kube-query's Introduction

kube-query

kube-query is an extension for osquery that lets you visualize your cluster using SQL queries.

Deployment

Prerequisites

Go v1.12+

Build

$ export GO111MODULE=on 
$ go build kube-query.go 

Running kube-query

When running kube-query, you should always pass the -kubeconfig flag, specifying the path to your kubeconfig file.

osqueryi

When using the osqueryi tool, you can register kube-query by running it in a separate process and passing it the -socket parameter. For example:

./kube-query -socket="/path/to/osquery/socket" -kubeconfig="/path/to/kubeconfig.yml"

One way to get the path to the osquery socket is like this:

osqueryi --nodisable_extensions
osquery> select value from osquery_flags where name = 'extensions_socket';
+-----------------------------------+
| value                             |
+-----------------------------------+
| /Users/USERNAME/.osquery/shell.em |
+-----------------------------------+

There are many other options to automatically register extensions.

Example Queries

-- query all kube-system pods
SELECT * FROM kubernetes_pods WHERE namespace = 'kube-system';

-- query all containers created by kubernetes
SELECT * FROM kubernetes_containers;

-- query all pods that run with a privileged container
SELECT *
 FROM kubernetes_containers
 JOIN kubernetes_pods
 ON kubernetes_containers.pod_uid = kubernetes_pods.uid
 WHERE privileged = 'True';

kube-query's People

Contributors

danielsagi, lizrice, simar7

kube-query's Issues

specifying verbose flag to osqueryd/osqueryi causes extension to not load

When using osquery 4.3.0 and autoloading kube-query as an extension, passing the --verbose flag to osqueryd/osqueryi causes the extension to not load due to an unrecognized CLI parameter.

When the verbose parameter is removed, everything works fine.

Seems like a simple change to recognize the verbose parameter and not fail when it is passed on by osquery running in verbose mode.

See below for a shell session that demonstrates the error:

bash-4.2# osqueryi --nodisable_extensions --verbose
I0618 18:34:15.327247 17507 init.cpp:343] osquery initialized [version=4.3.0]
I0618 18:34:15.327378 17507 extensions.cpp:434] Found autoloadable extension: /etc/osquery/kube-query.ext
I0618 18:34:15.327440 17507 dispatcher.cpp:77] Adding new service: WatcherRunner (0x3d040e8) to thread: 140596147271424 (0x3c10b10) in process 17507
I0618 18:34:15.327589 17507 dispatcher.cpp:77] Adding new service: ExtensionWatcher (0x3c12e18) to thread: 140596138878720 (0x3c16ee0) in process 17507
I0618 18:34:15.327643 17507 dispatcher.cpp:77] Adding new service: ExtensionRunnerCore (0x3c18bd8) to thread: 140596130486016 (0x3c16b10) in process 17507
I0618 18:34:15.327857 17508 watcher.cpp:629] Created and monitoring extension child (17511): /etc/osquery/kube-query.ext
I0618 18:34:15.327924 17507 auto_constructed_tables.cpp:96] Removing stale ATC entries
I0618 18:34:15.328143 17510 interface.cpp:268] Extension manager service starting: /root/.osquery/shell.em
I0618 18:34:15.328402 17507 options.cpp:100] Verbose logging enabled by config option
I0618 18:34:15.328431 17507 options.cpp:100] Verbose logging enabled by config option
flag provided but not defined: -verbose
Usage of /etc/osquery/kube-query.ext:
-interval string
flag for specifying wait time before registering on autoload
-kubeconfig string
absolute path to the kubeconfig file (can be set by KUBECONFIG environment variable)
-socket string
absolute path to the osquery socket
-timeout string
flag for specifying wait time before registering on autoload
I0618 18:34:15.356397 17507 smbios_tables.cpp:104] Reading SMBIOS from sysfs DMI node
I0618 18:34:15.356528 17507 events.cpp:1122] Error registering subscriber: process_file_events: Subscriber disabled via configuration
Using a virtual database. Need help, type '.help'
osquery>
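
The failure in the session above comes from Go's flag package rejecting any flag that was never registered. The following is an added example, not kube-query's code: parseExtensionArgs and its acceptVerbose switch are hypothetical, and the argument vector is constructed to resemble what a verbose osquery passes to an autoloaded extension.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// parseExtensionArgs parses the flags listed in the usage output above.
// acceptVerbose is a hypothetical switch added for this example: when set,
// a boolean -verbose flag is registered so osquery's verbose mode parses.
func parseExtensionArgs(args []string, acceptVerbose bool) (socket string, verbose bool, err error) {
	fs := flag.NewFlagSet("kube-query.ext", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // keep the usage text out of the example's output
	fs.StringVar(&socket, "socket", "", "absolute path to the osquery socket")
	fs.String("kubeconfig", "", "absolute path to the kubeconfig file")
	fs.String("timeout", "", "wait time before registering on autoload")
	fs.String("interval", "", "wait time before registering on autoload")
	if acceptVerbose {
		fs.BoolVar(&verbose, "verbose", false, "enable verbose logging")
	}
	err = fs.Parse(args)
	return socket, verbose, err
}

// osqueryArgs is a constructed argument vector (an assumption, not captured
// output) resembling what a verbose osquery hands to an autoloaded extension.
var osqueryArgs = []string{
	"--socket", "/root/.osquery/shell.em",
	"--timeout", "3", "--interval", "3", "--verbose",
}

func main() {
	_, _, err := parseExtensionArgs(osqueryArgs, false)
	fmt.Println("without -verbose registered:", err)
	socket, verbose, err := parseExtensionArgs(osqueryArgs, true)
	fmt.Println("with -verbose registered:", socket, verbose, err)
}
```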

Does this require the binary to be run with sudo?

Looks like a very interesting project. I installed the latest stable version of osquery (4.3.0 as we speak) and when I try to run:

sudo ./kube-query -socket=/Users/xxxxx/.osquery/shell.em -kubeconfig=/Users/xxxxx/.kube/config --timeout=10

I see that the osqueryd logs are stuck at

I0609 21:16:44.540201 97325056 interface.cpp:108] Registering extension (kube-query, 1615, version=, sdk=)

Any idea what might be going wrong there?

Dead?

This project looks a bit dead.

Any reason for this? Are there other ways to get a SQL like interface to the Kubernetes Resource Model?

Please tell us in the readme about the state and future of the project.

Volumes table only includes the last iterated volume for a single pod

For a single pod with multiple volumes, currently the volumes table only retrieves the last iterated volume. The relevant code is here: https://github.com/aquasecurity/kube-query/blob/master/tables/volumes.go#L71-L87

		for k, v := range output {
			typ = k
			strRepr, _ := json.Marshal(v)
			source = string(strRepr)
		}

The last typ and source are returned back to the caller. This can be demoed with a simple test that fails today:

func TestVolumesTable_Generate(t *testing.T) {
	tc := testclient.NewSimpleClientset()
	_, _ = tc.CoreV1().Pods("testing-namespace").Create(&v1.Pod{
		TypeMeta: metav1.TypeMeta{},
		ObjectMeta: metav1.ObjectMeta{
			Name: "foo-pod-with-two-volumes",
		},
		Spec: v1.PodSpec{
			Volumes: []v1.Volume{
				{
					Name: "volume-1",
					VolumeSource: v1.VolumeSource{
						HostPath: &v1.HostPathVolumeSource{
							Path: "/foo1/bar/baz",
							Type: nil,
						},
					},
				},
				{
					Name: "volume-2",
					VolumeSource: v1.VolumeSource{
						HostPath: &v1.HostPathVolumeSource{
							Path: "/foo2/bar/baz",
							Type: nil,
						},
					},
				},
			},
		},
		Status: v1.PodStatus{},
	})

	dt := NewVolumesTable(tc)
	genTable, err := dt.Generate(context.TODO(), table.QueryContext{})
	assert.NoError(t, err)
	assert.Equal(t, []map[string]string{
		{
			"from_pod": "foo-pod-with-two-volumes", "name": "volume-1", "source": `{"path":"/foo1/bar/baz"}`, "type": "hostPath",
		},
		{
			"from_pod": "foo-pod-with-two-volumes", "name": "volume-2", "source": `{"path":"/foo2/bar/baz"}`, "type": "hostPath",
		},
	}, genTable)
}

My current idea to improve is the expectation in the above test where I would have a separate row for each pod volume found. So something like:

		{
			"from_pod": "foo-pod-with-two-volumes", "name": "volume-1", "source": `{"path":"/foo1/bar/baz"}`, "type": "hostPath",
		},
		{
			"from_pod": "foo-pod-with-two-volumes", "name": "volume-2", "source": `{"path":"/foo2/bar/baz"}`, "type": "hostPath",
		},

Any thoughts on how we should handle such a scenario?
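
The difference between the reported behaviour and the one-row-per-volume expectation, as an added example that is not kube-query's code: Volume, row, rowsLastOnly and rowsPerVolume are hypothetical names, and the sample data is constructed from the test in the issue. For a cluster audit the single-row result means every hostPath mount except the last drops out of the table.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Volume is a hypothetical stand-in for v1.Volume: name plus a one-key source map.
type Volume struct {
	Name   string
	Source map[string]interface{}
}

// row builds one table row; type and JSON source come from the single map entry.
func row(pod string, v Volume) map[string]string {
	r := map[string]string{"from_pod": pod, "name": v.Name}
	for k, val := range v.Source {
		b, _ := json.Marshal(val)
		r["type"], r["source"] = k, string(b)
	}
	return r
}

// rowsLastOnly reproduces the reported behaviour: each iteration overwrites
// the previous values and only one row is returned for the pod.
func rowsLastOnly(pod string, vols []Volume) []map[string]string {
	var last map[string]string
	for _, v := range vols {
		last = row(pod, v)
	}
	return []map[string]string{last}
}

// rowsPerVolume appends inside the loop, so every volume gets a row.
func rowsPerVolume(pod string, vols []Volume) []map[string]string {
	var rows []map[string]string
	for _, v := range vols {
		rows = append(rows, row(pod, v))
	}
	return rows
}

// sample is constructed input: the two hostPath volumes from the test above.
var sample = []Volume{
	{"volume-1", map[string]interface{}{"hostPath": map[string]string{"path": "/foo1/bar/baz"}}},
	{"volume-2", map[string]interface{}{"hostPath": map[string]string{"path": "/foo2/bar/baz"}}},
}

func main() {
	fmt.Println(len(rowsLastOnly("p", sample)), len(rowsPerVolume("p", sample)))
}
```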

Unable to load Kubeconfig with OIDC auth

When attempting to run the program, it fails when attempting to build the Kubernetes client due to not supporting the OIDC auth method.

This is relatively straightforward to remediate - here's an example from K8s client-go:

import (
	// Uncomment to load all auth plugins
	_ "k8s.io/client-go/plugin/pkg/client/auth"
	
	// Or uncomment to load specific auth plugins
	// _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
	// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
	// _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
	// _ "k8s.io/client-go/plugin/pkg/client/auth/openstack"
)

Improve general logging

  • Add verbose level logs, if verbose flag was specified
  • Change logs to be generally more descriptive
  • Add more logs
  • Add [kube-query extension] to the start of each log
