KubeArmor Relay Server

KubeArmor's relay server collects all messages, alerts, and system logs generated by KubeArmor on each node, and then lets other logging systems collect them through the relay server's Kubernetes service ('kubearmor.kube-system.svc') instead of from every node individually.

By default, the relay server is deployed with KubeArmor.

Figure: KubeArmor Relay Server HLD

Streaming Kubearmor events to external SIEM tools

KubeArmor emits the following types of events:

  1. Alert: emitted when a policy is violated
  2. Log: emitted when a pod executes a syscall or any other monitored action (such as file access, process creation, or network socket create/connect/accept)
  3. Message: internal KubeArmor daemon messages

There are two approaches to streaming KubeArmor events to an external tool:

  1. Using kubearmor-relay stdout: this is the easiest way. If the SIEM tool connects to the Kubernetes pod logging interface, all KubeArmor events (across all nodes) are available on the kubearmor-relay stdout. Fluentd and Microsoft Sentinel support this mode, in which the stdout of the pod is streamed to the SIEM tool.
  2. Creating an adapter for the SIEM tool: kubearmor-relay events can be consumed from its gRPC server (ref code) and then streamed to the SIEM tool (Splunk, ELK, Microsoft Sentinel, ...).
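The adapter below is an added example and is not part of the KubeArmor project: it consumes JSON lines as they appear on kubearmor-relay stdout (approach 1), sorts each line into the Alert/Log/Message types listed above, and renders it as an ArcSight CEF record of the kind most SIEM tools ingest. The sample lines, the JSON field names (Type, PolicyName, Operation, Resource, Message, ...) and the choice of CEF extension keys are assumptions made for the example; the same classification and escaping logic would apply to events received from the relay's gRPC server.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Event holds the fields this adapter reads from one JSON line of
// kubearmor-relay stdout. The field names are what this example assumes
// KubeArmor's alert/log/message JSON to contain; absent fields stay empty.
type Event struct {
	Timestamp     int64  `json:"Timestamp"`
	ClusterName   string `json:"ClusterName"`
	HostName      string `json:"HostName"`
	NamespaceName string `json:"NamespaceName"`
	PodName       string `json:"PodName"`
	ContainerName string `json:"ContainerName"`
	Type          string `json:"Type"`
	Source        string `json:"Source"`
	Operation     string `json:"Operation"`
	Resource      string `json:"Resource"`
	Action        string `json:"Action"`
	Result        string `json:"Result"`
	PolicyName    string `json:"PolicyName"`
	Severity      string `json:"Severity"`
	Level         string `json:"Level"`
	Message       string `json:"Message"`
}

// Kind maps an event onto the three KubeArmor event types named in the README.
// Assumption: an alert carries a PolicyName (Type "MatchedPolicy"), a daemon
// message carries a Message, and everything else is a syscall/telemetry log.
func Kind(ev Event) string {
	switch {
	case ev.PolicyName != "" || ev.Type == "MatchedPolicy":
		return "Alert"
	case ev.Message != "":
		return "Message"
	default:
		return "Log"
	}
}

// CEF header fields escape backslash and pipe; extension values escape
// backslash, equals sign and line breaks. Skipping this would let a
// crafted path or process name inject extra fields into the SIEM record.
var (
	headerEsc = strings.NewReplacer(`\`, `\\`, `|`, `\|`)
	extEsc    = strings.NewReplacer(`\`, `\\`, `=`, `\=`, "\r", `\r`, "\n", `\n`)
)

// ToCEF renders one event as a single CEF line.
func ToCEF(ev Event) string {
	kind := Kind(ev)
	sev := 3 // default for logs and daemon messages
	if kind == "Alert" {
		sev = 5
		// KubeArmor's Severity is a numeric string (1-10), same scale as CEF.
		if n, err := strconv.Atoi(ev.Severity); err == nil && n >= 0 && n <= 10 {
			sev = n
		}
	}
	sig, name := ev.Type, ev.Operation
	if sig == "" {
		sig = kind
	}
	if name == "" {
		name = kind
	}
	var ext []string
	add := func(key, val string) { // only non-empty values are emitted
		if val != "" {
			ext = append(ext, key+"="+extEsc.Replace(val))
		}
	}
	labeled := func(key, label, val string) { // custom string with its label
		if val != "" {
			add(key+"Label", label)
			add(key, val)
		}
	}
	if ev.Timestamp > 0 {
		add("rt", strconv.FormatInt(ev.Timestamp*1000, 10)) // CEF rt is epoch ms
	}
	add("dvchost", ev.HostName)
	add("act", ev.Action)
	add("outcome", ev.Result)
	add("sproc", ev.Source)
	labeled("cs1", "policy", ev.PolicyName)
	labeled("cs2", "namespace", ev.NamespaceName)
	labeled("cs3", "pod", ev.PodName)
	labeled("cs4", "container", ev.ContainerName)
	labeled("cs5", "resource", ev.Resource)
	add("msg", ev.Message)
	return fmt.Sprintf("CEF:0|KubeArmor|relay|0|%s|%s|%d|%s",
		headerEsc.Replace(sig), headerEsc.Replace(name), sev, strings.Join(ext, " "))
}

// Summary reports what the adapter saw in one pass over the stream.
type Summary struct {
	Counts    map[string]int // events per kind
	Malformed int            // lines that were not a JSON object
	Records   []string       // CEF lines ready to forward
}

// ParseStream reads relay stdout line by line; a malformed line is counted
// and skipped rather than stopping the stream.
func ParseStream(r io.Reader) Summary {
	s := Summary{Counts: map[string]int{}}
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // long Data fields
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			s.Malformed++
			continue
		}
		s.Counts[Kind(ev)]++
		s.Records = append(s.Records, ToCEF(ev))
	}
	return s
}

// sampleRelayStdout is constructed for this example: one alert, one log,
// one daemon message and one garbage line.
const sampleRelayStdout = `{"Timestamp":1700000000,"ClusterName":"default","HostName":"node-1","NamespaceName":"default","PodName":"ubuntu-1","ContainerName":"ubuntu","Type":"MatchedPolicy","PolicyName":"block-shell","Severity":"5","Source":"/bin/bash","Operation":"Process","Resource":"/bin/sh","Action":"Block","Result":"Permission denied"}
{"Timestamp":1700000001,"ClusterName":"default","HostName":"node-1","NamespaceName":"default","PodName":"ubuntu-1","ContainerName":"ubuntu","Type":"ContainerLog","Source":"/usr/bin/cat","Operation":"File","Resource":"/etc/hostname","Result":"Passed"}
{"Timestamp":1700000002,"ClusterName":"default","HostName":"node-1","Type":"Message","Level":"INFO","Message":"Started to monitor system events"}
this line is not json
`

func main() {
	s := ParseStream(strings.NewReader(sampleRelayStdout))
	for _, rec := range s.Records {
		fmt.Println(rec)
	}
	fmt.Printf("counts=%v malformed=%d\n", s.Counts, s.Malformed)
}
```

In a real deployment `strings.NewReader(sampleRelayStdout)` would be replaced by the pod log stream (for example the output of `kubectl logs -f` on the relay pod) and each record handed to the SIEM's syslog or HTTP collector; the escaping in `extEsc` and `headerEsc` is what keeps an attacker-controlled file path or process name from splitting the record into fields the analyst did not expect.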

Microsoft Sentinel is used as an example in this figure