Auditbeat 8.11 throws an error when installed as a k8 daemonset with cgroup v2.
DEBUG [gosigar_cid_provider] add_process_metadata/gosigar_cid_provider.go:63 failed to get cgroups for pid=1395: failed to read cgroups for pid=1395: error fetching cgroupV2 controllers.
It works only when `privileged: true` is set. We have tried several other options, such as running as root, but still no go. Does Auditbeat need to run in privileged mode to get container ID information?
```yaml
securityContext:
  runAsUser: 0
  # If using Red Hat OpenShift uncomment this:
  #privileged: true
  capabilities:
    add:
      # Capabilities needed for auditd module
      # - 'AUDIT_READ'
      # - 'AUDIT_WRITE'
      # - 'AUDIT_CONTROL'
      - 'ALL'
```
Please find the process config:

```yaml
- add_process_metadata:
    match_pids: ['process.pid']
    include_fields: ['container.id']
    # cgroup_regex: '^.+cri-containerd.([0-9a-f]{64}).*'
    # cgroup_cache_expire_time: "0"
- add_kubernetes_metadata:
    host: ${NODE_NAME}
    default_indexers.enabled: false
    default_matchers.enabled: false
    indexers:
      - container:
      # - pod_name:
    matchers:
      - fields.lookup_fields: ['container.id']
```