Home

Awesome

KubeHound

<p align="center"> <img src="./docs/logo.png" alt="KubeHound" width="300" /> </p> A Kubernetes attack graph tool allowing automated calculation of attack paths between assets in a cluster.

Quick Start

Requirements

To run KubeHound, you need a couple dependencies

Install and run

Select a target Kubernetes cluster, either:

Download binaries are available for Linux / Windows / Mac OS via the releases page or by running the following (Mac OS/Linux):

wget https://github.com/DataDog/KubeHound/releases/latest/download/kubehound-$(uname -o | sed 's/GNU\///g')-$(uname -m) -O kubehound
chmod +x kubehound
<details> <summary>MacOS Notes</summary>

If downloading the releases via a browser you must run e.g xattr -d com.apple.quarantine kubehound before running to prevent MacOS blocking execution

</details>

Then, simply run

./kubehound

For more advanced use case and configuration, see

Note: KubeHound can be deployed as a serivce (KHaaS), for more information.

Using KubeHound Data

To query the KubeHound graph data requires using the Gremlin query language via an API call or dedicated graph query UI. A number of fully featured graph query UIs are available (both commercial and open source), but we provide an accompanying Jupyter notebook based on the AWS Graph Notebook,to quickly showcase the capabilities of KubeHound. To access the UI:

Example queries

We have documented a few sample queries to execute on the database in our documentation. A specific DSL has been developped to query the Graph for the most basic use cases (KubeHound DSL).

Sample Attack Path

Example Path

Sample Data

To view a sample graph demonstrating attacks in a very, very vulnerable cluster you can generate data via running the app against the provided kind cluster:

make sample-graph

To view the generated graph see the Using KubeHound Data section.

Query data from your scripts

If you expose the graph endpoint you can automate some queries to gather some KPI and metadata for instance.

Python

You can query the database data in your python script by using the following snippet:

#!/usr/bin/env python
import sys
from gremlin_python.driver.client import Client

KH_QUERY = "kh.containers().count()"
c = Client("ws://127.0.0.1:8182/gremlin", "kh")
results = c.submit(KH_QUERY).all().result()

You'll need to install gremlinpython as a dependency via: pip install gremlinpython

Further information

Acknowledgements

KubeHound was created by the Adversary Simulation Engineering (ASE) team at Datadog:

With additional support from:

We would also like to acknowledge the BloodHound team for pioneering the use of graph theory in offensive security and inspiring us to create this project.