Anyone use osquery in k8s at all?
# generalz
Zach Zeid
04/13/2020, 3:00 PMAnyone use osquery in k8s at all?
s
seph
04/13/2020, 3:09 PM
I have. Others have.
z
Zach Zeid
04/13/2020, 3:25 PMtryna understand a gap analysis between falco and osquery
s
sundsta
04/13/2020, 3:34 PMFalco is syscalls only. That misses a lot of what osquery offers
z
Zach Zeid
04/13/2020, 4:47 PMAre people using kube-query for osquery in k8s?
j
Jams
04/13/2020, 5:03 PMKube-query?
z
Zach Zeid
04/13/2020, 5:04 PMs
seph
04/13/2020, 5:05 PM
a lot is going to depend on what you’re doing, and what levels of beta and code you can commit to.
Using osquery to pull info about the k8s deployment, is different than using it to pull information about a running container is different tha pulling into about another container.
seph
04/13/2020, 5:06 PM
kube-query looks like an extension to pull metadata about the cluster. That’s kinda neat.
seph
04/13/2020, 5:06 PM
I’m pretty sure there are some docker tables in osquery, and there’s some ongoing work to improve visibility into other containers
seph
04/13/2020, 5:07 PM
I feel like I’ve seen another k8s extension, but I don’t keep those links
z
Zach Zeid
04/13/2020, 5:17 PMIm asking because we have a team looking at Falco and I'm trying to understand what key differences there are between osquery and falco
s
seph
04/13/2020, 5:20 PM
Falco being syscalls is a big thing.
z
Zach Zeid
04/13/2020, 5:20 PMas a positive?
s
seph
04/13/2020, 5:21 PM
Just big difference.
seph
04/13/2020, 5:21 PM
Depends what you're trying to monitor.
z
Zach Zeid
04/13/2020, 5:29 PMdoes osquery not rely on syscalls? I thought it always used eBPF
s
seph
04/13/2020, 5:33 PM
osquery presents a sql interface to various OS and application APIs. Those conversations have been written by various people. See https://osquery.io/schema/4.2.0/ for the list of information.
seph
04/13/2020, 5:33 PM
There is some work to create more generalized BPF tooling.
z
Zach Zeid
04/13/2020, 5:39 PMI think I understand. My assumption was that osquery did (or at least could be configured) to use eBPF. That doesn't appear to be the case.
s
seph
04/13/2020, 5:46 PM
It’s pretty beta. I can’t really speak to it
z
Zach Zeid
04/13/2020, 5:47 PMGot it. Thank you for taking the time to answer my questions. This was incredibly helpful.
b
burdz
04/13/2020, 10:18 PMWe do not run any k8s specific tables (although have looked at kube-query along with extending/writing our own impl) however we do run osquery all of our clusters as a Daemonsets (with some mounts/perms that gives it more visibility into the node is it monitoring).
s
seph
04/13/2020, 10:34 PM
You may be interested in the upcoming container tables
m
Mike
04/14/2020, 2:45 AM@burdz interesting to know that we can install osquery via Daemonset, can you please share the yaml file for it
s
SK
04/14/2020, 7:15 AM@burdz Also interested to know about your Daemonset implementation, we already have some basic k8s visibility.
b
burdz
04/14/2020, 7:14 PMcertainly! let me clean up the yaml (littered with our helm tpls) and I can share it. I can also talk about some of the ideas we were thinking about for extentions to gain more visibility into our clusters. early days in our journey currently but definitely looking forward expanding our usage of it to monitoring our kube environments
s
seph
04/14/2020, 7:17 PM
https://github.com/osquery/osquery/pull/6209 and associated are the things y’all may be interested in
🦜 1
b
burdz
05/02/2020, 3:54 AMapologizes my family had a close call with the global pandemic and I am just getting back to work now. I will share our configuration soon.
15 Views