I'm trying to run sysdig on my local kubernetes cluster which I'm running using minikube with kvm2 as the vm-driver. I'm new to sysdig and wanted to find the system calls run by by a pod.
The command I ran is:
sudo sysdig k8s.ns.name=default or k8s.pod.name=algorithm
The pods were running (I checked) but no system calls got trough.
I checked with with the kubectl describe command if the namespace was correct; which it is. So I'm not sure where this is going wrong. It might be that sysdig doesn't find anything because minikube is using the aforementioned VM. If that is the case, I'm not sure how to run sysdig inside it.
Thanks in advance
If you setup the Sysdig correctly Kubernetes Audit Logging should work.
Sysdig Secure allows users to create Falco security rules based on a stream of Kubernetes audit events, integrating Kubernetes audit logging with the Sysdig Agent. This allows users to track changes made to the cluster, including:
- Creation and destruction of pods, services, deployments, daemonsets, etc.
- Creating/updating/removing config maps or secrets
- Attempts to subscribe to changes to any endpoint
Docs states that Sysdig supports Minikube from 0.33.1 and later, using default Virtualbox driver.
To enable audit logging in Minikube you need to:
Clone / download the repository: https://github.com/draios/sysdig-cloud-scripts.
The repository contains the following relevant files:
k8s_audit_config/audit-policy.yaml
For more information on configuring the audit events passed to the agent, refer to the Kubernetes documentation.
k8s_audit_config/[webhook-config.yaml.in](http://webhook-config.yaml.in/)
k8s_audit_config/enable-k8s-audit.sh
Run the following command in the
sysdig-cloud-scripts/k8s_audit_config
directory to enter the necessary values to the[webhook-config.yaml.in](http://webhook-config.yaml.in/)
file:
AGENT_SERVICE_CLUSTERIP=$(kubectl get service sysdig-agent -o=jsonpath={.spec.clusterIP}) envsubst < webhook-config.yaml.in > webhook-config.yaml
Run the
enable-k8s.sh
script to enable audit log support on the apiserver:
bash ./enable-k8s-audit.sh minikube