{"id":13521359,"url":"https://github.com/DataDog/KubeHound","last_synced_at":"2025-03-31T20:31:29.046Z","repository":{"id":197188755,"uuid":"640823067","full_name":"DataDog/KubeHound","owner":"DataDog","description":"Kubernetes Attack Graph","archived":false,"fork":false,"pushed_at":"2024-04-13T13:12:48.000Z","size":7015,"stargazers_count":614,"open_issues_count":13,"forks_count":29,"subscribers_count":11,"default_branch":"main","last_synced_at":"2024-04-14T03:37:17.488Z","etag":null,"topics":["adversary-emulation","attack-graph","attack-paths","cloud-native-security","exploit","kubernetes","kubernetes-security","mitre-attack","purple-team","red-team","security-audit","security-automation","security-tools"],"latest_commit_sha":null,"homepage":"https://kubehound.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DataDog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-05-15T07:48:42.000Z","updated_at":"2024-06-11T19:20:30.876Z","dependencies_parsed_at":null,"dependency_job_id":"38cf2ce6-fb44-479c-bedc-935c60e80002","html_url":"https://github.com/DataDog/KubeHound","commit_stats":null,"previous_names":["datadog/kubehound"],"tags_count":23,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2FKubeHound","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2FKubeHound/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2FKubeHound/releases","manifests_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DataDog%2FKubeHound/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DataDog","download_url":"https://codeload.github.com/DataDog/KubeHound/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246535907,"owners_count":20793350,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["adversary-emulation","attack-graph","attack-paths","cloud-native-security","exploit","kubernetes","kubernetes-security","mitre-attack","purple-team","red-team","security-audit","security-automation","security-tools"],"created_at":"2024-08-01T06:00:33.279Z","updated_at":"2025-03-31T20:31:29.038Z","avatar_url":"https://github.com/DataDog.png","language":"Go","readme":"# KubeHound\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./docs/logo.png\" alt=\"KubeHound\" width=\"300\" /\u003e\n\u003c/p\u003e\nA Kubernetes attack graph tool allowing automated calculation of attack paths between assets in a cluster.\n\n## Quick Start\n\n### Requirements\n\nTo run KubeHound, you need a couple dependencies\n+ [Docker](https://docs.docker.com/engine/install/) `\u003e= 19.03` \n+ [Docker Compose](https://docs.docker.com/compose/compose-file/compose-versioning/) `V2`\n\n### Install\n\n#### From Release\n\nDownload binaries are available for Linux / Windows / Mac OS via the [releases](https://github.com/DataDog/KubeHound/releases) page or by running the following (Mac OS/Linux):\n```bash\nwget https://github.com/DataDog/KubeHound/releases/latest/download/kubehound-$(uname -o | sed 
's/GNU\\///g')-$(uname -m) -O kubehound\nchmod +x kubehound\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eMacOS Notes\u003c/summary\u003e\n\nIf downloading the releases via a browser you must run e.g. `xattr -d com.apple.quarantine kubehound` before running to prevent [MacOS blocking execution](https://support.apple.com/en-gb/guide/mac-help/mchleab3a043/mac)\n\n\u003c/details\u003e\n\n#### With homebrew\n\nKubeHound is available in homebrew-core and you can simply run\n```bash\nbrew update \u0026\u0026 brew install kubehound\n```\n\n`kubehound` should now be in your path.\n\n#### From source\n\nIf you wish to build KubeHound from source, you will need to check out a tag before building\n```bash\ngit clone https://github.com/DataDog/KubeHound.git\ncd KubeHound\ngit checkout $(git describe --tags --abbrev=0)\nmake build\n```\n\nThe KubeHound binary will be output to `./bin/build/kubehound`.\n\n### Run\n\nSelect a target Kubernetes cluster, either:\n* Using [kubectx](https://github.com/ahmetb/kubectx)\n* Using a specific kubeconfig file by exporting the env variable: `export KUBECONFIG=/your/path/to/.kube/config`\n\nThen, simply run the `kubehound` binary:\n```bash\n# If you installed it from brew, it is in your path\nkubehound\n\n# If you installed it from release, it should be where you downloaded it\n./kubehound\n\n# If you installed it from source, it should be in the \u003crepo_path\u003e/bin/build folder\n./bin/build/kubehound\n```\n\nFor more advanced use cases and configuration, see \n\n* [advanced configuration](https://kubehound.io/user-guide/advanced-configuration/): all the settings available through the configuration file.