| Term | Definition |
|---|---|
| Graph | A data type that represents complex, non-linear relationships between objects |
| Vertex | The fundamental unit from which graphs are formed (also known as a "node") |
| Edge | A connection between two vertices (also known as a "relationship") |
| Path | A sequence of edges that joins a sequence of vertices |
| Traversal | The process of visiting (checking and/or updating) each vertex in a graph |
An abstract representation of a Kubernetes component. Entities form the vertices (nodes) of the attack graph. They do not necessarily have a one-to-one mapping to Kubernetes objects; instead, each represents a related construct in an attacker's mental model of the system. Every entity can be tied back to the one or more Kubernetes objects from which it was derived via its vertex properties.
For instance, the PermissionSet entity abstracts the Kubernetes ClusterRole objects that have a
All edges in the KubeHound graph represent a net "improvement" in an attacker's position or a lateral movement opportunity. Thus, if an edge connects two vertices, we know immediately that an attacker who controls the source vertex can move to the target vertex. As such, the terms attack and edge are used interchangeably throughout the project.
An entity in KubeHound whose compromise would result in cluster admin (or equivalent) level access.
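The following is an added example, written for this page and not part of KubeHound's code, that ties the terms above together: entities are vertices carrying properties that point back to Kubernetes objects, attacks are directed edges, and a traversal from a starting entity enumerates paths to a critical asset. The entity names, attack labels (`identity_assume`, `container_escape`, `token_steal`, `permission_discover`) and the sample cluster data are all constructed for illustration and are not KubeHound's own identifiers.

```python
"""Toy attack graph illustrating the KubeHound terminology.

Added example, not KubeHound's own code. Entity names, attack labels and the
sample cluster below are constructed for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Vertex:
    """An entity (vertex). `properties` ties the entity back to the
    Kubernetes object(s) it was derived from."""
    label: str                                   # entity type, e.g. "Container"
    name: str                                    # unique within the graph
    properties: Tuple[Tuple[str, str], ...] = () # (key, value) pairs
    critical: bool = False                       # True for a critical asset


@dataclass(frozen=True)
class Edge:
    """An attack (edge): a one-way improvement in the attacker's position."""
    attack: str
    src: str
    dst: str


class AttackGraph:
    def __init__(self) -> None:
        self.vertices: Dict[str, Vertex] = {}
        self.out: Dict[str, List[Edge]] = defaultdict(list)

    def add_vertex(self, v: Vertex) -> None:
        self.vertices[v.name] = v

    def add_edge(self, attack: str, src: str, dst: str) -> None:
        for n in (src, dst):
            if n not in self.vertices:
                raise KeyError(f"unknown vertex {n!r}")
        self.out[src].append(Edge(attack, src, dst))

    def traverse(self, start: str) -> Set[str]:
        """Breadth-first traversal. Because every edge is an attack, every
        vertex visited is one an attacker holding `start` can reach."""
        seen, queue = {start}, deque([start])
        while queue:
            cur = queue.popleft()
            for e in self.out[cur]:
                if e.dst not in seen:
                    seen.add(e.dst)
                    queue.append(e.dst)
        return seen

    def paths_to_critical(self, start: str, max_depth: int = 6) -> List[List[Edge]]:
        """Enumerate simple paths (no repeated vertex) from `start` to any
        critical asset, at most `max_depth` edges long."""
        results: List[List[Edge]] = []

        def walk(cur: str, path: List[Edge], visited: Set[str]) -> None:
            if self.vertices[cur].critical and path:
                results.append(list(path))   # stop at the first critical asset
                return
            if len(path) >= max_depth:
                return
            for e in self.out[cur]:
                if e.dst in visited:
                    continue
                path.append(e)
                walk(e.dst, path, visited | {e.dst})
                path.pop()

        walk(start, [], {start})
        return results


def describe(path: List[Edge]) -> str:
    """Render a path as 'src -[attack]-> dst -[attack]-> ...'."""
    out = path[0].src
    for e in path:
        out += f" -[{e.attack}]-> {e.dst}"
    return out


def build_sample_graph() -> AttackGraph:
    """Constructed sample cluster (hypothetical, not from a real scan)."""
    g = AttackGraph()
    g.add_vertex(Vertex("Container", "web", (("namespace", "shop"), ("pod", "web-7d9f"), ("privileged", "true"))))
    g.add_vertex(Vertex("Container", "batch", (("namespace", "shop"), ("pod", "batch-1"))))
    g.add_vertex(Vertex("Identity", "sa:shop/web", (("kind", "ServiceAccount"),)))
    g.add_vertex(Vertex("PermissionSet", "cr:secrets-reader",
                        (("ClusterRole", "secrets-reader"), ("ClusterRoleBinding", "web-secrets"))))
    g.add_vertex(Vertex("Node", "worker-1", (("kind", "Node"),)))
    g.add_vertex(Vertex("Identity", "system:node:worker-1", (("kind", "User"),)))
    g.add_vertex(Vertex("PermissionSet", "cr:cluster-admin",
                        (("ClusterRole", "cluster-admin"), ("ClusterRoleBinding", "node-admin")), critical=True))
    g.add_edge("identity_assume", "web", "sa:shop/web")              # pod runs as this SA
    g.add_edge("permission_discover", "sa:shop/web", "cr:secrets-reader")
    g.add_edge("container_escape", "web", "worker-1")                # privileged container
    g.add_edge("token_steal", "worker-1", "system:node:worker-1")    # node credentials on the host
    g.add_edge("permission_discover", "system:node:worker-1", "cr:cluster-admin")  # misbound node identity
    g.add_edge("identity_assume", "batch", "sa:shop/web")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("reachable from web:", sorted(g.traverse("web")))
    for p in g.paths_to_critical("web"):
        print(describe(p))
    print("paths from batch:", g.paths_to_critical("batch"))
```

Running the block shows the `web` container reaching the critical `cr:cluster-admin` PermissionSet through three attacks, while `batch` can only reach `cr:secrets-reader`: the graph encodes which compromises matter, and the path, not the individual vertex, is what a practitioner prioritises for remediation.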