How to audit commands run by a user inside a container in K8s
Problem description
I want to audit commands that are being run by a user inside a running pod.
I know that kube-apiserver supports audit policies that allow you to log every request made to the API, but as far as I know the API audit only records the exec command and not the inner commands run afterwards.
An approach that I thought of is to have a sidecar container with auditbeat running, but it's too heavy and the user might be able to kill it.
Answer
The container should run a single process inside. It is not recommended to run a command inside a container, except for testing. Most of our images don't have any type of shell.
If you have to spawn a shell and run a command inside, then you need to think about whether it is possible to run that outside the container. If the main process is terminated but your shell commands are running in the container, then k8s might not terminate that pod and recreate a new one, which might impact HA.
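Added example (not part of the question or the answer above) showing what the kube-apiserver audit log actually captures for `kubectl exec`, and therefore where the blind spot the question describes sits. It assumes an audit policy that records `pods/exec` and `pods/attach` at `RequestResponse` level (kept in the block as a string constant for reference) and an audit log written as JSON lines; the sample events, the namespace `prod`, the pod `api-7d9f8b6c4-x2k9q`, the container `api` and the user `alice@example.com` are all constructed for this example. The script recovers the exec'd command from the repeated `command=` query parameters of `requestURI` (kubectl sends it there, not in the request body), de-duplicates the `ResponseStarted`/`ResponseComplete` pair that a streaming exec produces, and flags execs that start an interactive shell, because nothing typed into that shell ever reaches the apiserver.

```python
"""Pull the exec'd command out of kube-apiserver audit events.

Added example, not code from the original question or answer. It assumes
the policy in AUDIT_POLICY_YAML is installed on the kube-apiserver and that
the audit log is JSON lines; the sample events below are constructed to
look like real audit events and were not captured from a cluster.
"""
import json
import os
from urllib.parse import parse_qs, urlsplit

# Assumed policy: exec/attach requests (whose query string carries the
# command) at RequestResponse level, everything else as Metadata.
# RequestReceived is omitted so each request is not logged twice more.
AUDIT_POLICY_YAML = """\
apiVersion: audit.k8s.io/v1
kind: Policy
omitStages:
  - RequestReceived
rules:
  - level: RequestResponse
    verbs: ["create"]
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach"]
  - level: Metadata
"""

# If the exec'd binary is a shell and no `-c` script is given, the audit log
# shows only that a shell was opened; what the user types inside it never
# reaches the apiserver. This is the blind spot the question describes.
SHELL_BINARIES = {"sh", "bash", "ash", "dash", "zsh", "ksh", "fish"}


def is_interactive_shell(command):
    """True when `command` starts a shell without a `-c` script argument."""
    if not command:
        return False
    return os.path.basename(command[0]) in SHELL_BINARIES and "-c" not in command[1:]


def parse_exec_event(line):
    """Summarise one exec/attach audit event; return None for anything else."""
    event = json.loads(line)
    ref = event.get("objectRef") or {}
    if event.get("verb") != "create" or ref.get("subresource") not in ("exec", "attach"):
        return None
    # kubectl passes the command as repeated `command=` query parameters,
    # so it has to be recovered from requestURI rather than the request body.
    query = parse_qs(urlsplit(event.get("requestURI", "")).query)
    command = query.get("command", [])
    return {
        "audit_id": event.get("auditID"),
        "stage": event.get("stage"),
        "user": (event.get("user") or {}).get("username"),
        "namespace": ref.get("namespace"),
        "pod": ref.get("name"),
        "container": query.get("container", [None])[0],
        "subresource": ref["subresource"],
        "command": command,
        "interactive_shell": is_interactive_shell(command),
    }


def exec_commands(lines):
    """All exec/attach requests in `lines`, one entry per auditID.

    A streaming exec is logged at ResponseStarted and again at
    ResponseComplete with the same auditID; the first occurrence is kept.
    """
    seen, results = set(), []
    for line in lines:
        summary = parse_exec_event(line)
        if summary is None or summary["audit_id"] in seen:
            continue
        seen.add(summary["audit_id"])
        results.append(summary)
    return results


# Constructed sample events (not real logs): an interactive shell logged at
# two stages, a one-shot command, and an unrelated list request.
_POD = "/api/v1/namespaces/prod/pods/api-7d9f8b6c4-x2k9q"
_REF = {"resource": "pods", "namespace": "prod", "name": "api-7d9f8b6c4-x2k9q"}
_USER = {"username": "alice@example.com"}
_SAMPLE_EVENTS = [
    {"auditID": "1b2c", "stage": "ResponseStarted", "verb": "create", "user": _USER,
     "requestURI": _POD + "/exec?command=%2Fbin%2Fsh&container=api&stdin=true&stdout=true&tty=true",
     "objectRef": dict(_REF, subresource="exec")},
    {"auditID": "1b2c", "stage": "ResponseComplete", "verb": "create", "user": _USER,
     "requestURI": _POD + "/exec?command=%2Fbin%2Fsh&container=api&stdin=true&stdout=true&tty=true",
     "objectRef": dict(_REF, subresource="exec")},
    {"auditID": "3d4e", "stage": "ResponseComplete", "verb": "create", "user": _USER,
     "requestURI": _POD + "/exec?command=cat&command=%2Fetc%2Fpasswd&container=api&stdout=true",
     "objectRef": dict(_REF, subresource="exec")},
    {"auditID": "5f6a", "stage": "ResponseComplete", "verb": "list", "user": _USER,
     "requestURI": "/api/v1/namespaces/prod/pods",
     "objectRef": {"resource": "pods", "namespace": "prod"}},
]
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in _SAMPLE_EVENTS]


if __name__ == "__main__":
    for e in exec_commands(SAMPLE_AUDIT_LINES):
        note = "  <-- interactive shell: inner commands are not audited" if e["interactive_shell"] else ""
        print(f'{e["user"]} {e["subresource"]} {e["namespace"]}/{e["pod"]} '
              f'[{e["container"]}] {" ".join(e["command"])}{note}')
```

Running the file prints one line per exec request; the `interactive_shell` flag is what a detection rule would key on. The exec of `cat /etc/passwd` is fully recorded, whereas the exec of `/bin/sh` with a TTY records only that a shell was opened, and recording what happens inside it needs something on the node (such as auditd or a kernel-level sensor) rather than the apiserver, which is why the answer above argues against spawning the shell at all.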