If not a root account, the kubernetes metadata is not generated

I am trying to run auditbeat on kubernetes cluster
But kubernetes metadata are not added to events when I run application with not a root account

Below is a debug messages

2020-09-16T04:59:16.435Z DEBUG [add_process_metadata] add_process_metadata/add_process_metadata.go:195 failed to get process metadata for PID=11776: readlink /proc/11776/exe: permission denied {"instance_id": 1}

2020-09-16T04:59:16.435Z DEBUG [processors] processing/processors.go:112 Fail to apply processor global{add_host_metadata=[netinfo.enabled=[true], cache.ttl=[5m0s]], add_process_metadata=[match_pids=[system.process.pid process.ppid process.parent.pid process.parent.ppid], mappings={"container.id":"container.id"}, ignore_missing=false, overwrite_fields=true, restricted_fields=true, host_path=/, cgroup_prefixes=[/kubepods /docker]], add_kubernetes_metadata}: process not found

It seems that the approach to the /proc/* path is only possible root account.
Is there any way to check k8s metadata with an account other than the root?


You need to dive deeper into cgroups, namespaces and general system permissions. It's not an issue with Beats.

1 Like

Yes, thank you for your reply.

There is no access to the /proc/* path through the non-root account
so non-root account don't use the add_process_metadata function.

Is there any way to solve this?

As I said this is not an issue with Beats, it's just system configuration. Please reach out to your cluster administrator.

1 Like