Running Auditbeat on Kubernetes
editRunning Auditbeat on Kubernetes
editAuditbeat Docker images can be used on Kubernetes to check files integrity.
Running Elastic Cloud on Kubernetes? See Run Beats on ECK.
However, version 9.0.0-beta1 of Auditbeat has not yet been released, so no Docker image is currently available for this version.
Kubernetes deploy manifests
editBy deploying Auditbeat as a DaemonSet we ensure we get a running instance on each node of the cluster.
Everything is deployed under kube-system
namespace, you can change that by
updating the YAML file.
To get the manifests just run:
curl -L -O https://raw.githubusercontent.com/elastic/beats/master/deploy/kubernetes/auditbeat-kubernetes.yaml
If you are using Kubernetes 1.7 or earlier: Auditbeat uses a hostPath volume to persist internal data, it’s located
under /var/lib/auditbeat-data. The manifest uses folder autocreation (DirectoryOrCreate
), which was introduced in
Kubernetes 1.8. You will need to remove type: DirectoryOrCreate
from the manifest and create the host folder yourself.
Settings
editSome parameters are exposed in the manifest to configure logs destination, by default they will use an existing Elasticsearch deploy if it’s present, but you may want to change that behavior, so just edit the YAML file and modify them:
- name: ELASTICSEARCH_HOST value: elasticsearch - name: ELASTICSEARCH_PORT value: "9200" - name: ELASTICSEARCH_USERNAME value: elastic - name: ELASTICSEARCH_PASSWORD value: changeme
Running Auditbeat on control plane nodes
editKubernetes control plane nodes can use taints to limit the workloads that can run on them. To run Auditbeat on control plane nodes you may need to update the Daemonset spec to include proper tolerations:
spec: tolerations: - key: node-role.kubernetes.io/control-plane effect: NoSchedule
Deploy
editTo deploy Auditbeat to Kubernetes just run:
kubectl create -f auditbeat-kubernetes.yaml
Then you should be able to check the status by running:
$ kubectl --namespace=kube-system get ds/auditbeat NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE-SELECTOR AGE auditbeat 32 32 0 32 0 <none> 1m
Auditbeat is able to monitor the file integrity of files in pods,
to do that, the directories with the container root file systems have to be
mounted as volumes in the Auditbeat container. For example, containers
executed with containerd have their root file systems under /run/containerd
.
The reference manifest contains an example of this.