Minikube not adding add_kubernetes_metadata

Hello,
I am trying to run auditbeat on minikube, but Kubernetes metadata is not added to events.
Do you know what the correct configuration should be, please?

Here is my config:

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: auditbeat-config
  namespace: kube-system
  labels:
    k8s-app: auditbeat
data:
  auditbeat.yml: |-
    auditbeat.modules:
    - module: auditd
      audit_rules: |
        -w /etc/passwd -p wa -k identity
        -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
        -a always,exit -F arch=b64 -S execve,execveat -k exec


    processors:
      - add_kubernetes_metadata:
         host: ${NODE_NAME}

    output.file:
      path: "/var/auditbeat/logs"
      filename: auditbeat
      rotate_every_kb: 20000
      number_of_files: 2
      permissions: 0644

---
# Deploy an auditbeat instance per node for node metrics retrieval
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: auditbeat
  namespace: kube-system
  labels:
    k8s-app: auditbeat
spec:
  selector:
    matchLabels:
      k8s-app: auditbeat
  template:
    metadata:
      labels:
        k8s-app: auditbeat
    spec:
      serviceAccountName: auditbeat
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      hostPID: true
      containers:
      - name: auditbeat
        image: docker.elastic.co/beats/auditbeat:7.5.1
        args: [
          "-c", "/etc/auditbeat.yml",
          "-e",
          "-d", "*",
        ]
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["AUDIT_CONTROL", "AUDIT_READ"]
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/auditbeat.yml
          readOnly: true
          subPath: auditbeat.yml
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: auditbeat-config
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auditbeat
subjects:
- kind: ServiceAccount
  name: auditbeat
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: auditbeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: auditbeat
  labels:
    k8s-app: auditbeat
rules:
- apiGroups: [""]
  resources:
  - nodes
  - namespaces
  - pods
  - events
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: auditbeat
  namespace: kube-system
  labels:
    k8s-app: auditbeat
---

In the debug log I can see that the add_kubernetes_metadata processor is generated and pods are discovered, but then no metadata is added:

2020-01-07T10:11:02.593Z	INFO	add_kubernetes_metadata/kubernetes.go:68	add_kubernetes_metadata: kubernetes env detected, with version: v1.17.0
2020-01-07T10:11:02.593Z	INFO	kubernetes/util.go:79	kubernetes: Using node minikube provided in the config
2020-01-07T10:11:02.593Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:138	Initializing a new Kubernetes watcher using host: minikube
2020-01-07T10:11:02.696Z	DEBUG	[kubernetes]	kubernetes/watcher.go:241	cache sync done
2020-01-07T10:11:02.697Z	DEBUG	[processors]	processors/processor.go:101	Generated new processors: add_kubernetes_metadata
2020-01-07T10:11:02.703Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/storage-provisioner
2020-01-07T10:11:02.704Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/coredns-6955765f44-2dpv8
2020-01-07T10:11:02.706Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/etcd-minikube
2020-01-07T10:11:02.717Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/kube-addon-manager-minikube
2020-01-07T10:11:02.717Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/kube-controller-manager-minikube
2020-01-07T10:11:02.718Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/kube-scheduler-minikube
2020-01-07T10:11:02.718Z	DEBUG	[kubernetes]	add_kubernetes_metadata/kubernetes.go:156	add_kubernetes_metadata: adding pod: kube-system/auditbeat-zflhb


2020-01-07T10:11:34.841Z        DEBUG   [processors]    processing/processors.go:186    Publish event: {
  "@timestamp": "2020-01-07T10:11:34.833Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "7.5.1"
  },
  "service": {
    "type": "auditd"
  },
  "ecs": {
    "version": "1.1.0"
  },
  "host": {
    "name": "auditbeat-zflhb"
  },
  "user": {
    "saved": {
      "id": "0",
      "name": "root",
      "group": {
        "id": "0",
        "name": "root"
      }
    },
    "name": "root",
    "effective": {
      "name": "root",
      "id": "0",
      "group": {
        "id": "0",
        "name": "root"
      }
    },
    "selinux": {
      "user": "kernel"
    },
    "filesystem": {
      "group": {
        "id": "0",
        "name": "root"
      },
      "id": "0",
      "name": "root"
    },
    "id": "0",
    "group": {
      "id": "0",
      "name": "root"
    }
  },
  "tags": [
    "exec"
  ],
  "file": {
    "path": "/usr/bin/cat",
    "gid": "0",
    "device": "00:00",
    "owner": "root",
    "selinux": {
      "user": "unlabeled"
    },
    "group": "root",
    "inode": "5759839",
    "mode": "0755",
    "uid": "0"
  },
  "auditd": {
    "paths": [
      {
        "dev": "00:e4",
        "nametype": "NORMAL",
        "ogid": "0",
        "ouid": "0",
        "rdev": "00:00",
        "cap_fi": "0000000000000000",
        "name": "/usr/bin/cat",
        "cap_fe": "0",
        "mode": "0100755",
        "obj_user": "unlabeled",
        "cap_fver": "0",
        "inode": "5759839",
        "item": "0",
        "cap_fp": "0000000000000000"
      },
      {
        "dev": "00:e4",
        "item": "1",
        "ogid": "0",
        "inode": "5761686",
        "name": "/lib64/ld-linux-x86-64.so.2",
        "nametype": "NORMAL",
        "obj_user": "unlabeled",
        "mode": "0100755",
        "rdev": "00:00",
        "cap_fe": "0",
        "cap_fi": "0000000000000000",
        "cap_fp": "0000000000000000",
        "cap_fver": "0",
        "ouid": "0"
      }
    ],
    "message_type": "syscall",
    "sequence": 180,
    "result": "success",
    "data": {
      "pi": "00000020e80425fb",
      "old_pp": "00000020e80425fb",
      "fe": "0",
      "old_pe": "00000020e80425fb",
      "arch": "x86_64",
      "pe": "00000020e80425fb",
      "syscall": "execve",
      "tty": "pts0",
      "old_pa": "0000000000000000",
      "old_pi": "00000020e80425fb",
      "argc": "2",
      "exit": "0",
      "a3": "0",
      "a1": "c00000dd60",
      "a0": "c00007af10",
      "a2": "c0000e27e0",
      "pp": "00000020e80425fb",
      "pa": "0000000000000000",
      "fi": "0000000000000000",
      "fp": "0000000000000000",
      "fver": "0"
    },
    "summary": {
      "actor": {
        "secondary": "root",
        "primary": "unset"
      },
      "object": {
        "primary": "/usr/bin/cat",
        "type": "file"
      },
      "how": "/usr/bin/cat"
    }
  },
  "agent": {
    "ephemeral_id": "a30166dd-3759-4f24-ad74-7680ded60640",
    "hostname": "auditbeat-zflhb",
    "id": "9113ca40-a989-4bda-99fa-974d37fad1e3",
    "version": "7.5.1",
    "type": "auditbeat"
  },
  "event": {
    "category": "audit-rule",
    "action": "executed",
    "outcome": "success",
    "module": "auditd"
  },
  "process": {
    "name": "cat",
    "executable": "/usr/bin/cat",
    "working_directory": "/usr/share/auditbeat",
    "args": [
      "cat",
      "fffff"
    ],
    "pid": 16629,
    "ppid": 16620,
    "title": "cat fffff"
  }
}

There is only add_cloud_metadata in the auditbeat deployment for Kubernetes:
https://github.com/elastic/beats/blob/master/deploy/kubernetes/auditbeat-kubernetes.yaml

Thank you.
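As an added illustration (not code from the post or from Beats), the following Python models the indexer/matcher logic behind add_kubernetes_metadata: pods reported by the watcher are indexed under lookup keys, and an event is annotated only when a matcher can extract one of those keys from it. It assumes a `container` indexer with a `fields` matcher on `container.id`; the pod and the auditd event are constructed from values in the post, with a placeholder container id.

```python
# Added illustration, not Beats code: how add_kubernetes_metadata decides whether
# to annotate an event. An indexer turns each watched pod into lookup keys, a
# matcher pulls a key out of each event, kubernetes.* is added only when they meet.

def get_path(event, path):
    """Resolve a dotted field name such as 'container.id' in a nested dict."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def build_index(pods):
    """Like the 'container' indexer: one lookup key per container id per pod."""
    index = {}
    for pod in pods:  # the "adding pod: ..." lines in the debug log
        meta = {"pod": {"name": pod["name"]}, "namespace": pod["namespace"]}
        for c in pod["containers"]:
            index[c["id"]] = {"kubernetes": {**meta, "container": {"name": c["name"]}}}
    return index

def match_fields(event, lookup_fields):
    """Like the 'fields' matcher: the first populated lookup field is the key."""
    for field in lookup_fields:
        value = get_path(event, field)
        if value:
            return str(value)
    return None

def annotate(index, event, lookup_fields=("container.id",)):
    """Merge kubernetes.* into the event, or return it unchanged if no key matched."""
    key = match_fields(event, lookup_fields)
    if key is None or key not in index:
        return event  # the silent outcome seen in the post: event published as-is
    return {**event, **index[key]}

# Constructed sample: the auditbeat pod from the watcher log, with a placeholder
# container id (the post does not show one).
PODS = [{"name": "auditbeat-zflhb", "namespace": "kube-system",
         "containers": [{"name": "auditbeat", "id": "CONSTRUCTED-CONTAINER-ID"}]}]
INDEX = build_index(PODS)

# Shape of the published auditd event: process and file fields, but no
# container id or IP:port that a matcher could turn into a lookup key.
AUDITD_EVENT = {"process": {"pid": 16629, "executable": "/usr/bin/cat"},
                "file": {"path": "/usr/bin/cat"}, "host": {"name": "auditbeat-zflhb"}}
# The same event once some earlier processing step has supplied the container id.
ENRICHED_EVENT = {**AUDITD_EVENT, "container": {"id": "CONSTRUCTED-CONTAINER-ID"}}
```

Running `annotate(INDEX, AUDITD_EVENT)` returns the event untouched, which is exactly what the published event above shows; only `ENRICHED_EVENT`, which carries a key the index knows, gains `kubernetes.*`.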

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.