kube-forensics allows a cluster administrator to dump the current state of a running pod and all of its containers so that security professionals can perform off-line forensic analysis.
In the event of a security breach, members of the security team need to examine the state of the Pod and perform a detailed forensic analysis to determine the mode of attack. However, the business would like to terminate the Pod and restore processing as quickly as possible. kube-forensics was created to allow a cluster administrator to dump the state of a running Pod for off-line analysis.
The forensics controller manager handles a PodCheckpoint custom resource definition (CRD). The PodCheckpoint resource runs a Kubernetes Job on the same node as the target pod and performs the equivalent of the following procedure on the indicated pod/containers:
docker inspect
docker diff
docker export
Additionally, it collects some metadata about the target pod. The output is uploaded to the target storage.
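To make the mechanism above concrete, here is an added example (not kube-forensics' own code) of how a controller can turn a PodCheckpoint spec plus the target pod object into a Job pinned to the pod's node that runs docker inspect/diff/export for every container and writes the pod metadata next to the dumps. The pod and spec objects are constructed samples in the shape of `kubectl get pod -o json`; the worker image name, the `/out` directory, the `upload-tool` command and the hostPath mount of the Docker socket are assumptions, since the page does not show the project's Job manifest or uploader.

```python
"""Build the node-pinned forensics Job that a PodCheckpoint implies.

Added example, not kube-forensics' own code. It assumes a worker image that has a
docker CLI, mounts the node's Docker socket, and uploads /out with a hypothetical
`upload-tool` command to the destination named in the PodCheckpoint spec.
"""
import json
import shlex

# Constructed sample: the parts of `kubectl get pod -o json` the builder needs.
SAMPLE_POD = {
    "metadata": {"name": "bad-pod-1234567890-dead1", "namespace": "default",
                 "uid": "0f1e2d3c-0000-4000-8000-000000000001"},
    "spec": {"nodeName": "ip-10-0-1-23.us-west-2.compute.internal"},
    "status": {"containerStatuses": [
        {"name": "app", "containerID": "docker://abc123def456"},
        {"name": "sidecar", "containerID": "docker://0011223344"},
    ]},
}

# Constructed sample mirroring the PodCheckpoint spec on this page.
SAMPLE_SPEC = {
    "destination": "cosmosDB://my-bucket-123456789000-us-west-2",
    "subpath": "forensics",
    "pod": "bad-pod-1234567890-dead1",
    "namespace": "default",
}


def container_ids(pod):
    """Return {container name: runtime id} for every container that has a docker id.

    Containers still pulling their image (or on a non-docker runtime) have no
    `docker://` id; they are skipped rather than producing an empty `docker inspect`.
    """
    ids = {}
    for cs in pod.get("status", {}).get("containerStatuses", []):
        cid = cs.get("containerID", "")
        if cid.startswith("docker://"):
            ids[cs["name"]] = cid[len("docker://"):]
    return ids


def checkpoint_script(pod, spec):
    """Shell script the Job runs: inspect/diff/export each container, plus pod metadata."""
    ids = container_ids(pod)
    if not ids:
        raise ValueError("pod has no running docker containers to checkpoint")
    out = "/out"  # hypothetical scratch directory inside the worker container
    lines = ["set -eu", f"mkdir -p {out}"]
    # Pod metadata, as the controller collects it, is written alongside the dumps.
    meta = shlex.quote(json.dumps(pod["metadata"]))
    lines.append(f"printf '%s' {meta} > {out}/pod-metadata.json")
    for name, cid in ids.items():
        q = shlex.quote(cid)
        lines += [
            f"docker inspect {q} > {out}/{name}.inspect.json",
            f"docker diff {q} > {out}/{name}.diff.txt",
            f"docker export {q} | gzip > {out}/{name}.export.tar.gz",
        ]
    # Upload to <destination>/<subpath>/<pod uid>; `upload-tool` is a placeholder.
    dest = f"{spec['destination'].rstrip('/')}/{spec['subpath']}/{pod['metadata']['uid']}"
    lines.append(f"upload-tool copy {out} {shlex.quote(dest)}")
    return "\n".join(lines)


def build_checkpoint_job(pod, spec):
    """Job manifest pinned to the pod's node via spec.nodeName, with the Docker socket mounted."""
    node = pod["spec"].get("nodeName")
    if not node:
        raise ValueError("target pod is not scheduled; there is no node to run the Job on")
    if pod["metadata"]["name"] != spec["pod"] or pod["metadata"]["namespace"] != spec["namespace"]:
        raise ValueError("pod object does not match the PodCheckpoint spec")
    return {
        "apiVersion": "batch/v1",
        "kind": "Job",
        "metadata": {"name": f"checkpoint-{spec['pod']}", "namespace": "forensics-system"},
        "spec": {
            "backoffLimit": 0,              # a retry would re-export a changed filesystem
            "ttlSecondsAfterFinished": 3600,
            "template": {"spec": {
                "nodeName": node,           # same node as the target pod
                "restartPolicy": "Never",
                "containers": [{
                    "name": "checkpoint",
                    "image": "example.invalid/forensics-worker:latest",  # placeholder image
                    "command": ["/bin/sh", "-c", checkpoint_script(pod, spec)],
                    "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
                }],
                "volumes": [{"name": "dockersock",
                             "hostPath": {"path": "/var/run/docker.sock", "type": "Socket"}}],
            }},
        },
    }


if __name__ == "__main__":
    print(json.dumps(build_checkpoint_job(SAMPLE_POD, SAMPLE_SPEC), indent=2))
```

Pinning with `nodeName` rather than a node selector matters here: the docker socket on any other node would not know the target containers, so a mis-scheduled Job would fail (or, worse, export the wrong workload). `backoffLimit: 0` keeps a failed attempt from silently re-exporting a filesystem that has changed since the first try.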
You must have cluster administrator access to deploy kube-forensics to a running cluster.
Ensure your KUBECONFIG and current context correctly point to the desired cluster.
Check out the kube-forensics repository
Change directory into the root of the repository
Run make deploy
For instance:
$ cd kube-forensics
$ make deploy
Once the kube-forensics controller is installed, a PodCheckpoint spec can be submitted for processing.
Save the following YAML to testing.yaml and modify the destination, pod and namespace to valid values for your cluster.
apiVersion: forensics.keikoproj.io/v1alpha1
kind: PodCheckpoint
metadata:
  name: podcheckpoint-sample
  namespace: forensics-system
spec:
  destination: cosmosDB://my-bucket-123456789000-us-west-2
  subpath: forensics
  pod: bad-pod-1234567890-dead1
  namespace: default
Submit and Verify:
$ kubectl apply -f ./config/samples/forensics_v1alpha1_podcheckpoint.yaml
podcheckpoint.forensics.keikoproj.io/podcheckpoint-sample created
$ kubectl get -n forensics-system PodCheckpoint
NAME                   AGE
podcheckpoint-sample   33s
Check the state of the PodCheckpoint:
$ kubectl describe PodCheckpoint -n forensics-system podcheckpoint-sample
Name:         podcheckpoint-sample
Namespace:    forensics-system
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"forensics.keikoproj.io/v1alpha1","kind":"PodCheckpoint","metadata":{"annotations":{},"name":"podcheckpoint-sample","namespac...
API Version:  forensics.keikoproj.io/v1alpha1
Kind:         PodCheckpoint
Metadata:
  Creation Timestamp:  2023-08-14T23:19:13Z
  Generation:          2
  Resource Version:    595318
  Self Link:           /apis/forensics.keikoproj.io/v1alpha1/namespaces/forensics-system/podcheckpoints/podcheckpoint-sample
  UID:                 edbe3bd6-bee9-11e9-a5c6-0afa5b77e74c
Spec:
  Destination:  <Storage path>
  Namespace:    default
  Pod:          bad-pod-1234567890-dead1
  Subpath:      forensics
Status:
  Completion Time:  2023-08-14T23:19:13Z
  Conditions:
    Last Probe Time:       2023-08-14T23:19:13Z
    Last Transition Time:  2023-08-14T23:19:13Z
    Message:               The specified Pod 'bad-pod-1234567890-dead1' was found in the 'default' namespace.
    Reason:                Found
    Status:                True
    Type:                  True
  Start Time:  2023-08-14T23:19:13Z
Events:  <none>
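Reading the describe output by eye does not scale when a checkpoint is taken under incident pressure, so here is an added example (not part of kube-forensics) that scripts the check: it reads the same Status fields shown above, classifies the PodCheckpoint as pending, running, done or failed, and polls until it settles. The sample object is constructed to mirror the describe output on this page; the camelCase field names (`startTime`, `completionTime`, `conditions[].status`) are an assumption about how `kubectl get podcheckpoint -o json` would serialize them, and `fetch` stands in for that kubectl call so the logic runs offline. Only a condition with `status: "False"` is treated as failure, since the page shows no other condition types or reasons than `Found`.

```python
"""Poll a PodCheckpoint until it completes or fails.

Added example, not kube-forensics' own code. `fetch` is any zero-argument callable
returning the PodCheckpoint object as a dict (for example, json.loads of
`kubectl get podcheckpoint -n forensics-system podcheckpoint-sample -o json`).
"""
import time

# Constructed sample in the shape of `kubectl get -o json`, mirroring the
# `kubectl describe` output on this page (field names are an assumption).
SAMPLE_DONE = {
    "metadata": {"name": "podcheckpoint-sample", "namespace": "forensics-system"},
    "status": {
        "startTime": "2023-08-14T23:19:13Z",
        "completionTime": "2023-08-14T23:19:13Z",
        "conditions": [{
            "lastProbeTime": "2023-08-14T23:19:13Z",
            "lastTransitionTime": "2023-08-14T23:19:13Z",
            "message": "The specified Pod 'bad-pod-1234567890-dead1' was found in the 'default' namespace.",
            "reason": "Found",
            "status": "True",
            "type": "True",
        }],
    },
}


def checkpoint_state(obj):
    """Classify a PodCheckpoint object. Returns (state, message).

    state is one of 'pending', 'running', 'done', 'failed'. A condition whose
    status is "False" (e.g. the target pod could not be found) is a failure and
    ends the wait; a missing status block means the controller has not acted yet.
    """
    status = obj.get("status") or {}
    for cond in status.get("conditions") or []:
        if cond.get("status") == "False":
            return "failed", cond.get("message") or cond.get("reason") or "unknown"
    if status.get("completionTime"):
        return "done", None
    if status.get("startTime"):
        return "running", None
    return "pending", None


def wait_for_checkpoint(fetch, timeout_s=300, interval_s=5, sleep=time.sleep):
    """Poll fetch() until the checkpoint is done or failed. Returns (state, message, polls).

    `sleep` is injectable so the wait can be exercised without real delays.
    """
    polls = 0
    max_polls = max(1, timeout_s // interval_s)
    while polls < max_polls:
        polls += 1
        state, message = checkpoint_state(fetch())
        if state in ("done", "failed"):
            return state, message, polls
        sleep(interval_s)
    return "timeout", None, polls


if __name__ == "__main__":
    # Stand-alone demo against the constructed sample; in practice pass a kubectl wrapper.
    print(wait_for_checkpoint(lambda: SAMPLE_DONE))
```

Once the state is `done`, the dump is in the destination storage and the compromised pod can be deleted; a `failed` state with the condition's message (for example a pod name typo, since the controller reports whether the pod was found) is the cue to correct the spec and resubmit rather than to delete the pod.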