If not a root account, the kubernetes metadata is not generated

kyungseok · September 16, 2020, 8:08am

Hello,
I am trying to run auditbeat on kubernetes cluster
But kubernetes metadata are not added to events when I run application with not a root account

Below is a debug messages

2020-09-16T04:59:16.435Z DEBUG [add_process_metadata] add_process_metadata/add_process_metadata.go:195 failed to get process metadata for PID=11776: readlink /proc/11776/exe: permission denied {"instance_id": 1}

2020-09-16T04:59:16.435Z DEBUG [processors] processing/processors.go:112 Fail to apply processor global{add_host_metadata=[netinfo.enabled=[true], cache.ttl=[5m0s]], add_process_metadata=[match_pids=[system.process.pid process.ppid process.parent.pid process.parent.ppid], mappings={"container.id":"container.id"}, ignore_missing=false, overwrite_fields=true, restricted_fields=true, host_path=/, cgroup_prefixes=[/kubepods /docker]], add_kubernetes_metadata}: process not found

It seems that the approach to the /proc/* path is only possible root account.
Is there any way to check k8s metadata with an account other than the root?

Thanks

mtojek · September 16, 2020, 10:04am

You need to dive deeper into cgroups, namespaces and general system permissions. It's not an issue with Beats.

kyungseok · September 17, 2020, 5:29am

Yes, thank you for your reply.

There is no access to the /proc/* path through the non-root account
so non-root account don't use the add_process_metadata function.

Is there any way to solve this?

mtojek · September 17, 2020, 7:38am

As I said this is not an issue with Beats, it's just system configuration. Please reach out to your cluster administrator.

system · October 15, 2020, 9:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.