osquery is a SQL powered operating system instrumentation, monitoring, and analytics tool that exposes an operating system as a relational database. Using SQL, you can run queries to gain the status of your entire infrastructure. What’s cool about osquery is how easy it is to use the SQL query interface. kube-query is an open source reporting tool for Kubernetes that lets you visualize your clusters.
Kube-query is a standalone Go binary file that acts as a broker between your Kubernetes cluster and osquery. Kube-query interfaces with the Kubernetes cluster using the Kubernetes API.
Simple Interfaces Work Best
Say you’re querying all the pods that are running in every namespace, with their associated IP addresses. You can do this with kube-query. A simple query like the one below does the trick:
A similar query using the default Kubernetes command line tool, kubectl, would look something like this:
$ kubectl get pods --all-namespaces -o custom-columns=NAME:.metadata.name,IP:.status.podIP
NAME                                     IP
compose-7b7c5cbbcc-gjwvj                 10.1.0.112
compose-api-dbbf7c5db-b2cjc              192.168.65.3
coredns-5c98db65d4-644wk                 10.1.0.114
coredns-5c98db65d4-nt54b                 10.1.0.113
etcd-docker-desktop                      192.168.65.3
kube-apiserver-docker-desktop            192.168.65.3
kube-controller-manager-docker-desktop   192.168.65.3
kube-proxy-z42fw                         192.168.65.3
kube-scheduler-docker-desktop            192.168.65.3
Kube-query clearly makes it much easier to query and view the status of your cluster than kubectl does.
Where Kube-query truly shines is when you combine information across different types of resources. Because osquery supports SQL-style JOIN, you can easily combine information in a variety of ways.
Combining Multiple Sources
Think of a situation where you want to know if privileged pods are running in your cluster. This can be useful information when you want to evaluate your threat model and limit the presence of privileged pods within a cluster.
If you want to pull information from multiple sources using the kubectl command line tool, you need to run a query that looks like this:
$ kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].image}{"\t"}{..namespace}{"\n"}{end}'
compose-7b7c5cbbcc-gjwvj        docker/kube-compose-controller:v0.4.23   docker
compose-api-dbbf7c5db-b2cjc     docker/kube-compose-api-server:v0.4.23   docker
coredns-5c98db65d4-644wk        k8s.gcr.io/coredns:1.3.1                 kube-system
coredns-5c98db65d4-nt54b        k8s.gcr.io/coredns:1.3.1                 kube-system
etcd-docker-desktop             k8s.gcr.io/etcd:3.3.10                   kube-system
kube-apiserver-docker-desktop   k8s.gcr.io/kube-apiserver:v1.15.5        kube-system
kube-proxy-z42fw                k8s.gcr.io/kube-proxy:v1.15.5            kube-system
kube-scheduler-docker-desktop   k8s.gcr.io/kube-scheduler:v1.15.5        kube-system
As you can see, this is neither an intuitive nor a straightforward query to run, and the output format is not easy to read. Additionally, the query requires knowledge of JSONPath.
Here’s the same example, this time showing how kube-query combines multiple types of resources:
The above table lists all the pods that are running as privileged, along with their image names. It is important to note that knowing what images are running as part of your deployment could also be useful in understanding the potential threat vectors. Vulnerabilities present in these images can affect your entire cluster.
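The following is an added example (not kube-query's own code) that mimics the JOIN described above: it flattens a constructed pod list into two SQLite tables and joins them to list every privileged container with its image, namespace and pod IP. The table names kubernetes_pods and kubernetes_containers are hypothetical; kube-query's real schema is not given here.

```python
import sqlite3

# Constructed sample in the shape of a Kubernetes PodList; not real cluster data.
SAMPLE_PODS = [
    {"name": "coredns-5c98db65d4-644wk", "namespace": "kube-system", "ip": "10.1.0.114",
     "containers": [{"name": "coredns", "image": "k8s.gcr.io/coredns:1.3.1",
                     "securityContext": {}}]},
    {"name": "kube-proxy-z42fw", "namespace": "kube-system", "ip": "192.168.65.3",
     "containers": [{"name": "kube-proxy", "image": "k8s.gcr.io/kube-proxy:v1.15.5",
                     "securityContext": {"privileged": True}}]},
    {"name": "web-6d4f9b7c8-xk2pq", "namespace": "default", "ip": "10.1.0.120",
     "containers": [{"name": "nginx", "image": "nginx:1.17", "securityContext": {}},
                    {"name": "sidecar", "image": "example.invalid/agent:0.1",
                     "securityContext": {"privileged": True}}]},
]

# Hypothetical table names standing in for the tables an osquery extension exposes.
SCHEMA = """
CREATE TABLE kubernetes_pods (name TEXT, namespace TEXT, ip TEXT);
CREATE TABLE kubernetes_containers (
    pod_name TEXT, namespace TEXT, name TEXT, image TEXT, privileged INTEGER);
"""

PRIVILEGED_QUERY = """
SELECT p.namespace, p.name AS pod, c.name AS container, c.image, p.ip
FROM kubernetes_pods p
JOIN kubernetes_containers c
  ON c.pod_name = p.name AND c.namespace = p.namespace
WHERE c.privileged = 1
ORDER BY p.namespace, p.name, c.name;
"""

def load_tables(pods, conn):
    """Flatten nested pod objects into relational rows, as an extension would."""
    conn.executescript(SCHEMA)
    for pod in pods:
        conn.execute("INSERT INTO kubernetes_pods VALUES (?, ?, ?)",
                     (pod["name"], pod["namespace"], pod["ip"]))
        for c in pod["containers"]:
            # Only an explicit securityContext.privileged: true counts as privileged.
            priv = 1 if c.get("securityContext", {}).get("privileged") else 0
            conn.execute("INSERT INTO kubernetes_containers VALUES (?, ?, ?, ?, ?)",
                         (pod["name"], pod["namespace"], c["name"], c["image"], priv))

def find_privileged(pods=SAMPLE_PODS):
    """Return (namespace, pod, container, image, ip) for every privileged container."""
    conn = sqlite3.connect(":memory:")
    load_tables(pods, conn)
    return conn.execute(PRIVILEGED_QUERY).fetchall()

if __name__ == "__main__":
    for row in find_privileged():
        print("\t".join(row))
```

A pod with one privileged sidecar among several containers still shows up, which is the case a per-pod view tends to hide.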
How Does It Work?
osquery provides an interface for extensibility. Kube-query is an osquery extension that bridges the gap between osquery and Kubernetes. Kube-query communicates with the Kubernetes API in the backend to gather information from various sources, parses and massages the data, and presents it in a form that can be consumed by osquery.
Kube-query is written in Go and uses the Go Kubernetes client to interface with the Kubernetes API. Kube-query communicates with osquery through remote procedure calls made over a UNIX socket using Thrift.
Thrift is a code-generating framework for developing services. osquery exposes a Thrift interface through which extensions communicate with its core for various purposes, such as implementing custom tables, which is what kube-query does.
To Summarize
Kube-query is an open source Kubernetes reporting tool, built as an osquery extension, that enables you to quickly and easily query your clusters. Kube-query is currently in an experimental state and is available from GitHub.