slashben / kapprofiler

This project forked from kubescape/kapprofiler

Generate an application profile containing metrics/properties for Kubernetes workloads based on runtime behavior.

License: Apache License 2.0

Shell 0.40% Go 98.68% Makefile 0.72% Dockerfile 0.19%

kapprofiler's Introduction

Kubescape Application profiler

Intro

This is a lab project made by the Kubescape team whose goal is to generate an application profile containing metrics/properties for Kubernetes workloads based on runtime behavior.

There are many metrics and properties of an application that are not available from the Kubernetes API or other standard data sources, for example the executables that run in a container or the TCP connections it makes. To access this kind of information the operator needs observability tooling in place.

This application profiler uses Inspektor Gadget to collect information about running workloads in Kubernetes and compiles it into a Kubernetes custom resource.

Use cases

This information can help Kubescape (or other tooling) to:

  • Verify the workload configuration (for example: determine if a workload needs to be privileged)
  • Build hardening based on workload behavior (security context, network policies, seccomp profiles, etc.)

Because the profile is stored as a Kubernetes API object, it fits GitOps workflows and can be handed to other tooling in the ecosystem easily.

Data collected

  • Execve events: processes started in the container, with their arguments
  • File access: list of files opened in the container (and their access mode)
  • Network connections: incoming and outgoing connection events
  • DNS: DNS requests and responses made by the container (currently limited because of this issue)
  • Syscalls: the system calls the application uses
  • Linux capabilities requested by the containerized processes

Example of an application profile

apiVersion: kubescape.io/v1
kind: ApplicationProfile
metadata:
  creationTimestamp: "2023-09-10T06:42:24Z"
  generation: 2
  name: deployment-frontend
  namespace: hipster
  resourceVersion: "142668"
  uid: 8419da2a-0584-4be6-9a37-0efd0f2c7b97
spec:
  containers:
  - capabilities:
    - caps:
      - NET_ADMIN
      syscall: read
    - caps:
      - NET_ADMIN
      syscall: openat
    dns:
    - dnsName: metadata.google.internal.
    - dnsName: adservice.hipster.svc.cluster.local.
    - dnsName: cartservice.hipster.svc.cluster.local.
    - dnsName: checkoutservice.hipster.svc.cluster.local.
    - dnsName: currencyservice.hipster.svc.cluster.local.
    - dnsName: shippingservice.hipster.svc.cluster.local.
    - dnsName: productcatalogservice.hipster.svc.cluster.local.
    - dnsName: recommendationservice.hipster.svc.cluster.local.
    execs:
    - path: /src/server
    name: server
    networkActivity:
      incoming:
      - dstEndpoint: 10.244.0.1
        port: 8080
        protocol: tcp
      - dstEndpoint: 10.244.0.109
        port: 8080
        protocol: tcp
      outgoing:
      - dstEndpoint: 169.254.169.254
        port: 80
        protocol: tcp
      - dstEndpoint: 10.97.13.57
        port: 3550
        protocol: tcp
      - dstEndpoint: 10.96.112.73
        port: 5050
        protocol: tcp
      - dstEndpoint: 10.97.138.113
        port: 7000
        protocol: tcp
      - dstEndpoint: 10.102.37.192
        port: 7070
        protocol: tcp
      - dstEndpoint: 10.108.166.241
        port: 8080
        protocol: tcp
      - dstEndpoint: 10.108.135.173
        port: 9555
        protocol: tcp
      - dstEndpoint: 10.103.31.34
        port: 50051
        protocol: tcp
      - dstEndpoint: 10.96.0.10
        port: 53
        protocol: udp
    opens:
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /etc/hosts
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/server
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /etc/resolv.conf
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /etc/nsswitch.conf
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates/ad.html
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates/cart.html
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates/home.html
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates/error.html
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates/order.html
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates/footer.html
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates/header.html
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates/product.html
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /proc/sys/net/core/somaxconn
    - flags:
      - O_RDONLY
      - O_CLOEXEC
      path: /src/templates/recommendations.html
    - flags:
      - O_RDONLY
      path: /sys/kernel/mm/transparent_hugepage/hpage_pmd_size
    syscalls:
    - accept4
    - arch_prctl
    - bind
    - brk
    - capget
    - capset
    - chdir
    - clone
    - close
    - connect
    - epoll_create1
    - epoll_ctl
    - epoll_pwait
    - execve
    - faccessat2
    - fchown
    - fcntl
    - fstat
    - fstatfs
    - futex
    - getdents64
    - getpeername
    - getpid
    - getppid
    - getrandom
    - getrlimit
    - getsockname
    - getsockopt
    - gettid
    - listen
    - madvise
    - membarrier
    - mmap
    - mprotect
    - nanosleep
    - newfstatat
    - openat
    - pipe2
    - prctl
    - pread64
    - read
    - readlinkat
    - rt_sigaction
    - rt_sigprocmask
    - rt_sigreturn
    - sched_getaffinity
    - sched_yield
    - set_tid_address
    - setgid
    - setgroups
    - setsockopt
    - setuid
    - sigaltstack
    - socket
    - tgkill
    - uname
    - write
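The profile above is the input for the hardening use cases listed earlier. The following Go program is an added example, not kapprofiler's own code: it parses a constructed subset of the example profile (embedded as JSON rather than YAML so that only the standard library is needed) and derives three artifacts from it: an allow-list seccomp profile from `syscalls`, the minimal capability set from `capabilities`, and the egress tuples from `networkActivity.outgoing`. The type names (ApplicationProfile, Container, Endpoint, SeccompProfile) and the functions are assumptions made for this example; the JSON field names follow the resource shown above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Types for the profile fields used here, written for this example from the spec above (not kapprofiler's own).
type ApplicationProfile struct {
	Spec struct {
		Containers []Container `json:"containers"`
	} `json:"spec"`
}
type Container struct {
	Name            string                                   `json:"name"`
	Capabilities    []struct{ Caps []string `json:"caps"` } `json:"capabilities"`
	Syscalls        []string                                 `json:"syscalls"`
	NetworkActivity struct {
		Outgoing []Endpoint `json:"outgoing"`
	} `json:"networkActivity"`
}
type Endpoint struct {
	DstEndpoint string `json:"dstEndpoint"`
	Port        int    `json:"port"`
	Protocol    string `json:"protocol"`
}

// SeccompProfile is the JSON a pod's seccompProfile (type: Localhost) loads; SCMP_ACT_ERRNO as default makes it an allow-list.
type SeccompProfile struct {
	DefaultAction string           `json:"defaultAction"`
	Syscalls      []SeccompSyscall `json:"syscalls"`
}
type SeccompSyscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// sampleProfile: constructed subset of the page's example, as JSON for offline parsing; a repeated syscall and endpoint are included on purpose.
const sampleProfile = `{"apiVersion":"kubescape.io/v1","kind":"ApplicationProfile",
 "metadata":{"name":"deployment-frontend","namespace":"hipster"},
 "spec":{"containers":[{"name":"server",
  "capabilities":[{"caps":["NET_ADMIN"],"syscall":"read"},{"caps":["NET_ADMIN"],"syscall":"openat"}],
  "syscalls":["accept4","bind","connect","execve","listen","openat","read","socket","write","read"],
  "networkActivity":{"outgoing":[
   {"dstEndpoint":"10.97.13.57","port":3550,"protocol":"tcp"},{"dstEndpoint":"10.96.112.73","port":5050,"protocol":"tcp"},
   {"dstEndpoint":"10.96.0.10","port":53,"protocol":"udp"},{"dstEndpoint":"10.96.0.10","port":53,"protocol":"udp"}]}}]}}`

// ParseProfile decodes one ApplicationProfile object (the shape `kubectl get ... -o json` returns).
func ParseProfile(data []byte) (p ApplicationProfile, err error) {
	err = json.Unmarshal(data, &p)
	return
}

// uniqueSorted drops empty and repeated entries and sorts the rest, so generated policies are stable across profile updates.
func uniqueSorted(in []string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, s := range in {
		if s != "" && !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	sort.Strings(out)
	return out
}

// SeccompFor turns the observed syscalls into an allow-list seccomp profile.
func SeccompFor(c Container) SeccompProfile {
	allow := SeccompSyscall{Names: uniqueSorted(c.Syscalls), Action: "SCMP_ACT_ALLOW"}
	return SeccompProfile{DefaultAction: "SCMP_ACT_ERRNO", Syscalls: []SeccompSyscall{allow}}
}

// CapabilitiesFor returns the capabilities the container actually used: what to keep in securityContext.capabilities.add after dropping ALL.
func CapabilitiesFor(c Container) []string {
	var caps []string
	for _, e := range c.Capabilities {
		caps = append(caps, e.Caps...)
	}
	return uniqueSorted(caps)
}

// EgressFor summarises outgoing connections as "proto/ip:port" rules, the raw material for a NetworkPolicy egress section.
func EgressFor(c Container) []string {
	var rules []string
	for _, e := range c.NetworkActivity.Outgoing {
		rules = append(rules, fmt.Sprintf("%s/%s:%d", e.Protocol, e.DstEndpoint, e.Port))
	}
	return uniqueSorted(rules)
}

func main() {
	p, err := ParseProfile([]byte(sampleProfile))
	if err != nil {
		panic(err)
	}
	c := p.Spec.Containers[0]
	seccomp, _ := json.MarshalIndent(SeccompFor(c), "", "  ")
	fmt.Printf("%s: caps=%v egress=%v\n%s\n", c.Name, CapabilitiesFor(c), EgressFor(c), seccomp)
}
```

Two caveats matter before anything derived this way is enforced. The profile only records what the workload did during the recording window, so a code path that was never exercised (error handling, a periodic job) will be missing from the syscall allow-list and be rejected by SCMP_ACT_ERRNO; record under realistic traffic and keep the profile in audit mode first. Likewise the egress tuples contain ClusterIPs and pod IPs, which change on redeploy, so a NetworkPolicy built from them should be expressed with namespace and pod selectors (the DNS names in the profile identify the peers), not the raw addresses.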

Install

Simple installation:

kubectl apply -f https://raw.githubusercontent.com/kubescape/kapprofiler/main/etc/app-profile.crd.yaml
kubectl apply -f https://raw.githubusercontent.com/kubescape/kapprofiler/main/deployment/deployment.yaml

Voila 😉

Usage

The profiler starts recording events every time a container starts and updates the profiles every 2 minutes.

To see your application profiles, run:

kubectl get applicationprofiles.kubescape.io -A
