The Kubernetes attack surface within modern organizations is vast, often spanning tens or hundreds of thousands of containers. Understanding the interdependencies in a system of this scale, in particular the gaps opened by seemingly innocent configuration changes, is beyond human capability. As a result, the prevailing mental model for defending Kubernetes assets remains list-based: identifying vulnerable configurations of individual resources, one at a time. This illustrates the well-known adage: “Defenders think in lists, attackers think in graphs; as long as this is true, attackers win.”
The aim of the KubeHound project is to pivot the mental model of Kubernetes defense from list-based thinking to graph-based thinking. A graph database of Kubernetes attack paths can answer crucial questions for attackers and defenders alike:
- What percentage of internet-facing services have an exploitable path to a critical asset?
- What type of control would cut off the largest number of attack paths to a critical asset in a cluster?
- By what percentage were attack paths to a critical asset reduced by introducing a given control?
In short, single-point security findings have little traction: a finding such as “container X has dangerous privilege Y” is hard for defensive teams to prioritize and fix, particularly when it has no direct impact by itself (an over-privileged service account, for example). Because KubeHound produces a queryable graph database of attack paths, reasoning about security problems through data-driven testing of hypotheses becomes extremely efficient: the question is no longer “is this resource misconfigured?” but “does this misconfiguration sit on a path from an attacker's entry point to an asset that matters?”
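The following is an added example, not KubeHound's code or schema: a toy attack graph over a constructed six-pod cluster, with hypothetical node and edge names, that answers the three questions above with nothing but the standard library. Each edge means “an attacker who controls the source can obtain the target”; a control is modelled as the set of edges it removes. It also shows why a single-point finding is hard to prioritize: two containers are flagged as privileged, but only one of them sits on a path to the critical secret.

```python
"""Toy attack-path graph (added example; not KubeHound's data model)."""
from collections import defaultdict

# Constructed sample cluster. Node names and edge labels are hypothetical.
# (src, label, dst): control of `src` lets an attacker obtain `dst`.
EDGES = [
    ("endpoint:web", "EXPOSES", "container:web"),
    ("endpoint:api", "EXPOSES", "container:api"),
    ("endpoint:metrics", "EXPOSES", "container:metrics"),
    ("container:web", "RUNS_AS", "identity:web-sa"),
    ("container:api", "RUNS_AS", "identity:api-sa"),
    ("container:metrics", "RUNS_AS", "identity:metrics-sa"),
    ("identity:web-sa", "CAN_CREATE_POD", "node:worker-1"),
    ("identity:api-sa", "CAN_CREATE_POD", "node:worker-1"),
    ("container:api", "PRIVILEGED_ESCAPE", "node:worker-2"),
    # A list-based scan flags this privileged container too, but worker-3
    # leads nowhere, so it is on no attack path to the critical asset.
    ("container:metrics", "PRIVILEGED_ESCAPE", "node:worker-3"),
    ("node:worker-1", "HOSTS_TOKEN", "identity:cluster-admin"),
    ("node:worker-2", "HOSTS_TOKEN", "identity:cluster-admin"),
    ("identity:cluster-admin", "READS", "secret:db-creds"),
]

CRITICAL = "secret:db-creds"
ENDPOINTS = ["endpoint:web", "endpoint:api", "endpoint:metrics"]

# Hypothetical controls, each expressed as a predicate over edges it removes.
CONTROLS = {
    "rbac: drop pod-create from app service accounts":
        lambda e: e[1] == "CAN_CREATE_POD",
    "pod security: forbid privileged containers":
        lambda e: e[1] == "PRIVILEGED_ESCAPE",
    "node hardening: no admin token on worker-2":
        lambda e: e == ("node:worker-2", "HOSTS_TOKEN", "identity:cluster-admin"),
}


def build_graph(edges):
    """Adjacency list: node -> nodes reachable in one attacker step."""
    graph = defaultdict(list)
    for src, _label, dst in edges:
        graph[src].append(dst)
    return graph


def simple_paths(graph, start, target):
    """All simple (no repeated node) paths from start to target, via DFS."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:  # keep paths simple even if the graph has cycles
                stack.append((nxt, path + [nxt]))
    return paths


def attack_paths(edges, endpoints=ENDPOINTS, critical=CRITICAL):
    """Every attack path from an internet-facing endpoint to the critical asset."""
    graph = build_graph(edges)
    return [p for ep in endpoints for p in simple_paths(graph, ep, critical)]


def exposed_fraction(edges, endpoints=ENDPOINTS, critical=CRITICAL):
    """Q1: share of endpoints with at least one path to the critical asset."""
    graph = build_graph(edges)
    exposed = sum(1 for ep in endpoints if simple_paths(graph, ep, critical))
    return exposed / len(endpoints)


def apply_control(edges, removes):
    """Edge list with every edge matched by the control's predicate cut."""
    return [e for e in edges if not removes(e)]


def path_reduction(edges, removes, **kw):
    """Q3: fraction of endpoint->critical paths eliminated by one control."""
    before = len(attack_paths(edges, **kw))
    after = len(attack_paths(apply_control(edges, removes), **kw))
    return (before - after) / before if before else 0.0


def rank_controls(edges, controls=CONTROLS, **kw):
    """Q2: control names ordered by how many attack paths each one cuts."""
    scored = [(path_reduction(edges, fn, **kw), name) for name, fn in controls.items()]
    return [name for _score, name in sorted(scored, reverse=True)]


if __name__ == "__main__":
    for p in attack_paths(EDGES):
        print(" -> ".join(p))
    print(f"exposed endpoints: {exposed_fraction(EDGES):.0%}")
    for name in rank_controls(EDGES):
        print(f"{path_reduction(EDGES, CONTROLS[name]):.0%} of paths cut by: {name}")
```

On this constructed graph two of three endpoints reach the secret, and the RBAC control cuts two of the three paths while the privileged-container control cuts only one, even though the list view reports two privileged containers and two over-privileged service accounts as equally severe findings. In a real engagement the edge list would come from the cluster's RBAC, pod specs and node state rather than being typed in by hand.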