read-only static analysis with no active exploitation. Kube-hunter can be run in production in read-only mode, but its active scanning probes may trigger alerts. Peirates should NEVER be run in production without explicit authorization — it actively exploits vulnerabilities and could disrupt workloads.

How often should I run Kubernetes security audits?

Run Kubeaudit on every deployment (CI/CD pipeline integration). Run Kube-hunter weekly or after significant cluster changes. Run Peirates quarterly during planned red-team exercises. The frequency depends on your risk tolerance, compliance requirements, and the rate of change in your cluster.

Do these tools replace a professional penetration test?

No. These tools automate known vulnerability detection and common attack patterns. A professional penetration test brings human expertise, creative attack vectors, and business-context analysis that automated tools cannot replicate. Use these tools for continuous security hygiene, and professional testers for comprehensive annual assessments.

Which tool should I use if I’m new to Kubernetes security?

Start with Kubeaudit. It provides clear, actionable security findings with remediation guidance. Run it against your manifests before deploying and against your cluster regularly. Once comfortable with basic security controls, add Kube-hunter for active vulnerability discovery. Peirates should be used only by experienced security professionals.

Can these tools detect RBAC misconfigurations?

Yes, all three tools audit RBAC configurations. Kube-hunter detects overly permissive service accounts and cluster-admin bindings. Kubeaudit checks for wildcard verbs, excessive permissions, and missing role restrictions. Peirates attempts to exploit RBAC misconfigurations by escalating privileges through overly permissive roles.

Are these tools still actively maintained?

Kubeaudit had its last major update in August 2024, and Kube-hunter in March 2024. While not actively developed, both tools cover well-established vulnerability categories that remain relevant. Peirates is the most recently updated (April 2026). Even with slower development cycles, these tools effectively detect fundamental Kubernetes security misconfigurations that persist across versions.