Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/aquasecurity/kube-query
[EXPERIMENTAL] Extend osquery to report on Kubernetes
https://github.com/aquasecurity/kube-query
osquery
Last synced: 3 months ago
JSON representation
[EXPERIMENTAL] Extend osquery to report on Kubernetes
- Host: GitHub
- URL: https://github.com/aquasecurity/kube-query
- Owner: aquasecurity
- License: apache-2.0
- Created: 2019-07-31T15:01:02.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2021-03-04T22:14:31.000Z (over 3 years ago)
- Last Synced: 2024-06-18T21:46:23.073Z (5 months ago)
- Topics: osquery
- Language: Go
- Homepage:
- Size: 14.5 MB
- Stars: 222
- Watchers: 11
- Forks: 16
- Open Issues: 10
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-repositories - aquasecurity/kube-query - [EXPERIMENTAL] Extend osquery to report on Kubernetes (Go)
README
# kube-query
kube-query is an extension for [osquery](https://osquery.io), letting you visualize your cluster using sql queries.
Deployment
===
### Prerequisites
#### Go v1.12+
### build
```bash
$ export GO111MODULE=on
$ go build kube-query.go
```
## Running kube-query
**When running kube-query, you should always pass the `-kubeconfig` flag, specifying the path to your kubeconfig file.**
## osqueryi
When using the [osqueryi tool](https://osquery.readthedocs.io/en/stable/introduction/using-osqueryi/) you can easily register kube-query by passing the -socket parameter to kube-query on another process. For example:
`./kube-query -socket="/path/to/osquery/socket" -kubeconfig="/path/to/kubeconfig.yml"`
One way to get the path to the osquery socket is like this:
```
osqueryi --nodisable_extensions
osquery> select value from osquery_flags where name = 'extensions_socket';
+-----------------------------------+
| value |
+-----------------------------------+
| /Users/USERNAME/.osquery/shell.em |
+-----------------------------------+
```
There are many other options to automatically [register extensions](https://osquery.readthedocs.io/en/stable/deployment/extensions/).
###
Example Queries
===
```sql
# query all kube-system pods
SELECT * FROM kubernetes_pods WHERE namespace="kube-system";
# query all containers created by kubernetes
SELECT * FROM kubernetes_containers;
# query all pods that runs with a privileged container
SELECT *
FROM kubernetes_containers
JOIN kubernetes_pods
ON kubernetes_containers.pod_uid=kubernetes_pods.uid
WHERE privileged="True";
```