#fleet
thomaseldredge

03/29/2021, 5:29 PM
I've been testing kubequery to see if I can query it from fleetdm and I'm not sure if I'm on the right track. I'm using https://github.com/Uptycs/kubequery with a modified configmap with cert and secret and whatnot. Seems like something is happening because the cluster shows up in fleetdm as kind of a 'ghost host' with no information. The problem might be osquery on the pod, but I'm not sure. I can shell into the pod and get an osqueryi terminal, but from there it can't seem to load the extension, so it just has the osquery tables. Sorry if this isn't specific to fleetdm, but I figured anyone who could help steer me in the right direction with kubequery/fleetdm would probably be here.
zwass

03/30/2021, 6:42 PM
I was able to successfully get kubequery connected a few weeks ago when it was announced, but it did seem to have some reliability issues with the extension connection (https://github.com/Uptycs/kubequery/issues/11). The hosts are probably ending up with empty details because they've removed all of the osquery tables in "basequery" (https://github.com/Uptycs/kubequery/commit/3f327e5b40bff5f8c737a5c936369112ca7505c4) and that's what Fleet uses to populate the host details. Maybe some results can be added for system_info and osquery_info tables? cc @Seshu
Jocelyn Bothe

04/01/2021, 5:02 PM
We had a lot of trouble with Uptycs' kubequery, but were ultimately successful with Aqua's kube-query https://blog.aquasec.com/kube-query-osquery-kubernetes-clusters
zwass

zwass

04/01/2021, 5:30 PM
Interesting. I did not know that Aqua had a kubequery!
Seshu

04/01/2021, 5:45 PM
Correct @zwass. I switched kubequery to use basequery. Basequery does not have most of the Osquery-related tables, which are not relevant in the context of a kubernetes cluster deployment set. During enroll kubequery sends osquery_info and kubernetes_info. If the back-end expects other information, it might not work. Regarding the extension timeout, I increased timeouts. Not sure if that resolved your issue or not, but I could not reproduce it locally with an identical setup. If it is still happening with the latest version, please ping me. Yes, aqua has a Kube-Query, but it seems incomplete and not maintained. But if it works for you 👍 Will be happy to look at any issues you have with kubequery. Feel free to open issues here: https://github.com/Uptycs/kubequery/issues
zwass

04/01/2021, 5:54 PM
During enroll kubequery sends osquery_info and kubernetes_info
That would explain why those entries have an osquery version. The rest of the columns would usually be populated from os_version and system_info tables. We can have a look at supporting grabbing info from that kubernetes_info table.