kubequery augments container runtime with Kubernetes cluster data

While osquery natively supports containerized workloads and provides visibility into the hosts and the containers running on those hosts, it lacked needed visibility into K8s pod security policies, network policies, roles, bindings and more. For security and DevOps teams using osquery and Kubernetes, kubequery now offers an open source solution that combines container runtime with K8s cluster telemetry for enhanced security observability. Modern defenders can now solve for container security at the individual and pod level, monitor configuration and security policies, and adhere to audit and compliance requirements.

kubequery runs as an extension to osquery and leverages the power of normalization so that new insights across your container deployments are just a SQL JOIN away. Like osquery, kubequery data can be delivered to destinations including files, sockets, Kinesis, and Kafka.

kubequery Empowers Security and DevOps Teams To:

  • Identify privileged containers
  • Inventory active Kubernetes pods
  • Monitor pod security policies
  • Reconstruct the state of a cluster at a historical point in time
  • Conform to CIS Benchmark compliance standards
  • Perform real-time investigations and root cause analysis

How kubequery Works

kubequery is installed as a Kubernetes Deployment and runs as a non-root user. Only one kubequery container runs per K8s cluster.


Once installed, kubequery communicates with the K8s API server to retrieve the necessary K8s objects. The role and secret it is provisioned with allow kubequery to make get, list and watch API calls only. When a kubernetes table is queried, osquery passes the call to kubequery, which retrieves the relevant K8s objects and details. kubequery then converts that information from JSON into structured SQL rows, which osquery delivers to whichever destination -- files, sockets, Kinesis, Kafka, etc. -- it is configured for. Currently all K8s API resources and K8s versions are supported. All major K8s distributions and SaaS offerings, including generic Kubernetes, Red Hat OpenShift, AWS EKS, Google Cloud GKE, Azure AKS, etc., are supported.
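As an added example (not code from this post or from the kubequery project), this is the kind of query the SQL JOIN described above makes possible: privileged containers mapped back to their pod, namespace and node, and the pod security policies that would permit them. The table and column names (kubernetes_pods, kubernetes_pod_containers, kubernetes_pod_security_policies, pod_uid, node_name, privileged, allow_privilege_escalation) are assumed from kubequery's schema; confirm them with `.schema <table>` in osqueryi before scheduling the queries.

```sql
-- Assumed kubequery table and column names; verify with `.schema` in osqueryi.
-- Query 1: every container that is privileged or may escalate privileges,
-- joined to its pod so the result carries namespace and node context.
SELECT
  p.namespace,
  p.name                       AS pod,
  p.node_name,
  c.name                       AS container,
  c.image,
  c.privileged,
  c.allow_privilege_escalation
FROM kubernetes_pod_containers AS c
JOIN kubernetes_pods            AS p
  ON c.pod_uid = p.uid
WHERE c.privileged = 1
   OR c.allow_privilege_escalation = 1
ORDER BY p.namespace, p.name, c.name;

-- Query 2: pod security policies that still allow privileged containers,
-- i.e. the policy gap that lets the rows above exist (CIS-style check).
SELECT
  name                         AS policy,
  privileged,
  allow_privilege_escalation
FROM kubernetes_pod_security_policies
WHERE privileged = 1
   OR allow_privilege_escalation = 1;
```

Scheduled through osquery's normal query packs, both queries produce differential results, so a newly privileged container or a loosened policy shows up as an added row at the configured log destination.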

Learn More & Contribute To kubequery

You can explore details, test and install kubequery, or submit a contribution by visiting the kubequery repository on GitHub. Read more about kubequery from one of its developers in this blog article.

Uptycs engineering resources are dedicated to advancing kubequery’s open source capabilities along with meaningful contributions from the developer community. Near term improvements will focus on Istio support, K8s events, the ability to customize osquery functionality to avoid unnecessary flags/tables, and more. 
