From f80217499bed72e72d2e336765f0de2f9576d87a Mon Sep 17 00:00:00 2001
From: jt-dd <112463504+jt-dd@users.noreply.github.com>
Date: Wed, 9 Oct 2024 14:48:12 +0200
Subject: [PATCH] Fix local dev env with datadog (#279)
---
deployments/kubehound/README.md | 2 +-
.../docker-compose.dev.ingestor.yaml | 4 +
.../docker-compose.release.ingestor.yaml | 17 +--
deployments/kubehound/kubehound.env.tpl | 14 ++
docs/khaas/deployment.md | 2 +-
docs/user-guide/khaas-101.md | 142 ------------------
6 files changed, 22 insertions(+), 159 deletions(-)
create mode 100644 deployments/kubehound/kubehound.env.tpl
delete mode 100644 docs/user-guide/khaas-101.md
diff --git a/deployments/kubehound/README.md b/deployments/kubehound/README.md
index 0eeda5c25..871434768 100644
--- a/deployments/kubehound/README.md
+++ b/deployments/kubehound/README.md
@@ -10,4 +10,4 @@ If you want you can also use directly the compose files without `kubehound` bina
 ## KubeHound as a Service - ingestor - Docker deployment
-To deploy KHaaS ingestor services please refer to [docker-deployment](https://kubehound.io/user-guide/khaas-101/#docker-deployment)
\ No newline at end of file
+To deploy KHaaS ingestor services please refer to [docker-deployment](https://kubehound.io/user-guide/khaas-101/#docker-deployment)
diff --git a/deployments/kubehound/docker-compose.dev.ingestor.yaml b/deployments/kubehound/docker-compose.dev.ingestor.yaml
index 1cce289ed..b443768bd 100644
--- a/deployments/kubehound/docker-compose.dev.ingestor.yaml
+++ b/deployments/kubehound/docker-compose.dev.ingestor.yaml
@@ -9,6 +9,10 @@ services:
 - "127.0.0.1:9000:9000"
 networks:
 - kubenet
+ env_file:
+ - kubehound.env
+ labels:
+ com.datadoghq.ad.logs: '[{"app": "grpc", "service": "kubehound"}]'
 networks:
 kubenet:
diff --git a/deployments/kubehound/docker-compose.release.ingestor.yaml b/deployments/kubehound/docker-compose.release.ingestor.yaml
index 9fc3b7d73..b5fab0a64 100644
--- a/deployments/kubehound/docker-compose.release.ingestor.yaml
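Review bot: `env_file: - kubehound.env` makes `docker compose` abort at startup when `deployments/kubehound/kubehound.env` does not exist, and this patch only ships the `kubehound.env.tpl` template, so a fresh checkout of the dev stack no longer starts until the user copies it by hand; the release compose hunk takes the same dependency. If the file is meant to be optional for local development, recent Compose v2 releases accept the long form `- path: kubehound.env` followed by `required: false` in place of the bare entry. On the `com.datadoghq.ad.logs` label, Datadog's documented keys for the log integration are `source` and `service`; `app` is not a key I recognise, so if the intent is to route these logs through the grpc source it should read `'[{"source": "grpc", "service": "kubehound"}]'` — confirm against the pipeline this label is meant to feed. The enclosing service definition starts before this hunk.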
+++ b/deployments/kubehound/docker-compose.release.ingestor.yaml
@@ -7,21 +7,8 @@ services:
 - "127.0.0.1:9000:9000"
 networks:
 - kubenet
- environment:
- # Custom config for docker compose environment
- - KH_MONGODB_URL=mongodb://mongodb:27017
- - KH_JANUSGRAPH_URL=ws://kubegraph:8182/gremlin
- # Default config
- - KH_INGESTOR_API_ENDPOINT=0.0.0.0:9000
- - KH_INGESTOR_TEMP_DIR=/tmp/kubehound
- - KH_INGESTOR_MAX_ARCHIVE_SIZE=2147483648 # 2GB
- - KH_INGESTOR_ARCHIVE_NAME=archive.tar.gz
- # AWS Bucket configuration
- - KH_INGESTOR_REGION=us-east-1
- - KH_INGESTOR_BUCKET_URL= # s3://
- - AWS_ACCESS_KEY_ID=
- - AWS_SECRET_ACCESS_KEY=
- - AWS_SESSION_TOKEN= # for aws-vault generated credentials
+ env_file:
+ - kubehound.env
 networks:
 kubenet:
diff --git a/deployments/kubehound/kubehound.env.tpl b/deployments/kubehound/kubehound.env.tpl
new file mode 100644
index 000000000..da31fb326
--- /dev/null
+++ b/deployments/kubehound/kubehound.env.tpl
@@ -0,0 +1,14 @@
+# Custom config for docker compose environment
+KH_MONGODB_URL=mongodb://mongodb:27017
+KH_JANUSGRAPH_URL=ws://kubegraph:8182/gremlin
+# Default config
+KH_INGESTOR_API_ENDPOINT=0.0.0.0:9000
+KH_INGESTOR_TEMP_DIR=/tmp/kubehound
+KH_INGESTOR_MAX_ARCHIVE_SIZE=2147483648 # 2GB
+KH_INGESTOR_ARCHIVE_NAME=archive.tar.gz
+# AWS Bucket configuration
+KH_INGESTOR_REGION=us-east-1
+KH_INGESTOR_BUCKET_URL="" # s3://
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_SESSION_TOKEN= # for aws-vault generated credentials
diff --git a/docs/khaas/deployment.md b/docs/khaas/deployment.md
index 87661904b..78a78aa2f 100644
--- a/docs/khaas/deployment.md
+++ b/docs/khaas/deployment.md
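Review bot: The filled-in copy of this template, `deployments/kubehound/kubehound.env`, will hold `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`, yet nothing in this patch excludes it from version control; unless an existing `.gitignore` entry already covers it (not visible here), add `deployments/kubehound/kubehound.env` there and open the template with a comment such as `# Copy to kubehound.env and fill in the values; the filled-in file must not be committed`. The file name also disagrees with `docs/khaas/deployment.md` in this same patch, which points users at `kubehound.env.template`, so one of the two needs to change. Trailing inline comments such as `KH_INGESTOR_MAX_ARCHIVE_SIZE=2147483648 # 2GB` and `AWS_SESSION_TOKEN= # for aws-vault generated credentials` are only stripped by Compose v2's env-file parser; older Compose or other dotenv readers may keep ` # 2GB` as part of the value, so putting each comment on its own line above the variable is safer.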
@@ -6,7 +6,7 @@
 ## Docker deployment
-To run the KubeHound as a Service with `docker` just use the following [compose files](https://github.com/DataDog/KubeHound/tree/main/deployments/kubehound):
+To run the KubeHound as a Service with `docker` just use the following [compose files](https://github.com/DataDog/KubeHound/tree/main/deployments/kubehound). First you need to set the environment variables in the `kubehound.env` file. There is a template file `kubehound.env.template` that you can use as a reference.
 ```bash
 cd ./deployments/kubehound
diff --git a/docs/user-guide/khaas-101.md b/docs/user-guide/khaas-101.md
deleted file mode 100644
index ade1ecb21..000000000
--- a/docs/user-guide/khaas-101.md
+++ /dev/null
@@ -1,142 +0,0 @@ -# KubeHound as a Service (KHaaS) - -KHaaS enables you to use KubeHound in a distributive way. It is being splitted in 2 main categories: - -- The ingestor stack which includes the `graphdb`, `storedb`, `UI` and `grpc endpoint`. -- The collector (the kubehound binary) which will dump and send the k8s resources to the KHaaS `grpc endpoint`. - -[![](../images/khaas-architecture.png)](../images/khaas-architecture.png) - -!!! note - - You need to deploy the data storage you want to use ([AWS s3 in our example](https://github.com/DataDog/KubeHound/tree/main/deployments/terraform)). - -## Deploying KHaaS - Ingestor stack - -### Docker deployment - -To run the KubeHound as a Service with `docker` just use the following [compose files](https://github.com/DataDog/KubeHound/tree/main/deployments/kubehound): - -```bash -cd ./deployments/kubehound -docker compose -f docker-compose.yaml -f docker-compose.release.yaml -f docker-compose.release.ingestor.yaml up -d -``` - -By default the endpoints are only exposed locally: - -- `127.0.0.1:9000` for ingestor endpoint. -- `127.0.0.1:8888` for the UI. - -!!! warning - - You should change the default password by editing `NOTEBOOK_PASSWORD=` in the `docker-compose.yaml` - -### k8s deployment - -To run the KubeHound as a Service on Kubernetes just use the following [helm files](https://github.com/DataDog/KubeHound/tree/main/deployments/k8s): - -```bash -cd ./deployments/k8s -helm install khaas khaas --namespace khaas --create-namespace -``` - -If it succeeded you should see the deployment listed: - -```bash -$ helm ls -A -NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -khaas khaas 1 2024-07-30 19:04:37.0575 +0200 CEST deployed kubehound-0.0.1 -``` - -!!! warning - - This is an example to deploy KubeHound as a Service in k8s cluster, but you will need to adapt it to your own environment. 
- -## KubeHound collector - -In order to use `kubehound` with KHaaS, you need to specify the api endpoint you want to use: - -- `--khaas-server` from the inline flags (by default `127.0.0.1:9000`) - -Since this is not likely to change in your environment, we advise you to use the local config file. By default KubeHound will look for `./kubehound.yaml` or `$HOME/.config/kubehound.yaml`. As example here we set the default endpoint with disabled SSL. - -```yaml -ingestor: - api: - endpoint: "127.0.0.1:9000" - insecure: true -``` - -!!! note - - You can use [kubehound-reference.yaml](https://github.com/DataDog/KubeHound/blob/main/configs/etc/kubehound-reference.yaml) as an example which list every options. - -!!! warning "deprecated" - - The `kubehound-ingestor` has been deprecated since **v1.5.0** and renamed to `kubehound-binary`. - -### Dump and ingest - -In order to use the collector with KHaaS you need to specify the cloud location you want to dump the k8s resources: - -- `--bucket` from the inline flags (i.e. `s3://`). There is no default value for security reason. -- `--region` from the inline flags (i.e. `us-east-1`) to set the region to retrieve the configuration (only for s3). - -!!! warning - - The `kubehound` binary needs to have push access to your cloud storage provider. - -If you don't want to specify the bucket every time, you can set it up in your local config file. -(`./kubehound.yaml` or `$HOME/.config/kubehound.yaml`). - -```yaml -ingestor: - blob: - # (i.e.: s3://) - bucket_url: "" - # (i.e.: us-east-1) - region: "" -``` - -!!! note - - You can use [kubehound-reference.yaml](https://github.com/DataDog/KubeHound/blob/main/configs/etc/kubehound-reference.yaml) as an example which list every options. - -Once everything is configured you just run the following, it will: - -- **dump the k8s resources** to the cloud storage provider. -- send a grpc call to **run the ingestion on the KHaaS** grpc endpoint. 
- -```bash -kubehound dump remote -``` - -or with the flags (for AWS s3): - -```bash -kubehound dump remote --khaas-server 127.0.0.1:9000 --insecure --bucket s3:// --region us-east-1 -``` - -!!! note - - The ingestion will dump the current cluster being setup, if you want to skip the interactive mode, just specify `-y` or `--non-interactive` - -### Manual ingestion - -If you want to rehydrate (reingesting all the latest clusters dumps), you can use the `ingest` command to run it. - -```bash -kubehound ingest remote -``` - -or with the flags: - -```bash -kubehound ingest remote --khaas-server 127.0.0.1:9000 --insecure -``` - -You can also specify a specific dump by using the `--cluster` and `run_id` flags. - -```bash -kubehound ingest remote --cluster my-cluster-1 --run_id 01htdgjj34mcmrrksw4bjy2e94 -```