Minikube not adding add_kubernetes_metadata

vaclav · January 7, 2020, 12:15pm

Hello,
I am trying to run auditbeat on minikube, but kubernetes metadata are not added to events.
Do you please know what should be correct configuration ?

here is my config:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: auditbeat-config
  namespace: kube-system
  labels:
    k8s-app: auditbeat
data:
  auditbeat.yml: |-
    auditbeat.modules:
    - module: auditd
      audit_rules: |
        -w /etc/passwd -p wa -k identity
        -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
        -a always,exit -F arch=b64 -S execve,execveat -k exec


    processors:
      - add_kubernetes_metadata:
         host: ${NODE_NAME}

    output.file:
      path: "/var/auditbeat/logs"
      filename: auditbeat
      rotate_every_kb: 20000
      number_of_files: 2
      permissions: 0644

---
# Deploy a auditbeat instance per node for node metrics retrieval
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: auditbeat
  namespace: kube-system
  labels:
    k8s-app: auditbeat
spec:
  selector:
    matchLabels:
      k8s-app: auditbeat
  template:
    metadata:
      labels:
        k8s-app: auditbeat
    spec:
      serviceAccountName: auditbeat
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      hostPID: true
      containers:
      - name: auditbeat
        image: docker.elastic.co/beats/auditbeat:7.5.1
        args: [
          "-c", "/etc/auditbeat.yml",
          "-e",
          "-d", "*",
        ]
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["AUDIT_CONTROL", "AUDIT_READ"]
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/auditbeat.yml
          readOnly: true
          subPath: auditbeat.yml
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: auditbeat-config
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auditbeat
subjects:
- kind: ServiceAccount
  name: auditbeat
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: auditbeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: auditbeat
  labels:
    k8s-app: auditbeat
rules:
- apiGroups: [""]
  resources:
  - nodes
  - namespaces
  - pods
  - events
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: auditbeat
  namespace: kube-system
  labels:
    k8s-app: auditbeat
---

in debug log I can see that add_kubernetes_metadata processor is generated, pods are discovered and than no metadata added

2020-01-07T10:11:02.593Z	INFO	add_kubernetes_metadata/kubernetes.go:68	add_kubernetes_metadata: kubernetes env detected, with version: v1.17.0
2020-01-07T10:11:02.593Z	INFO	kubernetes/util.go:79	kubernetes: Using node minikube provided in the config
2020-01-07T10:11:02.593Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:138	Initializing a new Kubernetes watcher using host: minikube
2020-01-07T10:11:02.696Z	DEBUG	[kubernetes]	kubernetes/watcher.go:241	cache sync done
2020-01-07T10:11:02.697Z	DEBUG	[processors]	processors/processor.go:101	Generated new processors: add_kubernetes_metadata
2020-01-07T10:11:02.703Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/storage-provisioner
2020-01-07T10:11:02.704Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/coredns-6955765f44-2dpv8
2020-01-07T10:11:02.706Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/etcd-minikube
2020-01-07T10:11:02.717Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/kube-addon-manager-minikube
2020-01-07T10:11:02.717Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/kube-controller-manager-minikube
2020-01-07T10:11:02.718Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/kube-scheduler-minikube
2020-01-07T10:11:02.718Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/auditbeat-zflhb


