kubernetes - 在minikube上运行sysdig

Question

我试图在我的本地kubernetes集群上运行sysdig，该集群使用minikube和kvm2作为vm-driver运行。我是sysdig的新手，希望找到由pod运行的系统调用。

我运行的命令是:
sudo sysdig k8s.ns.name=default or k8s.pod.name=algorithm
Pod正在运行(我检查过)，但是没有系统调用失败。

我用kubectl describe命令检查了命名空间是否正确；是的。所以我不确定这出了什么问题。 sysdig可能找不到任何东西，因为minikube正在使用上述VM。如果是这样，我不确定如何在其中运行sysdig。

提前致谢

Answer 1

如果您正确设置了Sysdig，Kubernetes Audit Logging应该可以工作。

Sysdig Secure allows users to create Falco security rules based on a stream of Kubernetes audit events, integrating Kubernetes audit logging with the Sysdig Agent. This allows users to track changes made to the cluster, including:

• Creation and destruction of pods, services, deployments, daemonsets, etc.
• Creating/updating/removing config maps or secrets
• Attempts to subscribe to changes to any endpoint

Docs指出 Sysdig使用默认的Virtualbox驱动程序从0.33.1起支持Minikube。

要在Minikube中启用审核日志记录，您需要:

1. Clone / download the repository: https://github.com/draios/sysdig-cloud-scripts.

   The repository contains the following relevant files:

   • k8s_audit_config/audit-policy.yaml

     For more information on configuring the audit events passed to the agent, refer to the Kubernetes documentation.

   • k8s_audit_config/[webhook-config.yaml.in](http://webhook-config.yaml.in/)

   • k8s_audit_config/enable-k8s-audit.sh

2. Run the following command in the sysdig-cloud-scripts/k8s_audit_config directory to enter the necessary values to the [webhook-config.yaml.in](http://webhook-config.yaml.in/) file:

   AGENT_SERVICE_CLUSTERIP=$(kubectl get service sysdig-agent -o=jsonpath={.spec.clusterIP}) envsubst < webhook-config.yaml.in > webhook-config.yaml

3. Run the enable-k8s.sh script to enable audit log support on the apiserver:

   bash ./enable-k8s-audit.sh minikube