\n* [common operations](https://kubehound.io/user-guide/common-operations/): the commands available from the KubeHound binary (`dump` / `ingest`).\n* [common errors](https://kubehound.io/user-guide/troubleshooting/): troubleshooting guide.\n\n\u003e Note: \n  KubeHound can be deployed as a service (KHaaS), [for more 
information](https://kubehound.io/khaas/getting-started/).\n\n## Using KubeHound Data\n\nQuerying the KubeHound graph data requires using the [Gremlin](https://tinkerpop.apache.org/gremlin.html) query language via an API call or dedicated graph query UI. A number of fully featured graph query UIs are available (both commercial and open source), but we provide an accompanying Jupyter notebook based on the [AWS Graph Notebook](https://github.com/aws/graph-notebook), to quickly showcase the capabilities of KubeHound. To access the UI:\n\n+ Visit [http://localhost:8888/notebooks/KubeHound.ipynb](http://localhost:8888/notebooks/KubeHound.ipynb) in your browser\n+ Use the default password `admin` to login (note: this can be changed via the [Dockerfile](./deployments/kubehound/notebook/Dockerfile) or by setting the `NOTEBOOK_PASSWORD` environment variable in the [.env](./deployments/kubehound/.env.tpl) file)\n+ Follow the initial setup instructions in the notebook to connect to the KubeHound graph and configure the rendering\n+ Start running the queries and exploring the graph!\n\n### Example queries\n\nWe have documented a few sample queries to execute on the database in [our documentation](https://kubehound.io/queries/gremlin/). A specific DSL has been developed to query the Graph for the most basic use cases ([KubeHound DSL](https://kubehound.io/queries/dsl/)).\n\n## Sample Attack Path\n\n![Example Path](./docs/images/example-graph.png)\n\n### Sample Data\n\nTo view a sample graph demonstrating attacks in a very, very vulnerable cluster you can generate data via running the app against the provided kind cluster:\n\n```bash\nmake sample-graph\n```\n\nTo view the generated graph see the [Using KubeHound Data](#using-kubehound-data) section. \n\n## Query data from your scripts\n\nIf you expose the graph endpoint you can automate some queries to gather some KPI and metadata for instance. 
\n\n### Python\n\nYou can query the database data in your python script by using the following snippet:\n\n```python\n#!/usr/bin/env python\nimport sys\nfrom gremlin_python.driver.client import Client\n\nKH_QUERY = \"kh.containers().count()\"\nc = Client(\"ws://127.0.0.1:8182/gremlin\", \"kh\")\nresults = c.submit(KH_QUERY).all().result()\n```\n\nYou'll need to install `gremlinpython` as a dependency via: `pip install gremlinpython`\n\n## Further information\n\n+ For an overview of the application architecture see the [design canvas](./docs/Architecture.excalidraw)\n+ To see the attacks covered see the [edge definitions](./docs/reference/attacks)\n+ To contribute a new attack to the project follow the [contribution guidelines](./CONTRIBUTING.md)\n\n## Acknowledgements\n\nKubeHound was created by the Adversary Simulation Engineering (ASE) team at Datadog:\n\n+ Jeremy Fox [@0xff6a](https://www.twitter.com/0xff6a)\n+ Julien Terriac\n+ Edouard Schweisguth [@edznux](https://www.twitter.com/edznux)\n\nWith additional support from:\n\n+ Christophe Tafani-Dereeper [@christophetd](https://twitter.com/christophetd)\n\nWe would also like to acknowledge the [BloodHound](https://github.com/BloodHoundAD/BloodHound) team for pioneering the use of graph theory in offensive security and inspiring us to create this project. \n","funding_links":[],"categories":["文章","Go","Kubernetes cluster security"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDataDog%2FKubeHound","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FDataDog%2FKubeHound","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FDataDog%2FKubeHound/lists"}