KSOC kubectl Guide

Kubernetes administrators can interact with KSOC within the cluster via kubectl.

KSOC Pod Logs

kubectl get pods

KSOC has four pods in each cluster in the namespace ksoc.

To list all the pods, run the command below.

kubectl get pods -n ksoc  

Example output:

kubectl get pods -n ksoc  
NAME                          READY   STATUS    RESTARTS        AGE  
ksoc-guard-67d494846c-r25nx   2/2     Running   0               5d18h  
ksoc-sbom-59b6b5477d-682q8    2/2     Running   1 (4d10h ago)   5d18h  
ksoc-sync-7d4968bf6-8hhls     1/1     Running   0               5d18h

kubectl logs {ksocPodName}

To view the logs for a pod, substitute the full pod name for {ksocPodFullName} and the container name (for example, ksoc-guard) for {ksocPodName} in the command below.

kubectl logs {ksocPodFullName} -n ksoc -c {ksocPodName}

Example output:

kubectl logs ksoc-guard-67d494846c-r25nx -n ksoc -c ksoc-guard
{"level":"info","app_name":"ksoc-guard","commit":"f397f2badc2fa406a6c2542d5c4d2a68713f0a44","version":"0.0.51","health-probe-port":8001,"metrics-port":8080,"webhook-port":9443,"time":"2022-12-07T23:00:02Z","message":"starting service"}
{"level":"info","app_name":"ksoc-guard","heartbeat_type":"guard","instance":"ksoc-guard-67d494846c-r25nx","metrics_namespace_prefix":"ksoc_guard","time":"2022-12-07T23:00:03Z","message":"Starting heartbeats sender"}
{"level":"warn","app_name":"ksoc-guard","error":"[POST /heartbeats][403] PostHeartbeats default  &{Code: RequestID: Status:0}","time":"2022-12-12T11:50:13Z","message":"Failed to send heartbeat"}

KSOC Guard Policies

kubectl get GuardPolicy

List all the KSOC guard policies in the cluster with the command below.

kubectl get GuardPolicy --all-namespaces

Example output:

kubectl get GuardPolicy --all-namespaces
NAMESPACE   NAME                                                    AGE
ksoc        policy-0a09756c-e04f-491e-a7d6-93d14418549a             12d
ksoc        policy-0c0704d5-fbdd-43de-a076-4b5c17a6d634             12d
ksoc        policy-10b2aed2-e635-42bd-a64c-bb3384d410d5             12d
ksoc        policy-1d602b98-d48d-4d78-a83b-6bd7918c6a06             12d
ksoc        policy-28ef6ecb-fab3-495f-9d71-e7891c6f54b0             12d
ksoc        policy-3505c297-742d-40d4-a484-a4e5621a06ce             12d
ksoc        policy-36aaab10-7df9-492e-b517-4012e105cedc             12d
ksoc        policy-36d8d4c9-c28e-4a67-a7cd-7086c0ec4134             12d
ksoc        policy-37321372-a833-413c-a894-68bdfcccc0fa             12d

You can also look at the content of one or more policies with the command below.

kubectl get GuardPolicy --all-namespaces -o yaml

Example output:

kubectl get GuardPolicy --all-namespaces -o yaml
apiVersion: v1
items:
- apiVersion: ksoc.com/v1alpha1
  kind: GuardPolicy
  metadata:
    annotations:
      ksoc.com/createdBy: ksoc
      ksoc.com/customTemplateID: KSOC-K8S-HOSTPATH-VOLUME
      ksoc.com/policyID: 2IEDTMo4vlACbAvrBaIsqEZIp8h
      ksoc.com/policyRevisionID: 2IEDTLiGN8z5pzir4hXAxBXP2yf
      ksoc.com/tag_category: workload security
      ksoc.com/tag_compliance_list: |-
        '{"nsaHardeningGuideline":"Kubernetes Pod Security",
        "cis-k8s-v1.23-benchmark":"5.2.12",
        "cis-eks-v1.1.0-benchmark":"",
        "cis-aks-v1.1.0-benchmark":"",
        "cis-gke-v1.2.0-benchmark":"",
        "cis-control-v8":"",
        "cis-controls-v8-name":""
        }'
      ksoc.com/tag_status: published
    creationTimestamp: "2022-12-01T18:32:34Z"
    finalizers:
    - guardpolicies.ksoc.com/finalizer
    generation: 1
    name: jack-0a1027d8-6b10-4038-a830-ee194f5b3ddc
    namespace: ksoc
    resourceVersion: "742621"
    uid: f90f426d-6ab4-452e-a2c8-c113709bc4f6
  spec:
    description: |-
      Do not generally admit containers which make use of hostPath volumes.
      Remediation: Containers found with container.volume mount with volume.hostPath set. Avoid the use of containers with hostpath volumes.
    match:
    - apiVersion: apps/v1
      kind: Deployment
    - apiVersion: apps/v1
      kind: Cronjob
    - apiVersion: apps/v1
      kind: ReplicaSet
    - apiVersion: apps/v1
....

kubectl get GuardPolicy {ksocGuardPolicyName}

To view a specific policy, run the command below.

kubectl get GuardPolicy {ksocGuardPolicyName} -n ksoc -o yaml

Example output:

kubectl get GuardPolicy policy-0a09756c-e04f-491e-a7d6-93d14418549a -n ksoc -o yaml
apiVersion: ksoc.com/v1alpha1
kind: GuardPolicy
metadata:
  annotations:
    ksoc.com/createdBy: ksoc
    ksoc.com/customTemplateID: KSOC-K8S-RUNNING-AS-ROOT
    ksoc.com/policyID: 2IEDQMZgocbxUxlCoZgxu42XBGN
    ksoc.com/policyRevisionID: 2IEDQJ7sik86PtW9usWCzcP1vmt
    ksoc.com/tag_category: workload security
    ksoc.com/tag_compliance_list: |-
      '{"nsaHardeningGuideline":"Kubernetes Pod Security",
      "cis-k8s-v1.23-benchmark":"5.2.7",
      "cis-eks-v1.1.0-benchmark":"4.2.6",
      "cis-aks-v1.1.0-benchmark":"4.2.6",
      "cis-gke-v1.2.0-benchmark":"4.2.6",
      "cis-control-v8":"5.4",
      "cis-controls-v8-name":"Restrict Administrator Privileges to Dedicated Administrator Accounts"
      }'
    ksoc.com/tag_status: published
  creationTimestamp: "2022-11-30T18:15:09Z"
  finalizers:
  - guardpolicies.ksoc.com/finalizer
  generation: 1
  name: policy-0a09756c-e04f-491e-a7d6-93d14418549a
  namespace: ksoc
  resourceVersion: "356032"
  uid: 7b058a5d-9995-4d92-9e9c-7cae48abf3ab
spec:
  description: |-
    A workload is running as the root user which typically has excessive permissions on the host operating system. Containers should reduce permissions to only what is necessary and nothing more.
    Remediation: Containers were discovered where securityContext.RunAsNonRoot was not set to true. Set securityContext.RunAsNonRoot to true for all containers.
  match:
  - apiVersion: apps/v1
    kind: Deployment
  - apiVersion: apps/v1
    kind: Cronjob
  - apiVersion: apps/v1
    kind: ReplicaSet
  - apiVersion: apps/v1
    kind: DaemonSet
....
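The ksoc.com/tag_compliance_list annotation shown in both policies is a JSON object wrapped in single quotes, so it needs unwrapping before it can be queried. The following added example (not KSOC's own code; function names are assumptions) summarizes each policy's template, matched kinds and non-empty benchmark IDs from `kubectl get GuardPolicy --all-namespaces -o json` on stdin.

```python
"""Map each GuardPolicy to the benchmark controls in its annotations."""
import json
import sys

PREFIX = "ksoc.com/"

def compliance_map(annotation):
    """Decode tag_compliance_list (single-quoted JSON), dropping empty IDs."""
    text = annotation.strip()
    if len(text) >= 2 and text[0] == text[-1] == "'":
        text = text[1:-1]
    return {k: v for k, v in json.loads(text).items() if v}

def summarize(doc):
    """Accept a List or a single GuardPolicy object as parsed JSON."""
    rows = []
    for item in doc.get("items", [doc]):
        meta = item.get("metadata", {})
        ann = meta.get("annotations", {})
        try:
            controls = compliance_map(ann.get(PREFIX + "tag_compliance_list", "{}"))
        except json.JSONDecodeError:
            controls = None  # malformed annotation: report it rather than hide it
        match = item.get("spec", {}).get("match", [])
        rows.append({
            "name": meta.get("name"),
            "template": ann.get(PREFIX + "customTemplateID"),
            "status": ann.get(PREFIX + "tag_status"),
            "kinds": sorted({m["kind"] for m in match if "kind" in m}),
            "controls": controls,
        })
    return rows

# Constructed sample, abbreviated from the hostPath policy output above.
SAMPLE = {"items": [{
    "metadata": {"name": "jack-0a1027d8-6b10-4038-a830-ee194f5b3ddc", "annotations": {
        "ksoc.com/customTemplateID": "KSOC-K8S-HOSTPATH-VOLUME",
        "ksoc.com/tag_status": "published",
        "ksoc.com/tag_compliance_list": "'" + '{"nsaHardeningGuideline":"Kubernetes Pod Security",\n'
            '"cis-k8s-v1.23-benchmark":"5.2.12",\n"cis-eks-v1.1.0-benchmark":""\n}' + "'",
    }},
    "spec": {"match": [{"apiVersion": "apps/v1", "kind": "Deployment"},
                       {"apiVersion": "apps/v1", "kind": "ReplicaSet"}]},
}]}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for row in summarize(doc):
        print(json.dumps(row))
```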