Hi Team, is there a way we can make use of osquery in a Kubernetes environment where it runs as a container? As I see it, even if we run it as a container, the scope of the query will be limited to the pod it is running in. Is there a way we can avoid this? Are there any guidelines or documentation for containerising osquery?
07/05/2022, 1:23 PM
It's been a while since I've made heavy use of k8s, but IIRC there should be a way to grant a pod higher permissions?
07/05/2022, 4:25 PM
I'm not sure exactly what the permissions in K8s would relate to, but the issue I see is that it works as intended, in the sense that the container (and the namespaces it uses) is normally meant to section off/limit the view of the process within.
Like, a Docker container has its own root filesystem hierarchy which is rooted somewhere on the host, and the process running in the container will only see that.
osquery would need to run at a higher level (on the host), or a parent namespace.
But I'm not sure how this would translate with K8s.
Anoop K V
07/06/2022, 6:41 AM
Thanks for all the responses. If the entire solution is getting containerised, privileges alone might not help here. Even the different virtual tables need to be populated from other pods. For example, the OS version needs to be grabbed from a different pod than the node/host it is running on. Can osquery help in this kind of scenario?