#general

Zach Zeid

04/13/2020, 3:00 PM
Anyone use osquery in k8s at all?
seph

04/13/2020, 3:09 PM
I have. Others have.
Zach Zeid

04/13/2020, 3:25 PM
trying to understand a gap analysis between falco and osquery

sundsta

04/13/2020, 3:34 PM
Falco is syscalls only. That misses a lot of what osquery offers
Zach Zeid

04/13/2020, 4:47 PM
Are people using kube-query for osquery in k8s?
Jams

04/13/2020, 5:03 PM
Kube-query?
Zach Zeid

04/13/2020, 5:04 PM
seph

04/13/2020, 5:05 PM
a lot is going to depend on what you’re doing, and what levels of beta and code you can commit to. Using osquery to pull info about the k8s deployment is different than using it to pull information about a running container, which is different than pulling info about another container.
5:06 PM
kube-query looks like an extension to pull metadata about the cluster. That’s kinda neat.
5:06 PM
I’m pretty sure there are some docker tables in osquery, and there’s some ongoing work to improve visibility into other containers
5:07 PM
I feel like I’ve seen another k8s extension, but I don’t keep those links
Zach Zeid

04/13/2020, 5:17 PM
I'm asking because we have a team looking at Falco and I'm trying to understand what key differences there are between osquery and falco

seph

04/13/2020, 5:20 PM
Falco being syscalls is a big thing.
Zach Zeid

04/13/2020, 5:20 PM
as a positive?
seph

04/13/2020, 5:21 PM
Just big difference.
5:21 PM
Depends what you're trying to monitor.
Zach Zeid

04/13/2020, 5:29 PM
does osquery not rely on syscalls? I thought it always used eBPF
seph

04/13/2020, 5:33 PM
osquery presents a sql interface to various OS and application APIs. Those conversations have been written by various people. See https://osquery.io/schema/4.2.0/ for the list of information.
5:33 PM
There is some work to create more generalized BPF tooling.
Zach Zeid

04/13/2020, 5:39 PM
I think I understand. My assumption was that osquery did (or at least could be configured to) use eBPF. That doesn't appear to be the case.

seph

04/13/2020, 5:46 PM
It’s pretty beta. I can’t really speak to it
Zach Zeid

04/13/2020, 5:47 PM
Got it. Thank you for taking the time to answer my questions. This was incredibly helpful.
burdz

04/13/2020, 10:18 PM
We do not run any k8s specific tables (although we have looked at kube-query along with extending/writing our own impl); however, we do run osquery on all of our clusters as a DaemonSet (with some mounts/perms that give it more visibility into the node it is monitoring).

seph

04/13/2020, 10:34 PM
You may be interested in the upcoming container tables
Mike

04/14/2020, 2:45 AM
@burdz interesting to know that we can install osquery via Daemonset, can you please share the yaml file for it
SK

04/14/2020, 7:15 AM
@burdz Also interested to know about your Daemonset implementation, we already have some basic k8s visibility.
burdz

04/14/2020, 7:14 PM
certainly! let me clean up the yaml (littered with our helm tpls) and I can share it. I can also talk about some of the ideas we were thinking about for extensions to gain more visibility into our clusters. early days in our journey currently but definitely looking forward to expanding our usage of it to monitoring our kube environments

seph

04/14/2020, 7:17 PM
https://github.com/osquery/osquery/pull/6209 and associated are the things y’all may be interested in
burdz

05/02/2020, 3:54 AM
apologies, my family had a close call with the global pandemic and I am just getting back to work now. I will share our configuration soon.