New component: kubearmor_receiver #22977
Comments
atoulme
added
Sponsor Needed
|
Please clarify if this is a vendor-specific component, as it appears this relates to an open source project. |
|
Yes it is an open source project. I was thinking it qualifies as vendor spscific because it is unique to the project. Thanks for the review. |
|
I can understand the confusion. We don't do a good job explaining what vendor-specific means here. @jpkrohling what is your read on this? |
|
Adding |
|
Okay thank you. |
|
Just to make clear: the strong recommendation from today's SIG meeting was to revise KubeArmor's logger to allow it to send OTLP logs. If this is done, no new receiver would be necessary. |
|
If I understand currently that means instrumenting kubearmor's system to emit otlp logs |
|
Even If I wanted to do that. I would not be able to do that because the golang API and SDK for otel has logs in frozen development |
|
Yup, that makes sense. I think the next best option would be to write a configuration for the collector's filelogreceiver to read and parse the logs from kubearmor. Here's a "basic" JSON example, and there are many examples of parsing many different formats here. |
|
Thank you so much. I considered doing that but I think there is nothing wrong with fetching the logs directly from the relay server and leveraging the kubearmor receiver to convert to otel format without the overhead of managing file rotation and disk usage. |
|
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping |
|
This issue has been closed as inactive because it has been stale for 120 days with no activity. |
The purpose and use-cases of the new component
KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level. It is a CNCF sandbox project.
KubeArmor emits host visibility logs, policy violation alerts and its own application logs geared towards enabling operators to gain more insight into the security posture of their workloads.
This receiver is created as an adapter to make the logs emitted by the kubearmor vendor agnostic for use with backends such as Splunk, grafana, etc.
Link to Grafana dashboard created with receiver:
https://photos.onedrive.com/share/1C7FEA1D6F553A7!2110?cid=1C7FEA1D6F553A7&authkey=!AFBYfP76wrtpzBk&ithint=video&e=cmty14
Log Specification
The lines highlighted show the specification of the logs fetched from kubearmor and collected by the receiver:
Policy violation alerts
https://github.com/kubearmor/KubeArmor/blob/aefa27d827f88560cfbecf719a2734895c5443eb/protobuf/kubearmor.proto#L35-L76
Host visibility logs:
https://github.com/kubearmor/KubeArmor/blob/aefa27d827f88560cfbecf719a2734895c5443eb/protobuf/kubearmor.proto#L79-L111
Kubearmor application logs:
https://github.com/kubearmor/KubeArmor/blob/aefa27d827f88560cfbecf719a2734895c5443eb/protobuf/kubearmor.proto#L13-L25
Design of receiver:
Kubearmor client fetches logs from kubearmor relay server the receiver converts logs to the opentelemetry format.
Example configuration for the component
endpoint= This is the endpoint of the kubearmor relay serverlogfilter= Filter for logs i.e. policy, all, system, kubearmorlogs. It is used to filter the type of kubearmor logs to fetch from the client.Telemetry data types supported
logs
Is this a vendor-specific component?
Sponsor (optional)
No response
Additional context
Link to issue:
kubearmor/KubeArmor#894
The text was updated successfully, but these errors were encountered: