wazuh / wazuh-kubernetes

Wazuh - Wazuh Kubernetes
https://wazuh.com/
GNU General Public License v2.0

DaemonSet container progress #35

Open nshenry03 opened 5 years ago

nshenry03 commented 5 years ago

Hi @jesuslinares,

Thank you for the work you've done here; it's great and really helpful.

You mention in the instructions that you are researching if the agent is able to run as a DaemonSet container:

> We are researching if the agent is able to run as a DaemonSet container. A DaemonSet is a special type of Pod which is logically guaranteed to run on each Kubernetes node. This kind of agent will have access only to its container, so we should mount volumes used by other containers to monitor logs, files, etc.

Has there been any progress on this? Seems to be a requirement for my team rather than installing the agent on the host. Any help or advice would be appreciated.

Thanks!

jesuslinares commented 5 years ago

Hi @nshenry03 ,

I didn't have the chance to implement and test it, but it should not be complicated.

Usually, we install the Wazuh agent in the Docker host, so it is able to access logs from other containers, run commands, use the Docker wodle, etc. If you install the Wazuh agent in a container (using a DaemonSet), you need to grant access from that pod to the things you want to monitor. So, the real challenge is how to configure or improve the Wazuh agent to be more powerful in container environments. That is the part that we are researching. Any feedback is welcome.

This is a related issue in the Wazuh mailing list: https://groups.google.com/forum/#!topic/wazuh/tlFKymhOm_Q.

I hope it helps.

lshahar commented 5 years ago

Is there any ETA for releasing the DaemonSet / Docker image for testing? I would like to use it :+1:

chowmean commented 4 years ago

Hi @jesuslinares and @nshenry03, I would like to take this forward. Would you be able to share the knowledge or the track that you have decided on? I will try to take this forward from there.

konangc87 commented 3 years ago

@jesuslinares, @Dwordcito Another user asked when support for monitoring/collecting info using an agent as a DaemonSet will be available. Here's the Slack link: https://wazuh.slack.com/archives/C0A933R8E/p1606837317137900 and the user's question: "I launched a wazuh agent as daemonset in kubernetes. If I understand correctly, then there is no way to collect information about the system’s packages/osts and send reports on OS HOST, right? Is there any plan to make such support in future versions?" Do we have any update on this? Thanks

pyToshka commented 3 years ago

You can check my example of a DaemonSet for the agent: https://github.com/pyToshka/docker-wazuh-agent/blob/main/wazuh-daemonset.yaml

cakhanif commented 3 years ago

Hi @pyToshka, does this work?

pyToshka commented 3 years ago

@cakhanif yes it is

Umair841 commented 3 years ago

Hey guys! I have deployed the Wazuh DaemonSet and it is working successfully, but in my manager alerts I am only getting events/logs for start/stop and exec logs. How can I get every bit of log from the container, for example "installing any package or executing any command in container"? Here is my Wazuh DaemonSet file:

```yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wazuh-daemonset
  namespace: default
  labels:
    k8s-app: wazuh-daemonset
spec:
  selector:
    matchLabels:
      name: wazuh-daemonset
  template:
    metadata:
      labels:
        name: wazuh-daemonset
    spec:
      tolerations:
      # this toleration is to have the daemonset runnable on master nodes
      # remove it if your masters can't run pods
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: wazuh-daemonset
        image: <my-Custom-Image>
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 200Mi
        volumeMounts:
        - name: docker
          mountPath: /var/run/docker.sock
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
        - mountPath: /var/run
          name: var-run
        - mountPath: /host/dev
          name: dev
        - mountPath: /host/sys
          name: sys
          readOnly: true
        - mountPath: /host/proc
          name: proc
          readOnly: true
        - mountPath: /host/etc
          name: etc
          readOnly: true
        - mountPath: /host/boot
          name: boot
          readOnly: true
        - mountPath: /host/usr
          name: usr
          readOnly: true
        - mountPath: /host/lib/modules
          name: modules
          readOnly: true
        - mountPath: /host/var/log
          name: log
          readOnly: true
      terminationGracePeriodSeconds: 5
      volumes:
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: docker
        hostPath:
          path: /var/run/docker.sock
      - name: var-run
        hostPath:
          path: /var/run
      - name: dev
        hostPath:
          path: /dev
      - name: sys
        hostPath:
          path: /sys
      - name: proc
        hostPath:
          path: /proc
      - name: etc
        hostPath:
          path: /etc
      - name: boot
        hostPath:
          path: /boot
      - name: usr
        hostPath:
          path: /usr
      - name: modules
        hostPath:
          path: /lib/modules
      - name: log
        hostPath:
          path: /var/log
```

rucciva commented 1 year ago

Hi all, I just want to share my version of the Wazuh agent as a DaemonSet, which needs to share the host network, IPC, and PID, and is chrooted to the mounted root of the host so that all the default rules reference the actual host files (not the container's files), with minimal changes to the host dir (create the wazuh user if it does not exist and modify the /var/ossec dir). https://github.com/TelkomIndonesia/wazuh-agent-docker/blob/master/wazuh-daemonset.yaml. Any feedback is welcome.
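
Added example, not written by any commenter in this thread or by the Wazuh project: a small audit of the host access a DaemonSet pod spec requests, covering the hostPath mounts in the manifest posted above and the host network/IPC/PID sharing described in the last comment. It assumes the pod spec is supplied in Kubernetes' JSON form (`spec.template.spec`); `audit_pod_spec`, the finding labels and `SAMPLE_SPEC` are names made up for this example.

```python
"""Audit a DaemonSet pod spec (JSON form of spec.template.spec) for host-level access."""

# Runtime sockets: a readOnly mount does not restrict API calls made over the socket.
RUNTIME_SOCKETS = ("docker.sock", "containerd.sock", "crio.sock")
HOST_NAMESPACES = ("hostNetwork", "hostPID", "hostIPC")

def audit_pod_spec(pod_spec):
    """Return a sorted list of (kind, detail) findings for a pod spec dict."""
    findings = {("host-namespace", f) for f in HOST_NAMESPACES if pod_spec.get(f)}
    # Map volume name -> host path, for hostPath volumes only.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod_spec.get("volumes", []) if "hostPath" in v}
    for c in pod_spec.get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.add(("privileged", c["name"]))
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is None:
                continue  # not backed by a hostPath volume
            if path.endswith(RUNTIME_SOCKETS):
                findings.add(("runtime-socket", path))
            elif not m.get("readOnly", False):
                findings.add(("writable-hostpath", path))
    return sorted(findings)

# Constructed sample: a subset of the mounts from the manifest posted in this thread.
SAMPLE_SPEC = {
    "containers": [{
        "name": "wazuh-daemonset",
        "volumeMounts": [
            {"name": "docker", "mountPath": "/var/run/docker.sock"},
            {"name": "var-run", "mountPath": "/var/run"},
            {"name": "dev", "mountPath": "/host/dev"},
            {"name": "etc", "mountPath": "/host/etc", "readOnly": True},
        ],
    }],
    "volumes": [
        {"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}},
        {"name": "var-run", "hostPath": {"path": "/var/run"}},
        {"name": "dev", "hostPath": {"path": "/dev"}},
        {"name": "etc", "hostPath": {"path": "/etc"}},
    ],
}

if __name__ == "__main__":
    for kind, detail in audit_pod_spec(SAMPLE_SPEC):
        print(f"{kind}: {detail}")
```

The dict it expects is what `kubectl get daemonset <name> -o json` returns under `spec.template.spec`.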