wazuh-kubernetes

DaemonSet container progress

Open nshenry03 opened this issue 5 years ago • 9 comments

Hi @jesuslinares,

Thank you for the work you've done here; it's great and really helpful.

You mention in the instructions that you are researching if the agent is able to run as a DaemonSet container:

> We are researching if the agent is able to run as a DaemonSet container. A DaemonSet is a special type of Pod which is logically guaranteed to run on each Kubernetes node. This kind of agent will have access only to its container, so we should mount volumes used by other containers to monitor logs, files, etc.

Has there been any progress on this? Seems to be a requirement for my team rather than installing the agent on the host. Any help or advice would be appreciated.

Thanks!

nshenry03 avatar Apr 24 '19 17:04 nshenry03

Hi @nshenry03 ,

I didn't have the chance to implement and test it, but it should not be complicated.

Usually, we install the Wazuh agent in the Docker host, so it is able to access logs from other containers, run commands, use the Docker wodle, etc. If you install the Wazuh agent in a container (using a DaemonSet), you need to grant access from that pod to the things you want to monitor. So, the real challenge is how to configure or improve the Wazuh agent to be more powerful in container environments. That is the part that we are researching. Any feedback is welcome.

This is a related issue in the Wazuh mailing list: https://groups.google.com/forum/#!topic/wazuh/tlFKymhOm_Q.

I hope it helps.

jesuslinares avatar Apr 25 '19 17:04 jesuslinares

Is there any ETA to release the DaemonSet / Docker image for testing? I would like to use it :+1:

lshahar avatar Jul 08 '19 17:07 lshahar

Hi @jesuslinares and @nshenry03, I would like to take this forward. Will you be able to share the knowledge or track that you have decided? I will try to take this forward from there.

chowmean avatar Jul 27 '20 14:07 chowmean

@jesuslinares, @Dwordcito Another user asked when the support to monitor/collect info using an agent as a daemonset will be available. Here's the Slack link: https://wazuh.slack.com/archives/C0A933R8E/p1606837317137900 and the user question: "I launched a wazuh agent as daemonset in kubernetes. If I understand correctly, then there is no way to collect information about the system’s packages/osts and send reports on OS HOST, right? Is there any plan to make such support in future versions?" Do we have any update on this? Thanks

konangc87 avatar Dec 02 '20 14:12 konangc87

You can check my example of daemon set for agent https://github.com/pyToshka/docker-wazuh-agent/blob/main/wazuh-daemonset.yaml

pyToshka avatar Feb 14 '21 03:02 pyToshka

Hi @pyToshka, does this work?

cakhanif avatar Aug 19 '21 07:08 cakhanif

@cakhanif yes it is

pyToshka avatar Aug 19 '21 07:08 pyToshka

Hey guys! I have deployed the Wazuh DaemonSet and it is working successfully, but in my manager alerts I am getting only events/logs for start/stop and exec. How can I get every bit of log from the container, for example "installing any package or executing any command in container"? Here is my Wazuh DaemonSet file:

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wazuh-daemonset
  namespace: default
  labels:
    k8s-app: wazuh-daemonset
spec:
  selector:
    matchLabels:
      name: wazuh-daemonset
  template:
    metadata:
      labels:
        name: wazuh-daemonset
    spec:
      tolerations:
      # this toleration is to have the daemonset runnable on master nodes
      # remove it if your masters can't run pods
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: wazuh-daemonset
        image: <my-Custom-Image>
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: docker
          mountPath: /var/run/docker.sock
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
        - mountPath: /var/run
          name: var-run
        - mountPath: /host/dev
          name: dev
        - mountPath: /host/sys
          name: sys
          readOnly: true
        - mountPath: /host/proc
          name: proc
          readOnly: true
        - mountPath: /host/etc
          name: etc
          readOnly: true
        - mountPath: /host/boot
          name: boot
          readOnly: true
        - mountPath: /host/usr
          name: usr
          readOnly: true
        - mountPath: /host/lib/modules
          name: modules
          readOnly: true
        - mountPath: /host/var/log
          name: log
          readOnly: true
      terminationGracePeriodSeconds: 5
      volumes:
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: docker
        hostPath:
          path: /var/run/docker.sock
      - name: var-run
        hostPath:
          path: /var/run
      - name: dev
        hostPath:
          path: /dev
      - name: sys
        hostPath:
          path: /sys
      - name: proc
        hostPath:
          path: /proc
      - name: etc
        hostPath:
          path: /etc
      - name: boot
        hostPath:
          path: /boot
      - name: usr
        hostPath:
          path: /usr
      - name: modules
        hostPath:
          path: /lib/modules
      - name: log
        hostPath:
          path: /var/log
```

Umair841 avatar Sep 15 '21 13:09 Umair841

Hi all, just want to share my version of the Wazuh agent as a DaemonSet, which needs to share the host network, IPC and PID, and is chrooted to the mounted root of the host so that all the default rules reference the actual host files (not the container files) with minimum changes to the host dir (create the wazuh user if it does not exist and modify the /var/ossec dir). https://github.com/TelkomIndonesia/wazuh-agent-docker/blob/master/wazuh-daemonset.yaml. Any feedback is welcome.

rucciva avatar May 10 '23 09:05 rucciva
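
The DaemonSet approaches in this thread work by handing the agent pod access to the node: hostPath mounts in the manifest posted above, and host network, IPC and PID sharing in the last comment. As an added example (not code from the thread or from the Wazuh project), this Python function lists that access for a DaemonSet supplied as parsed JSON, the shape `kubectl get daemonset -o json` returns, so it can be reviewed before rollout. The embedded sample is constructed from a subset of the mounts in the posted manifest, and the `SENSITIVE` path list is an assumption to adjust.

```python
import json

# Assumption: host paths where a writable mount deserves a closer look.
SENSITIVE = ("/var/run", "/dev", "/etc", "/proc", "/sys")

def host_access(ds):
    """List the node access a DaemonSet's pod template asks for."""
    spec = ds["spec"]["template"]["spec"]
    findings = [f"{flag}: pod shares this host namespace"
                for flag in ("hostNetwork", "hostPID", "hostIPC") if spec.get(flag)]
    # Volume name -> host path, for hostPath volumes only.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None or m.get("readOnly"):
                continue  # not a host path, or mounted read-only
            if path.endswith("docker.sock"):
                findings.append(f"{path}: writable Docker socket")
            elif any(path == p or path.startswith(p + "/") for p in SENSITIVE):
                findings.append(f"{path}: writable sensitive host path")
            else:
                findings.append(f"{path}: writable host path")
    return findings

# Constructed sample: a subset of the mounts in the manifest posted above.
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {
  "containers": [{"name": "wazuh-daemonset", "volumeMounts": [
    {"name": "docker", "mountPath": "/var/run/docker.sock"},
    {"name": "varlibdockercontainers", "mountPath": "/var/lib/docker/containers"},
    {"name": "var-run", "mountPath": "/var/run"},
    {"name": "dev", "mountPath": "/host/dev"},
    {"name": "etc", "mountPath": "/host/etc", "readOnly": true}]}],
  "volumes": [
    {"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}},
    {"name": "varlibdockercontainers", "hostPath": {"path": "/var/lib/docker/containers"}},
    {"name": "var-run", "hostPath": {"path": "/var/run"}},
    {"name": "dev", "hostPath": {"path": "/dev"}},
    {"name": "etc", "hostPath": {"path": "/etc"}}]}}}}
""")

if __name__ == "__main__":
    for finding in host_access(SAMPLE):
        print(finding)
```

Read-only mounts are skipped here because the check targets write access; they still expose host files to the container and belong in the same review.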