Create documentation website (#92)

Hosted on GitHub pages and generated through mkdocs
DataDog · Aug 11, 2023 · f77d26a · f77d26a
1 parent f0b1dc9
commit f77d26a
Show file tree

Hide file tree

Showing 56 changed files with 4,502 additions and 174 deletions.
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -0,0 +1,34 @@
+name: generate-docs
+on:
+  workflow_dispatch: {} # allow manually triggering the workflow
+  push:
+    branches:
+      - main
+    paths:
+      - "docs/**"
+      - mkdocs.yml
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    permissions:
+      contents: write  # for mkdocs gh-deploy to publish docs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
+      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
+        with:
+          python-version: 3.x
+      - run: pip install mkdocs-material mkdocs-awesome-pages-plugin
+      - run: mkdocs gh-deploy --force
diff --git a/docs/application/DEVELOPER.md → DEVELOPER.md b/docs/application/DEVELOPER.md → DEVELOPER.md
diff --git a/docs/application/Architecture.excalidraw → docs/Architecture.excalidraw b/docs/application/Architecture.excalidraw → docs/Architecture.excalidraw
diff --git a/docs/architecture.md b/docs/architecture.md
@@ -0,0 +1,23 @@
+# Architecture
+
+KubeHound works in 3 steps:
+
+1. Connect to your Kubernetes cluster and read API resources (pods, nodes, permissions...)
+2. Compute attack paths
+3. Write the results to a local graph database (JanusGraph)
+
+After the initial ingestion is done, you use a compatible client (such as [gdotv](https://gdotv.com/)) to visualize and query attack paths in your cluster.
+
+<!-- TODO: use proper captioning instead of center-->
+<center>
+[![KubeHound architecture](./images/kubehound-high-level.png)](./images/kubehound-high-level.png)
+<p><em>KubeHound architecture (click to enlarge)</em></p>
+</center>
+
+Under the hood, KubeHound leverages a caching and persistence layer (Redis and MongoDB) while computing attack paths. As an end user, this is mostly transparent to you.
+
+<!-- TODO: use proper captioning instead of center-->
+<center>
+[![KubeHound architecture](./images/kubehound-detailed.png)](./images/kubehound-detailed.png)
+<p><em>KubeHound detailed architecture (click to enlarge)</em></p>
+</center>
diff --git a/docs/comparison.md b/docs/comparison.md
@@ -0,0 +1,34 @@
+# Comparison with other tools
+
+## Lyft's [Cartography](https://github.com/lyft/cartography)
+
+Cartography has a [Kubernetes module](https://lyft.github.io/cartography/modules/kubernetes/index.html). While useful to vizualize a cluster, it only has a few types of resources and relationships. Consequently, it cannot be used for mapping attack paths in a Kubernetes cluster.
+
+## [BloodHound](https://github.com/SpecterOps/BloodHound)
+
+BloodHound is one of the first projects (and certainly the most popular) that introduced attack graphs mapping. It is currently focused on Active Directory and [Azure](https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html) environments, and does not support Kubernetes.
+
+## [BOtB](https://github.com/brompwnie/botb)
+
+BOtB is a pentesting tool that attempts to exploit common weaknesses. It runs from inside a compromised container. While very useful when performing a blackbox assessment, it doesn't have a full view of the cluster and does not attempt to find cluster-wide attack paths.
+
+
+## [BOtB](https://github.com/brompwnie/botb)
+
+BOtB is a pentesting tool that attempts to exploit common weaknesses. It runs from inside a compromised container. While very useful when performing a blackbox assessment, it doesn't have a full view of the cluster and does not attempt to find cluster-wide attack paths.
+
+## [peirates](https://github.com/inguardians/peirates)
+
+Similarly to BOtB, peirates is an offensive tool running from inside a pod. It doesn't have a full view of the cluster and does not attempt to find cluster-wide attack paths.
+
+## [rbac-police](https://github.com/PaloAltoNetworks/rbac-police)
+
+rbac-police allows you to retrieve the permissions associated to a specific identity in the cluster, which makes it easier to understand who has access to what. However, it does not look for attack paths in the cluster - it's focused on showing effective permissions of an identity.
+
+## [KubiScan](https://github.com/cyberark/KubiScan)
+
+KubeScan scans a Kubernetes cluster for risky permissions that allow an identity to escalate its privileges inside the cluster. It does not look for other types of attacks in the cluster, nor does it attempt to build an attack graph.
+
+## [kdigger](https://github.com/quarkslab/kdigger)
+
+Similarly to BOtB and peirates, kdigger runs from a compromised pod and attempts to retrieve information about the cluster and potential weaknesses. It does not have a full cluster view, nor does it attempt to build attack paths on a graph.
diff --git a/docs/contributing.md b/docs/contributing.md
@@ -0,0 +1,3 @@
+# Contributing
+
+Contributions are welcome! Refer to the [CONTRIBUTING](https://github.com/DataDog/KubeHound/blob/main/CONTRIBUTING.md) guide on how you can contribute to KubeHound, and what to expect.
diff --git a/docs/faq.md b/docs/faq.md
@@ -0,0 +1,3 @@
+# Frequently Asked Questions
+
+TODO
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# Contributing

		Contributions are welcome! Refer to the [CONTRIBUTING](https://github.com/DataDog/KubeHound/blob/main/CONTRIBUTING.md) guide on how you can contribute to KubeHound, and what to expect.