Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New component: kubearmor_receiver #22977

Closed
2 tasks
Chinwendu20 opened this issue May 31, 2023 · 12 comments
Closed
2 tasks

New component: kubearmor_receiver #22977

Chinwendu20 opened this issue May 31, 2023 · 12 comments
Labels
closed as inactive discussion needed Community discussion needed Sponsor Needed New component seeking sponsor Stale

Comments

@Chinwendu20
Copy link
Contributor

Chinwendu20 commented May 31, 2023

The purpose and use-cases of the new component

KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level. It is a CNCF sandbox project.

KubeArmor emits host visibility logs, policy violation alerts and its own application logs geared towards enabling operators to gain more insight into the security posture of their workloads.

This receiver is created as an adapter to make the logs emitted by the kubearmor vendor agnostic for use with backends such as Splunk, grafana, etc.

Link to Grafana dashboard created with receiver:
https://photos.onedrive.com/share/1C7FEA1D6F553A7!2110?cid=1C7FEA1D6F553A7&authkey=!AFBYfP76wrtpzBk&ithint=video&e=cmty14

Log Specification

The lines highlighted show the specification of the logs fetched from kubearmor and collected by the receiver:

Policy violation alerts
https://github.com/kubearmor/KubeArmor/blob/aefa27d827f88560cfbecf719a2734895c5443eb/protobuf/kubearmor.proto#L35-L76

Host visibility logs:
https://github.com/kubearmor/KubeArmor/blob/aefa27d827f88560cfbecf719a2734895c5443eb/protobuf/kubearmor.proto#L79-L111

Kubearmor application logs:
https://github.com/kubearmor/KubeArmor/blob/aefa27d827f88560cfbecf719a2734895c5443eb/protobuf/kubearmor.proto#L13-L25

Design of receiver:
image

Kubearmor client fetches logs from kubearmor relay server the receiver converts logs to the opentelemetry format.

Example configuration for the component

kubearmor_receiver:
  endpoint: :32767
  logfilter: policy

endpoint = This is the endpoint of the kubearmor relay server
logfilter = Filter for logs i.e. policy, all, system, kubearmorlogs. It is used to filter the type of kubearmor logs to fetch from the client.

Telemetry data types supported

logs

Is this a vendor-specific component?

  • This is a vendor-specific component
  • If this is a vendor-specific component, I am proposing to contribute this as a representative of the vendor.

Sponsor (optional)

No response

Additional context

Link to issue:
kubearmor/KubeArmor#894

@Chinwendu20 Chinwendu20 added the needs triage New item requiring triage label May 31, 2023
@atoulme atoulme added Sponsor Needed New component seeking sponsor and removed needs triage New item requiring triage labels Jun 1, 2023
@atoulme
Copy link
Contributor

atoulme commented Jun 1, 2023

Please clarify if this is a vendor-specific component, as it appears this relates to an open source project.

@Chinwendu20
Copy link
Contributor Author

Chinwendu20 commented Jun 1, 2023

Yes it is an open source project. I was thinking it qualifies as vendor spscific because it is unique to the project. Thanks for the review.

@atoulme
Copy link
Contributor

atoulme commented Jun 1, 2023

I can understand the confusion. We don't do a good job explaining what vendor-specific means here. @jpkrohling what is your read on this?

@atoulme atoulme added the discussion needed Community discussion needed label Jun 2, 2023
@atoulme
Copy link
Contributor

atoulme commented Jun 2, 2023

Adding discussion needed, this needs escalation to the next SIG meeting to clarify.

@Chinwendu20
Copy link
Contributor Author

Chinwendu20 commented Jun 2, 2023

Okay thank you.

@kentquirk
Copy link
Member

Just to make clear: the strong recommendation from today's SIG meeting was to revise KubeArmor's logger to allow it to send OTLP logs. If this is done, no new receiver would be necessary.

@Chinwendu20
Copy link
Contributor Author

If I understand currently that means instrumenting kubearmor's system to emit otlp logs

@Chinwendu20
Copy link
Contributor Author

Chinwendu20 commented Jun 7, 2023

Even If I wanted to do that. I would not be able to do that because the golang API and SDK for otel has logs in frozen development
https://github.com/open-telemetry/opentelemetry-go

@kentquirk
Copy link
Member

Yup, that makes sense. I think the next best option would be to write a configuration for the collector's filelogreceiver to read and parse the logs from kubearmor. Here's a "basic" JSON example, and there are many examples of parsing many different formats here.

@Chinwendu20
Copy link
Contributor Author

Thank you so much. I considered doing that but I think there is nothing wrong with fetching the logs directly from the relay server and leveraging the kubearmor receiver to convert to otel format without the overhead of managing file rotation and disk usage.

@github-actions
Copy link
Contributor

github-actions bot commented Aug 8, 2023

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

@github-actions
Copy link
Contributor

github-actions bot commented Oct 7, 2023

This issue has been closed as inactive because it has been stale for 120 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
closed as inactive discussion needed Community discussion needed Sponsor Needed New component seeking sponsor Stale
Projects
None yet
Development

No branches or pull requests

3 participants