2020-01-07T10:11:34.841Z        DEBUG   [processors]    processing/processors.go:186    Publish event: {
  "@timestamp": "2020-01-07T10:11:34.833Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "7.5.1"
  },
  "service": {
    "type": "auditd"
  },
  "ecs": {
    "version": "1.1.0"
  },
  "host": {
    "name": "auditbeat-zflhb"
  },
  "user": {
    "saved": {
      "id": "0",
      "name": "root",
      "group": {
        "id": "0",
        "name": "root"
      }
    },
    "name": "root",
    "effective": {
      "name": "root",
      "id": "0",
      "group": {
        "id": "0",
        "name": "root"
      }
    },
    "selinux": {
      "user": "kernel"
    },
    "filesystem": {
      "group": {
        "id": "0",
        "name": "root"
      },
      "id": "0",
      "name": "root"
    },
    "id": "0",
    "group": {
      "id": "0",
      "name": "root"
    }
  },
  "tags": [
    "exec"
  ],
  "file": {
    "path": "/usr/bin/cat",
    "gid": "0",
    "device": "00:00",
    "owner": "root",
    "selinux": {
      "user": "unlabeled"
    },
    "group": "root",
    "inode": "5759839",
    "mode": "0755",
    "uid": "0"
  },
  "auditd": {
    "paths": [
      {
        "dev": "00:e4",
        "nametype": "NORMAL",
        "ogid": "0",
        "ouid": "0",
        "rdev": "00:00",
        "cap_fi": "0000000000000000",
        "name": "/usr/bin/cat",
        "cap_fe": "0",
        "mode": "0100755",
        "obj_user": "unlabeled",
        "cap_fver": "0",
        "inode": "5759839",
        "item": "0",
        "cap_fp": "0000000000000000"
      },
      {
        "dev": "00:e4",
        "item": "1",
        "ogid": "0",
        "inode": "5761686",
        "name": "/lib64/ld-linux-x86-64.so.2",
        "nametype": "NORMAL",
        "obj_user": "unlabeled",
        "mode": "0100755",
        "rdev": "00:00",
        "cap_fe": "0",
        "cap_fi": "0000000000000000",
        "cap_fp": "0000000000000000",
        "cap_fver": "0",
        "ouid": "0"
      }
    ],
    "message_type": "syscall",
    "sequence": 180,
    "result": "success",
    "data": {
      "pi": "00000020e80425fb",
      "old_pp": "00000020e80425fb",
      "fe": "0",
      "old_pe": "00000020e80425fb",
      "arch": "x86_64",
      "pe": "00000020e80425fb",
      "syscall": "execve",
      "tty": "pts0",
      "old_pa": "0000000000000000",
      "old_pi": "00000020e80425fb",
      "argc": "2",
      "exit": "0",
      "a3": "0",
      "a1": "c00000dd60",
      "a0": "c00007af10",
      "a2": "c0000e27e0",
      "pp": "00000020e80425fb",
      "pa": "0000000000000000",
      "fi": "0000000000000000",
      "fp": "0000000000000000",
      "fver": "0"
    },
    "summary": {
      "actor": {
        "secondary": "root",
        "primary": "unset"
      },
      "object": {
        "primary": "/usr/bin/cat",
        "type": "file"
      },
      "how": "/usr/bin/cat"
    }
  },
  "agent": {
    "ephemeral_id": "a30166dd-3759-4f24-ad74-7680ded60640",
    "hostname": "auditbeat-zflhb",
    "id": "9113ca40-a989-4bda-99fa-974d37fad1e3",
    "version": "7.5.1",
    "type": "auditbeat"
  },
  "event": {
    "category": "audit-rule",
    "action": "executed",
    "outcome": "success",
    "module": "auditd"
  },
  "process": {
    "name": "cat",
    "executable": "/usr/bin/cat",
    "working_directory": "/usr/share/auditbeat",
    "args": [
      "cat",
      "fffff"
    ],
    "pid": 16629,
    "ppid": 16620,
    "title": "cat fffff"
  }
}

there are only add_cloud_metadata in auditbeat deployment for kubernetes
https://github.com/elastic/beats/blob/master/deploy/kubernetes/auditbeat-kubernetes.yaml

thank you

system · January 28, 2020, 12:15pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat doesn't embed kubernetes metadata in the events Beats auditbeat	2	407	August 23, 2019
Packetbeat does not add kubernetes metadata Beats packetbeat	2	749	September 17, 2020
Filebeat not adding kubernetes metadata Beats docker , filebeat	1	602	February 12, 2019
Kubernetes metadata missing with add_kubernetes_metadata enabled Beats filebeat	7	2789	December 4, 2020
If not a root account, the kubernetes metadata is not generated Beats auditbeat	4	426	October 15, 2020

Minikube not adding add_kubernetes_metadata

Related topics