KubeHound: Create a graph of attack paths in a Kubernetes cluster

KubeHound creates a graph of attack paths in a Kubernetes cluster, allowing you to identify direct and multi-hop routes an attacker can take, visually or through complex graph queries.

KubeHound can identify more than 25 attacks, from container escapes to lateral movement.

After it has ingested data from your cluster, it can easily answer advanced questions such as:

  • What are all possible container escapes in the cluster?
  • What is the shortest exploitable path between a publicly-exposed service and a cluster administrator role?
  • Is there an attack path from a specific container to a node in the cluster?
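The three questions above are graph queries: a container escape is an edge from a Container vertex to a Node vertex, "shortest exploitable path" is a hop-minimal path search, and "is there a path" is plain reachability. The following added example (not KubeHound code, and not the project's query language) models a small attack graph in pure Python and answers each question over it, so the shape of the queries can be studied offline. The vertex labels (Endpoint, Container, Identity, PermissionSet, Node) and the `CE_` prefix for container-escape edges follow KubeHound's documented model; the edge names are chosen to resemble KubeHound's attack names but should be treated as illustrative, and the cluster data itself is constructed for this example. KubeHound's real graph lives in JanusGraph and is queried with Gremlin, not with this class.

```python
"""Toy attack-path graph answering the three KubeHound example questions.

Added illustration, not KubeHound code. Vertex labels follow KubeHound's
model; edge names resemble its attack names but are illustrative; the
cluster below is constructed sample data.
"""
from collections import deque
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Edge = Tuple[str, str, str]        # (source vertex, attack label, target vertex)
Path = List[str]                   # vertex, edge label, vertex, edge label, ..., vertex


class AttackGraph:
    def __init__(self, vertices: Dict[str, Tuple[str, dict]], edges: Iterable[Edge]):
        self.vertices = vertices                       # id -> (label, properties)
        self.out: Dict[str, List[Tuple[str, str]]] = {v: [] for v in vertices}
        for src, lab, dst in edges:
            if src not in vertices or dst not in vertices:
                raise ValueError(f"dangling edge {src} -{lab}-> {dst}")
            self.out[src].append((lab, dst))

    def label(self, v: str) -> str:
        return self.vertices[v][0]

    def prop(self, v: str, key: str, default=None):
        return self.vertices[v][1].get(key, default)

    # Question 1: every CE_* edge leaving a Container and landing on a Node.
    def container_escapes(self) -> List[Edge]:
        return [(src, lab, dst)
                for src in self.out if self.label(src) == "Container"
                for lab, dst in self.out[src]
                if lab.startswith("CE_") and self.label(dst) == "Node"]

    # Multi-source BFS: every edge counts as one hop, so the first target
    # dequeued lies on a hop-minimal path. Returns None if unreachable.
    def shortest_path(self, sources: Iterable[str],
                      is_target: Callable[[str], bool]) -> Optional[Path]:
        parent: Dict[str, Optional[Tuple[str, str]]] = {s: None for s in sources}
        queue = deque(parent)
        while queue:
            v = queue.popleft()
            if is_target(v):
                path: Path = [v]
                while parent[v] is not None:           # walk parents back to a source
                    prev, lab = parent[v]
                    path[:0] = [prev, lab]
                    v = prev
                return path
            for lab, w in self.out[v]:
                if w not in parent:                    # first visit is the shortest
                    parent[w] = (v, lab)
                    queue.append(w)
        return None

    # Question 2: hop-minimal path from any externally exposed Endpoint to a
    # PermissionSet flagged critical (missing flag counts as non-critical).
    def shortest_exposed_to_critical(self) -> Optional[Path]:
        exposed = [v for v in self.vertices
                   if self.label(v) == "Endpoint" and self.prop(v, "exposure") == "external"]
        return self.shortest_path(
            exposed, lambda v: self.label(v) == "PermissionSet" and self.prop(v, "critical") is True)

    # Question 3: can this container reach any Node at all?
    def path_to_node(self, container: str) -> Optional[Path]:
        return self.shortest_path([container], lambda v: self.label(v) == "Node")


def hops(path: Path) -> int:
    return (len(path) - 1) // 2


def build_sample_cluster() -> AttackGraph:
    """Constructed sample data: a web pod whose role can exec into a privileged
    log agent, which both escapes to its node and holds a cluster-admin identity;
    a batch pod with no route to any node."""
    vertices = {
        "ep:web":            ("Endpoint",      {"name": "web-svc", "exposure": "external"}),
        "c:web":             ("Container",     {"name": "web", "privileged": False}),
        "id:web-sa":         ("Identity",      {"name": "web-sa"}),
        "ps:web-role":       ("PermissionSet", {"name": "web-role", "critical": False}),
        "c:log-agent":       ("Container",     {"name": "log-agent", "privileged": True}),
        "id:agent-sa":       ("Identity",      {"name": "log-agent-sa"}),
        "n:worker-1":        ("Node",          {"name": "worker-1"}),
        "id:node-admin-sa":  ("Identity",      {"name": "node-admin-sa"}),
        "ps:cluster-admin":  ("PermissionSet", {"name": "cluster-admin", "critical": True}),
        "c:batch":           ("Container",     {"name": "batch", "privileged": False}),
        "id:batch-sa":       ("Identity",      {"name": "batch-sa"}),
        "ps:batch-role":     ("PermissionSet", {"name": "batch-role", "critical": False}),
    }
    edges = [
        ("ep:web",           "ENDPOINT_EXPLOIT",    "c:web"),
        ("c:web",            "IDENTITY_ASSUME",     "id:web-sa"),
        ("id:web-sa",        "PERMISSION_DISCOVER", "ps:web-role"),
        ("ps:web-role",      "POD_EXEC",            "c:log-agent"),
        ("c:log-agent",      "CE_PRIV_MOUNT",       "n:worker-1"),   # privileged: mount host disk
        ("c:log-agent",      "CE_NSENTER",          "n:worker-1"),   # privileged + hostPID
        ("c:log-agent",      "IDENTITY_ASSUME",     "id:agent-sa"),
        ("id:agent-sa",      "PERMISSION_DISCOVER", "ps:cluster-admin"),
        ("n:worker-1",       "TOKEN_STEAL",         "id:node-admin-sa"),
        ("id:node-admin-sa", "PERMISSION_DISCOVER", "ps:cluster-admin"),
        ("c:batch",          "IDENTITY_ASSUME",     "id:batch-sa"),
        ("id:batch-sa",      "PERMISSION_DISCOVER", "ps:batch-role"),
    ]
    return AttackGraph(vertices, edges)


if __name__ == "__main__":
    g = build_sample_cluster()
    print("container escapes:", g.container_escapes())
    p = g.shortest_exposed_to_critical()
    print(f"exposed -> critical in {hops(p)} hops:", " -> ".join(p))
    print("batch can reach a node:", g.path_to_node("c:batch") is not None)
```

Two points carry over to the real tool. The shortest exposed-to-critical route here goes through the stolen agent identity (6 hops) rather than through the node (7 hops), which is why a hop-minimal search, not just reachability, is what the second question asks for. And the "critical" check is a property on the PermissionSet vertex, so what counts as a cluster administrator is data in the graph rather than something hard-coded in the query.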

KubeHound was built with efficiency in mind and can consequently handle very large clusters. Ingestion and computation of attack paths typically take a few seconds for a cluster with 1’000 running pods, 2 minutes for 10’000 pods, and 5 minutes for 25’000 pods.

Architecture

KubeHound works in 3 steps:

  1. Connect to your Kubernetes cluster and read API resources (pods, nodes, permissions…)
  2. Compute attack paths
  3. Write the results to a local graph database (JanusGraph)

After the initial ingestion is done, you use a Gremlin-compatible graph client or the provided Jupyter Notebook to visualize and query attack paths in your cluster.

Under the hood, KubeHound leverages a caching and persistence layer (Redis and MongoDB) while computing attack paths. As an end user, this is mostly transparent to you.


Install & Use

Copyright 2023-Present Datadog, Inc.