KubeArmor's relay server collects all messages, alerts, and system logs generated by KubeArmor in each node, and then it allows other logging systems to simply collect those through the service ('kubearmor.kube-system.svc') of the relay server.
By default, the relay server is deployed with KubeArmor.
KubeArmor emits the following types of telemetry events:
- Alert: when a policy is violated
- Log: when a pod executes a syscall or any other action (such as file access, process creation, network socket create/connect/accept, etc.)
- Message: internal KubeArmor daemon messages
There are two approaches that one can take to stream the KubeArmor events:
- Using kubearmor-relay stdout: This is the easiest way, i.e. if the SIEM tool connects to the k8s pod logging interface then all the KubeArmor events (across all nodes) are available at the kubearmor-relay stdout. Fluentd and Microsoft Sentinel do support this mode, wherein the stdout of the pod can be streamed to the SIEM tool. By default the stdout is turned off so as not to impact performance. To enable it, set the environment variables `ENABLE_STDOUT_LOGS`, `ENABLE_STDOUT_ALERTS` and `ENABLE_STDOUT_MSGS` to `true` in the deployment yaml, for example:

  ```yaml
  env:
    - name: ENABLE_STDOUT_LOGS
      value: "true"
    - name: ENABLE_STDOUT_ALERTS
      value: "true"
    - name: ENABLE_STDOUT_MSGS
      value: "true"
  ```
- Creating an adapter for the SIEM tool: kubearmor-relay events can be accessed using its gRPC server (ref code) and then streamed to the SIEM tool (Splunk/ELK/MS Sentinel ...). An example adapter is the OpenTelemetry adapter for KubeArmor: the OpenTelemetry KubeArmor receiver connects to kubearmor-relay and converts KubeArmor telemetry data to the OpenTelemetry format, which in turn can be configured to connect to SIEM tools like Splunk, Grafana etc. Here's the tutorial for the same.
Microsoft Sentinel is used as an example in this figure
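As an added example (not code from the KubeArmor project), here is a minimal Python adapter for the stdout approach: it reads the JSON lines that kubearmor-relay prints when the three `ENABLE_STDOUT_*` flags are on, sorts each line into the alert/log/message kinds listed above, and flattens it into a record a SIEM forwarder could index. The sample lines are constructed for this example; the field names follow KubeArmor's telemetry schema, but classifying by the `Type` and `Level` fields and the `priority` mapping are assumptions of this example, not KubeArmor behaviour.

```python
import json
from typing import Dict, Iterator, List

# Constructed sample of relay stdout with all three ENABLE_STDOUT_* flags on:
# one policy alert, one container log, one daemon message, one non-JSON line.
# Field names follow KubeArmor's telemetry schema; every value is invented.
SAMPLE_STDOUT = """\
{"Timestamp":1700000000,"UpdatedTime":"2023-11-14T22:13:20.000000Z","ClusterName":"default","HostName":"node-1","NamespaceName":"wordpress","PodName":"wordpress-7c8f","ContainerName":"wordpress","Source":"/bin/bash","Operation":"File","Resource":"/etc/shadow","Data":"syscall=SYS_OPENAT","Action":"Block","Result":"Permission denied","PolicyName":"block-shadow-read","Severity":"7","Type":"MatchedPolicy"}
{"Timestamp":1700000001,"UpdatedTime":"2023-11-14T22:13:21.000000Z","ClusterName":"default","HostName":"node-1","NamespaceName":"wordpress","PodName":"wordpress-7c8f","ContainerName":"wordpress","Source":"/usr/sbin/apache2","Operation":"Process","Resource":"/bin/sh -c ls","Data":"syscall=SYS_EXECVE","Result":"Passed","Type":"ContainerLog"}
{"Timestamp":1700000002,"UpdatedTime":"2023-11-14T22:13:22.000000Z","ClusterName":"default","HostName":"node-1","Type":"Message","Level":"Info","Message":"Started to monitor system events"}
2023-11-14T22:13:23Z relay: not a JSON line
"""


def parse_relay_stdout(text: str) -> Iterator[Dict]:
    """Yield one decoded event per JSON line; skip anything that is not a JSON object."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # relay may interleave plain text; never let it stall the pipeline
        if isinstance(event, dict):
            yield event


def classify(event: Dict) -> str:
    """Map a relay event onto the alert/log/message kinds (assumed Type/Level conventions)."""
    etype = event.get("Type", "")
    if etype in ("MatchedPolicy", "MatchedHostPolicy"):
        return "alert"
    if etype in ("ContainerLog", "HostLog"):
        return "log"
    if "Level" in event:  # daemon messages carry a log level rather than a policy
        return "message"
    return "unknown"


def normalize(event: Dict) -> Dict:
    """Flatten an event into the fields a SIEM index would key on."""
    kind = classify(event)
    record = {
        "kind": kind,
        "timestamp": event.get("UpdatedTime"),
        "cluster": event.get("ClusterName"),
        "host": event.get("HostName"),
    }
    if kind in ("alert", "log"):
        record.update({
            "namespace": event.get("NamespaceName"),
            "pod": event.get("PodName"),
            "container": event.get("ContainerName"),
            "operation": event.get("Operation"),
            "source": event.get("Source"),
            "resource": event.get("Resource"),
            "result": event.get("Result"),
        })
    if kind == "alert":
        # Severity arrives as a string; SIEM thresholds want an integer.
        try:
            severity = int(event.get("Severity", "0"))
        except ValueError:
            severity = 0
        record.update({
            "policy": event.get("PolicyName"),
            "action": event.get("Action"),
            "severity": severity,
            # Blocked or high-severity matches are the ones that need triage first.
            "priority": "high" if event.get("Action") == "Block" or severity >= 7 else "medium",
        })
    if kind == "message":
        record.update({"level": event.get("Level"), "message": event.get("Message")})
    return record


def adapt(text: str) -> List[Dict]:
    """Run the full stdout-to-records pipeline, dropping unrecognised events."""
    return [normalize(e) for e in parse_relay_stdout(text) if classify(e) != "unknown"]


def summarize(records: List[Dict]) -> Dict[str, int]:
    """Count records per kind, useful as a health metric on the forwarder."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in adapt(SAMPLE_STDOUT):
        print(json.dumps(rec))
    print(summarize(adapt(SAMPLE_STDOUT)))
```

In a real forwarder the `SAMPLE_STDOUT` string would be replaced by the pod log stream (for example the output of `kubectl logs -f` on the relay pod, or whatever the SIEM agent tails), and `normalize` would emit the SIEM's own field names; the per-kind counts from `summarize` are worth exporting so a silent drop of alerts is noticed.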