[ASENG-814] Replace GDOTV as preferred UI (#164)
d0g0x01 authored Feb 21, 2024
1 parent 569e3f4 commit 1eb7670
Showing 22 changed files with 1,561 additions and 456 deletions.
7 changes: 0 additions & 7 deletions DEVELOPER.md
Expand Up @@ -16,13 +16,6 @@ They are exposed here:
* Locally: http://127.0.0.1:8099/metrics
* Datadog: https://app.datadoghq.com/metric/summary?filter=kubehound.janusgraph


## MongoDB debug interface

A mongo express is deployed and allows you to browse the MongoDB. Thi service is accessible (the logs for this docker are not pushed to dd):
* http://127.0.0.1:8081


## Advanced command

In case of conflict/error, or just if you want to free some of your RAM, you can use `make system-test-clean` to destroy the backend stack dedicated to the system-test.
6 changes: 3 additions & 3 deletions Makefile
Expand Up @@ -37,9 +37,9 @@ endif

ifeq (,$(filter $(SYSTEM_TEST_CMD),$(MAKECMDGOALS)))
ifeq (${KUBEHOUND_ENV}, release)
DOCKER_COMPOSE_FILE_PATH += -f deployments/kubehound/docker-compose.release.yaml
DOCKER_COMPOSE_FILE_PATH += -f deployments/kubehound/docker-compose.release.yaml -f deployments/kubehound/docker-compose.ui.yaml
else ifeq (${KUBEHOUND_ENV}, dev)
DOCKER_COMPOSE_FILE_PATH += -f deployments/kubehound/docker-compose.dev.yaml
DOCKER_COMPOSE_FILE_PATH += -f deployments/kubehound/docker-compose.dev.yaml -f deployments/kubehound/docker-compose.ui.yaml
endif

# No API key is being set
Expand Down Expand Up @@ -87,7 +87,7 @@ endif
all: build

.PHONY: generate
generate: ## Generate code the application
generate: ## Generate code for the application
go generate $(BUILD_FLAGS) ./...

.PHONY: build
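Review bot: The added `-f deployments/kubehound/docker-compose.ui.yaml` is repeated verbatim on both the release and dev branches of the first hunk, so the two assignments now differ only in the env-specific file and any later change to the UI path has to be made twice. Since the UI file is wanted in both environments, append it once instead: leave the two branch lines as they were before this commit and add `DOCKER_COMPOSE_FILE_PATH += -f deployments/kubehound/docker-compose.ui.yaml` directly after the inner `endif`, still inside the enclosing `ifeq (,$(filter $(SYSTEM_TEST_CMD),$(MAKECMDGOALS)))` whose own `endif` lies outside the hunk. Note that when `KUBEHOUND_ENV` is neither `release` nor `dev` nothing is appended today, whereas the hoisted line would then add the UI file on its own; if that is unwanted, keep the line inside the inner conditional and document why. The second hunk only corrects the `generate` help comment.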
14 changes: 9 additions & 5 deletions README.md
Expand Up @@ -28,6 +28,9 @@ A Kubernetes attack graph tool allowing automated calculation of attack paths be
- [Infrastructure Setup](#infrastructure-setup)
- [Running Kubehound](#running-kubehound)
- [Using KubeHound Data](#using-kubehound-data)
- [Example queries](#example-queries)
- [Query data from your scripts](#query-data-from-your-scripts)
- [Python](#python)
- [Development](#development)
- [Build](#build)
- [Release build](#release-build)
Expand Down Expand Up @@ -133,7 +136,7 @@ Edit the variables (datadog env `DD_*` related and `KUBEHOUND_ENV`):
* `DD_API_KEY`: api key you created from https://app.datadoghq.com/ website

Note:
* `KUBEHOUND_ENV=dev` will build the images locally (and provide some local debugging containers e.g `mongo-express`)
* `KUBEHOUND_ENV=dev` will build the images locally
* `KUBEHOUND_ENV=release` will use prebuilt images from ghcr.io

### Running Kubehound
Expand Down Expand Up @@ -175,11 +178,12 @@ make help

## Using KubeHound Data

To query the KubeHound graph data requires using the [Gremlin](https://tinkerpop.apache.org/gremlin.html) query language via an API call or dedicated graph query UI. A number of graph query UIs are availble, but we recommend [gdotv](https://gdotv.com/). To access the KubeHound graph using `gdotv`:
To query the KubeHound graph data requires using the [Gremlin](https://tinkerpop.apache.org/gremlin.html) query language via an API call or dedicated graph query UI. A number of fully featured graph query UIs are available (both commercial and open source), but we provide an accompanying Jupyter notebook based on the [AWS Graph Notebook](https://github.com/aws/graph-notebook),to quickly showcase the capabilities of Kubehound. To access the UI:

+ Download and install the application from https://gdotv.com/
+ Create a connection to the local janusgraph instance by following the steps here https://docs.gdotv.com/connection-management/ and using `hostname=localhost`
+ Navigate to the query editor and enter a sample query e.g `g.V().count()`. See detailed instructions here: https://docs.gdotv.com/query-editor/#run-your-query
+ Visit [http://localhost:8888/notebooks/Kubehound.ipynb](http://localhost:8888/notebooks/Kubehound.ipynb) in your browser
+ Use the default password `admin` to login (note: this can be changed via the [Dockerfile](./deployments/kubehound/notebook/Dockerfile) or by setting the `NOTEBOOK_PASSWORD` environment variable in the [.env](./deployments/kubehound/.env.tpl) file)
+ Follow the initial setup instructions in the notebook to connect to the Kubehound graph and configure the rendering
+ Start running the queries and exploring the graph!

### Example queries

2 changes: 0 additions & 2 deletions deployments/kubehound/docker-compose.datadog.yaml
Expand Up @@ -20,8 +20,6 @@ services:
- DD_DOGSTATSD_NON_LOCAL_TRAFFIC=true
- DD_CONTAINER_LABELS_AS_TAGS={"com.docker.compose.service":"+app"}
- DD_CONTAINER_INCLUDE=name:kubehound-*
# https://github.com/DataDog/datadog-agent/issues/6599
- DD_CONTAINER_EXCLUDE=name:kubehound-dev-mongo-express
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /proc/:/host/proc/:ro
14 changes: 0 additions & 14 deletions deployments/kubehound/docker-compose.dev.yaml
Expand Up @@ -15,20 +15,6 @@ services:
volumes:
- kubegraph_data:/var/lib/janusgraph

mongo-express:
image: mongo-express:1.0.0-alpha
profiles: ["infra"]
container_name: ${COMPOSE_PROJECT_NAME}-mongo-express
restart: unless-stopped
depends_on:
- mongodb
ports:
- "127.0.0.1:8081:8081"
networks:
- kubenet
environment:
- ME_CONFIG_MONGODB_SERVER=mongodb

volumes:
mongodb_data:
kubegraph_data:
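--- a/deployments/kubehound/docker-compose.ui.yaml
+++ b/deployments/kubehound/docker-compose.ui.yaml
@@ -0,0 +1,15 @@
+version: "3.8"
+services:
+notebook:
+build: ./notebook/
+restart: unless-stopped
+container_name: ${COMPOSE_PROJECT_NAME}-notebook
+ports:
+- "127.0.0.1:8888:8888"
+networks:
+- kubenet
+volumes:
+- ./notebook/shared:/root/notebooks/shared
+
+networks:
+kubenet: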
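Review bot: The `notebook` service passes no `NOTEBOOK_PASSWORD` into the container (there is no `environment:` entry and no build `args:`), so unless the image under `./notebook/` picks it up some other way, the README text in this same commit saying the password can be set from the `.env` file does not hold and the documented default `admin` stays in effect for anyone who can reach the port. Declare it in the service, e.g. `environment:` followed by `- NOTEBOOK_PASSWORD=${NOTEBOOK_PASSWORD}` (add a `:-` fallback only if the image's built-in default is meant to remain), so the credential source is visible in the compose definition. Binding to `127.0.0.1:8888` is the right choice and keeps the notebook off external interfaces. Unlike the `mongo-express` service this commit removes, the new service carries no `profiles:` entry, so with `restart: unless-stopped` it comes up with every compose start of the stack; if it was meant to be opt-in like the old one, add `profiles: ["infra"]` or an equivalent.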
2 changes: 1 addition & 1 deletion deployments/kubehound/kubegraph/Dockerfile
Expand Up @@ -7,7 +7,7 @@ COPY dsl/kubehound/pom.xml /home/app
RUN mvn -f /home/app/pom.xml clean install

# Now build our janusgraph wrapper container with KubeHound customizations
FROM janusgraph/janusgraph:1.0.0-rc2
FROM janusgraph/janusgraph:1.0.0
LABEL org.opencontainers.image.source="https://github.com/DataDog/kubehound/"

# Add our initialization script for the database schema to the startup directory
6 changes: 2 additions & 4 deletions deployments/kubehound/kubegraph/kubehound-db-init.groovy
Expand Up @@ -151,15 +151,13 @@ roleBinding = mgmt.makePropertyKey('roleBinding').dataType(String.class).cardina


// Define properties for each vertex
mgmt.addProperties(container, cls, cluster, runID, storeID, app, team, service, isNamespaced, namespace, name, image, privileged, privesc, hostPid,
hostIpc, hostNetwork, runAsUser, podName, nodeName, compromised, command, args, capabilities, ports);
mgmt.addProperties(container, cls, cluster, runID, storeID, app, team, service, isNamespaced, namespace, name, image, privileged, privesc, hostPid, hostIpc, hostNetwork, runAsUser, podName, nodeName, compromised, command, args, capabilities, ports);
mgmt.addProperties(identity, cls, cluster, runID, storeID, app, team, service, name, isNamespaced, namespace, type, critical);
mgmt.addProperties(node, cls, cluster, runID, storeID, app, team, service, name, isNamespaced, namespace, compromised, critical);
mgmt.addProperties(pod, cls, cluster, runID, storeID, app, team, service, name, isNamespaced, namespace, sharedPs, serviceAccount, nodeName, compromised, critical);
mgmt.addProperties(permissionSet, cls, cluster, runID, storeID, app, team, service, name, isNamespaced, namespace, role, roleBinding, rules, critical);
mgmt.addProperties(volume, cls, cluster, runID, storeID, app, team, service, name, isNamespaced, namespace, type, sourcePath, mountPath, readonly);
mgmt.addProperties(endpoint, cls, cluster, runID, storeID, app, team, service, name, isNamespaced, namespace, serviceEndpoint, serviceDns, addressType,
addresses, port, portName, protocol, exposure, compromised);
mgmt.addProperties(endpoint, cls, cluster, runID, storeID, app, team, service, name, isNamespaced, namespace, serviceEndpoint, serviceDns, addressType, addresses, port, portName, protocol, exposure, compromised);


// Create the indexes on vertex properties