Running Auditbeat on Kubernetes

edit

Auditbeat Docker images can be used on Kubernetes to check files integrity.

Running Elastic Cloud on Kubernetes? See Run Beats on ECK.

Kubernetes deploy manifests

edit

By deploying Auditbeat as a DaemonSet we ensure we get a running instance on each node of the cluster.

Everything is deployed under kube-system namespace, you can change that by updating the YAML file.

To get the manifests just run:

curl -L -O https://raw.githubusercontent.com/elastic/beats/8.17/deploy/kubernetes/auditbeat-kubernetes.yaml

If you are using Kubernetes 1.7 or earlier: Auditbeat uses a hostPath volume to persist internal data, it’s located under /var/lib/auditbeat-data. The manifest uses folder autocreation (DirectoryOrCreate), which was introduced in Kubernetes 1.8. You will need to remove type: DirectoryOrCreate from the manifest and create the host folder yourself.

Settings

edit

Some parameters are exposed in the manifest to configure logs destination, by default they will use an existing Elasticsearch deploy if it’s present, but you may want to change that behavior, so just edit the YAML file and modify them:

- name: ELASTICSEARCH_HOST
  value: elasticsearch
- name: ELASTICSEARCH_PORT
  value: "9200"
- name: ELASTICSEARCH_USERNAME
  value: elastic
- name: ELASTICSEARCH_PASSWORD
  value: changeme
Running Auditbeat on control plane nodes
edit

Kubernetes control plane nodes can use taints to limit the workloads that can run on them. To run Auditbeat on control plane nodes you may need to update the Daemonset spec to include proper tolerations:

spec:
 tolerations:
 - key: node-role.kubernetes.io/control-plane
   effect: NoSchedule

Deploy

edit

To deploy Auditbeat to Kubernetes just run:

kubectl create -f auditbeat-kubernetes.yaml

Then you should be able to check the status by running:

$ kubectl --namespace=kube-system get ds/auditbeat

NAME       DESIRED   CURRENT   READY     UP-TO-DATE   AVAILABLE   NODE-SELECTOR   AGE
auditbeat   32        32        0         32           0           <none>          1m

Auditbeat is able to monitor the file integrity of files in pods, to do that, the directories with the container root file systems have to be mounted as volumes in the Auditbeat container. For example, containers executed with containerd have their root file systems under /run/containerd. The reference manifest contains an example of this.