[FEAT] Improve container enrichment integration with k8s

Open NDStrahilevitz opened this issue 3 years ago • 0 comments

Prerequisites

  • [ ] This issue is an EPIC issue (add label: EPIC).
  • [ ] This issue is an EPIC TASK (add issue to EPIC description).

Select one OR another:

  • [x] I'll create a PR to implement this feature (assign to yourself).
  • [ ] Someone else should implement this (describe it well).

Feature description

Container enrichment currently works by either "mounting" the correct sockets through the CLI (--cri <runtime_name>:/path/to/sock) or by letting tracee auto-discover runtime sockets through a hard-coded list. However, this hard-coded list is unsatisfactory for some non-standard k8s envs (for example microk8s, k3s, etc.). In addition, non-standard k8s envs sometimes use "custom" paths for their cgroups, which cause tracee to not detect the runtime version.

I think the best solution for this would be a k8s flavor declaration, which we could use to improve the autodiscover, and which could also inform additional search paths for container runtimes in the container_derive event.

Additional Information (feature drawings, files, logs, etc)

So this could either be done through a CLI flag (probably something like --k8s), a config file when we have that, and probably autodiscovered from the host environment in the future.

NDStrahilevitz, Jun 26 '22 10:06
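
An added sketch of the flavor-aware socket discovery proposed in the issue above, in Go; it is not tracee's code. The `DiscoverSockets` function, the flavor names and the path tables are assumptions for illustration (the microk8s and k3s entries are those distributions' usual containerd socket locations), and the probe is injectable so the logic can be checked without real sockets.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Search paths per runtime; the flavor names and tables are assumptions.
var defaultSocks = map[string][]string{
	"containerd": {"/var/run/containerd/containerd.sock"},
	"docker":     {"/var/run/docker.sock"},
	"crio":       {"/var/run/crio/crio.sock"},
}
var flavorSocks = map[string]map[string][]string{
	"microk8s": {"containerd": {"/var/snap/microk8s/common/run/containerd.sock"}},
	"k3s":      {"containerd": {"/run/k3s/containerd/containerd.sock"}},
}

// isUnixSocket is the real probe; callers may inject another one.
func isUnixSocket(path string) bool {
	fi, err := os.Stat(path)
	return err == nil && fi.Mode()&os.ModeSocket != 0
}

// DiscoverSockets picks one socket per runtime. Overrides in the
// "<runtime_name>:/path/to/sock" form win and must be valid (no silent
// fallback); otherwise flavor paths are probed before the defaults.
func DiscoverSockets(flavor string, overrides []string, probe func(string) bool) (map[string]string, error) {
	found := map[string]string{}
	for _, o := range overrides {
		name, path, ok := strings.Cut(o, ":")
		if _, known := defaultSocks[name]; !ok || !known || !probe(path) {
			return nil, fmt.Errorf("bad runtime socket override %q", o)
		}
		found[name] = path
	}
	for name, defaults := range defaultSocks {
		candidates := append(append([]string{}, flavorSocks[flavor][name]...), defaults...)
		for _, p := range candidates {
			if _, set := found[name]; !set && probe(p) {
				found[name] = p
			}
		}
	}
	return found, nil
}

func main() { fmt.Println(DiscoverSockets("microk8s", nil, isUnixSocket)) }
```

A runtime missing from the returned map means no socket was found for it, which a caller can log so that events arriving without container context are explainable.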