How to audit commands run by a user inside a container in K8s


Question


I want to audit commands that are being run by a user inside a running pod.

I know that kube-apiserver supports audit policies that allow you to log every request that is made to the API, but as far as I know the API audit only records the exec command and not the inner commands run afterwards.

An approach that I thought of is to have a sidecar container with auditbeat running, but it's too heavy and the user might be able to kill it.
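Added example, not part of the question or the answer: a kube-apiserver audit policy that records the `pods/exec` and `pods/attach` requests the question refers to. Field names are from the `audit.k8s.io/v1` API; the flag names in the note below are the kube-apiserver ones.

```yaml
# Added example (not from the original question or answer): an audit Policy
# for kube-apiserver that records who opened an exec/attach session on which
# pod. The audit event's requestURI carries the container= and command=
# query parameters of `kubectl exec`, so the initial command is logged; the
# commands typed into the resulting shell afterwards are not, which is the
# limitation the question describes.
apiVersion: audit.k8s.io/v1
kind: Policy
# Skip the RequestReceived stage so each request yields one event, not two.
omitStages:
  - "RequestReceived"
rules:
  # Most verbose level for session-opening requests; for exec the useful
  # fields (user, sourceIPs, objectRef, requestURI) are present at every level.
  - level: RequestResponse
    resources:
      - group: ""
        resources: ["pods/exec", "pods/attach"]
  # Port-forward sessions: user, verb, object and timestamp are enough.
  - level: Metadata
    resources:
      - group: ""
        resources: ["pods/portforward"]
  # Everything else at Metadata level to keep log volume manageable.
  - level: Metadata
```

Pass the file to kube-apiserver with `--audit-policy-file` and write events with `--audit-log-path` (or ship them with `--audit-webhook-config-file`); an alert on events whose `objectRef.subresource` is `exec` then covers every shell opened through the API.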

Solution

The container should run a single process inside. It is not recommended to run a command inside a container, except for testing. Most of our images don't have any type of shell.

If you have to spawn a shell and run a command inside, then you need to think about whether it is possible to run that outside the container. If the main process is terminated but your shell commands are running in a container, then k8s might not terminate that pod and recreate a new pod, which might impact HA.
