Deploying KHaaS - Ingestor stack
deprecated
The kubehound-ingestor has been deprecated since v1.5.0 and renamed to kubehound-binary.
Docker deployment
To run the KubeHound as a Service with docker just use the following compose files:
cd ./deployments/kubehound
docker compose -f docker-compose.yaml -f docker-compose.release.yaml -f docker-compose.release.ingestor.yaml --profile jupyter up -d
By default the endpoints are only exposed locally:
127.0.0.1:9000for ingestor endpoint.127.0.0.1:8888for the UI.
For the UI 2 profiles (--profile) are available, you need to pick one:
jupyterto spawn a Jupyter backend compatible with Janusgraph endpoint (aws graph-notebook).invanato spawn the Invana Studio, a dedicated UI for Janusgraph (this is also deploying the invana backend). We do not encourage to use as it is not maintained anymore.
Warning
You should change the default password by editing NOTEBOOK_PASSWORD=<your_password> in the docker-compose.yaml
k8s deployment
To run the KubeHound as a Service on Kubernetes just use the following helm files:
If it succeeded you should see the deployment listed:
$ helm ls -A
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
khaas khaas 1 2024-07-30 19:04:37.0575 +0200 CEST deployed kubehound-0.0.1
Note
This is an example to deploy KubeHound as a Service in k8s cluster, but you will need to adapt it to your own environment.
k8s collector
When deploying the collector inside a k8s cluster, we need to configure one of the following variable:
KH_K8S_CLUSTER_NAME: variable indicating the name of the targetted k8s cluster
RBAC requirements
In order for the collector to work it needs access to the k8s API and the following k8s ClusterRole:
| apiGroups | resources | verb |
|---|---|---|
| rbac.authorization.k8s.io | roles rolebindings clusterroles clusterrolebindings |
get list |
| pods nodes |
get list |
|
| discovery.k8s.io | endpointslices | get list |
The definition of the k8s RBAC can find here: