kube-query
kube-query is an extension for osquery that lets you inspect your Kubernetes cluster using SQL queries.
Deployment
Prerequisites
Go v1.12+
Build
$ export GO111MODULE=on
$ go build kube-query.go
Running kube-query
When running kube-query, always pass the -kubeconfig flag, specifying the path to your kubeconfig file.
osqueryi
When using the osqueryi tool you can register kube-query by starting it in a separate process and passing the -socket parameter with the path to osquery's extension socket. For example:
./kube-query -socket="/path/to/osquery/socket" -kubeconfig="/path/to/kubeconfig.yml"
One way to find the path to the osquery extension socket is to query it from osqueryi:
osqueryi --nodisable_extensions
osquery> select value from osquery_flags where name = 'extensions_socket';
+-----------------------------------+
| value |
+-----------------------------------+
| /Users/USERNAME/.osquery/shell.em |
+-----------------------------------+
There are many other options to automatically register extensions.
Example Queries
-- query all kube-system pods
SELECT * FROM kubernetes_pods WHERE namespace='kube-system';
-- query all containers created by kubernetes
SELECT * FROM kubernetes_containers;
-- query all pods that run with a privileged container
SELECT *
FROM kubernetes_containers
JOIN kubernetes_pods
ON kubernetes_containers.pod_uid=kubernetes_pods.uid
WHERE privileged='True';
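Building on the privileged-container join above, the following added example (not part of the kube-query README) summarises privileged containers per namespace so that workloads outside kube-system which should not need host-level privileges stand out. It assumes only the columns the README's own queries use (namespace, uid, pod_uid, privileged) and that privileged is stored as the string 'True', as in the README's example.

```sql
-- Added example: count privileged containers and the pods they belong to,
-- grouped by namespace, ignoring the system namespace.
-- Assumption: column names and the 'True' value match the README's queries.
SELECT kubernetes_pods.namespace,
       COUNT(DISTINCT kubernetes_pods.uid)  AS privileged_pods,
       COUNT(kubernetes_containers.pod_uid) AS privileged_containers
FROM kubernetes_containers
JOIN kubernetes_pods
  ON kubernetes_containers.pod_uid = kubernetes_pods.uid
WHERE kubernetes_containers.privileged = 'True'
  AND kubernetes_pods.namespace != 'kube-system'
GROUP BY kubernetes_pods.namespace
ORDER BY privileged_containers DESC;
```

Any namespace returned here is a candidate for review against a Pod Security admission policy or an equivalent control.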