
How to Import Data from Kubernetes

How Does Cado Import Data from EKS, ECS, AKS, and GKE?

When acquiring data from Kubernetes containers, Cado follows these steps by default:

  • Executes a shell script to download the Cado Host binary.
  • Runs the binary to collect forensic artifacts.
  • Uploads the collected files to cloud storage for processing.

The method used to execute the script depends on the environment. For example, ECS uses ECS Exec, while EKS, AKS, and GKE use the Kubernetes control plane API, as explained here.

Authentication to the Kubernetes API may require both IAM and Kubernetes RBAC permissions, which are described in service-specific documentation.

Alternate Collection by Acquiring the Volume of the Node

If executing code inside the container or connecting over the network is not possible, you can acquire the volume of the node running the container. For example, this approach works for EKS running on EC2 nodes.

  • If using the Docker container runtime, container file systems are usually available at /var/lib/docker/overlay2.
  • If using the containerd runtime (now the default for EKS), the container file system is not immediately visible on the node volume. Cado is working on supporting containerd-based volume acquisitions.
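Once a node volume has been acquired and mounted, the overlay2 directory names alone do not tell you which container each layer belongs to. The following added example (not Cado's code) maps every Docker container found on a mounted node disk to its name, image and writable overlay2 layer. It assumes the acquired node root filesystem is mounted at the path passed as node_root, and relies on two standard Docker on-disk structures: var/lib/docker/containers/<id>/config.v2.json (container name and image) and var/lib/docker/image/overlay2/layerdb/mounts/<id>/mount-id (the overlay2 directory id). The sample node tree it reads is constructed in a temporary directory; the container id, mount id and pod name in it are made up.

```python
import json
import tempfile
from pathlib import Path

# Docker on-disk layout, relative to the mounted node root.
CONTAINERS_DIR = "var/lib/docker/containers"
MOUNTS_DIR = "var/lib/docker/image/overlay2/layerdb/mounts"
OVERLAY_DIR = "var/lib/docker/overlay2"


def map_containers(node_root):
    """Describe each Docker container found on a mounted node disk.

    node_root is the mount point of the acquired node volume (e.g. /mnt/node).
    The read-write layer of a container lives at
    <node_root>/var/lib/docker/overlay2/<mount-id>/diff.
    """
    root = Path(node_root)
    results = []
    containers = root / CONTAINERS_DIR
    if not containers.is_dir():
        return results
    for cdir in sorted(p for p in containers.iterdir() if p.is_dir()):
        cid = cdir.name
        entry = {"id": cid, "name": None, "image": None, "upper_dir": None}
        try:
            cfg = json.loads((cdir / "config.v2.json").read_text())
            # Docker stores the name with a leading slash, e.g. "/k8s_app_pod_ns_uid_0".
            entry["name"] = cfg.get("Name", "").lstrip("/") or None
            entry["image"] = cfg.get("Config", {}).get("Image")
        except (OSError, ValueError):
            pass  # missing or corrupt config: still report the container id
        try:
            mount_id = (root / MOUNTS_DIR / cid / "mount-id").read_text().strip()
            diff = root / OVERLAY_DIR / mount_id / "diff"
            entry["upper_dir"] = str(diff) if diff.is_dir() else None
        except OSError:
            pass  # no layerdb entry: container has no resolvable rw layer
        results.append(entry)
    return results


def build_sample_node(base):
    """Create a minimal constructed node disk (sample data, not a real acquisition)."""
    base = Path(base)
    cid = "3f9c" + "a" * 60        # constructed 64-hex container id
    mount_id = "b7e1" + "c" * 60   # constructed overlay2 directory id
    (base / CONTAINERS_DIR / cid).mkdir(parents=True)
    (base / CONTAINERS_DIR / cid / "config.v2.json").write_text(json.dumps({
        "ID": cid,
        "Name": "/k8s_web_web-0_default_constructed-uid_0",
        "Config": {"Image": "nginx:1.25"},
    }))
    (base / MOUNTS_DIR / cid).mkdir(parents=True)
    (base / MOUNTS_DIR / cid / "mount-id").write_text(mount_id)
    (base / OVERLAY_DIR / mount_id / "diff" / "etc").mkdir(parents=True)
    (base / OVERLAY_DIR / mount_id / "diff" / "etc" / "motd").write_text("constructed file\n")
    return cid, mount_id


def demo():
    """Build the sample node, map it, print one line per container and return the mapping."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_node(tmp)
        found = map_containers(tmp)
        for c in found:
            print(f"{c['id'][:12]}  {c['name']}  {c['image']}  rw-layer={c['upper_dir']}")
        return found


if __name__ == "__main__":
    demo()
```

Pointing map_containers at the real mount point of an acquired EKS node volume gives you the diff directory to triage for each pod container; anything under the lower (image) layers is shared and lives under the layerdb rather than the per-container mount.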

Alternate Collection by Using Cado Host with a Sidecar Container

Cado supports collecting from private clusters and distroless containers by using a debug container.

To acquire data:

  • Navigate to Import > Cado Host.
  • Select Kubernetes and follow the prompts.

(Screenshot: Cado Host Kubernetes UI)

This will use a command such as the following to start a debug container and execute Cado Host:

kubectl debug -it pod-name --image=debian:latest --target=target-container -n pod-namespace -- sh -c

The diagram below provides a high-level overview of how this works:

(Diagram: Cado Host K8s Flow)

Kubernetes RBAC Requirements

Cado requires write and execute access to containers to download and run the Cado Host binary. Specifically, Cado requires get and list permissions for the pods resource, and get and create permissions for the pods/exec resource.
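Since pods/exec is effectively code execution in every pod the role can see, it is worth granting exactly the verbs listed above and nothing more. The following added example (not Cado's code) holds a namespaced Role in Kubernetes JSON form carrying precisely those permissions, and an audit function that compares any Role against that required set, reporting what is missing and what is excess (wildcard verbs and resources are expanded). The namespace and role names are constructed for the example; the over-broad second role is a constructed specimen of the kind of permissions the audit is meant to flag.

```python
import json

# (resource, verb) pairs the page lists as required by Cado Host.
REQUIRED = {
    ("pods", "get"),
    ("pods", "list"),
    ("pods/exec", "get"),
    ("pods/exec", "create"),
}

# Namespaced Role with exactly the required verbs; names are constructed.
MINIMAL_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "cado-host-acquire", "namespace": "workloads"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get", "create"]},
    ],
}

# Constructed over-broad role, to show what the audit reports as excess.
BROAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "debug-anything", "namespace": "workloads"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/exec", "secrets"], "verbs": ["*"]},
    ],
}

# Verbs a "*" verb expands to for core resources.
CORE_VERBS = ["get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"]


def expand_rules(role):
    """Expand a Role's rules into concrete (resource, verb) pairs.

    Only the core API group ("") matters here, since pods live there; a "*"
    apiGroup is treated as including core. Wildcard verbs expand to CORE_VERBS;
    a wildcard resource is taken to cover the required resources and is also
    kept literally as "*" so it shows up as excess.
    """
    granted = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        if "" not in groups and "*" not in groups:
            continue
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in verbs:
            verbs = CORE_VERBS
        if "*" in resources:
            resources = sorted({r for r, _ in REQUIRED} | {"*"})
        for resource in resources:
            for verb in verbs:
                granted.add((resource, verb))
    return granted


def audit_role(role):
    """Return (missing, excess) relative to REQUIRED, each as a sorted list of pairs."""
    granted = expand_rules(role)
    return sorted(REQUIRED - granted), sorted(granted - REQUIRED)


if __name__ == "__main__":
    for role in (MINIMAL_ROLE, BROAD_ROLE):
        missing, excess = audit_role(role)
        print(role["metadata"]["name"], "missing:", missing, "excess:", excess)
    # kubectl accepts JSON manifests, so this can be piped to: kubectl apply -f -
    print(json.dumps(MINIMAL_ROLE, indent=2))
```

Bind the Role to the identity Cado authenticates as with a RoleBinding in the same namespace, then confirm the effective permissions from the cluster side with kubectl auth can-i (for example kubectl auth can-i create pods/exec -n workloads --as=<subject>). Note that kubectl debug --target works by adding an ephemeral container, so the account that runs the debug-container path also needs update or patch on the pods/ephemeralcontainers subresource; check that verb the same way before an acquisition rather than discovering it mid-incident.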

Using a Custom Image

In environments where the default debian:latest image is not supported, you can use a custom image. The custom image must have the latest Cado Host Linux binary located at /tmp/cado-host-static/cado-host. However, Cado recommends using the default debian:latest image for supportability.

Root Access

By default, Cado Host requires root privileges to reach the underlying container file system (usually under /proc/{PID}/root). The runuser command with the root user is also required to give the Cado Host process the appropriate UID and GID.

For Kubernetes v1.30 or later, you can optionally use the "Run as non-root user" option, which leverages the sysadmin profile to access the container file system.

Private Clusters with No Network Access

Cado requires access to the Kubernetes control plane API to acquire containers via the user interface. If network access to the Kubernetes API is not available, alternate options for acquiring data are needed.

Private AKS Clusters

Cado can acquire private AKS clusters using the normal user interface, thanks to Azure's "command invoke" feature for private clusters.

Private GKE Clusters

Cado is exploring support for private GKE clusters through public endpoints on private clusters.

Private EKS Clusters

Private EKS clusters can be configured to be accessible only from within the VPC they reside in or connected networks (e.g., peered VPCs). If the cluster is configured with "Private endpoint only," you will need to use a method like VPC peering or another connection option to access the API.

If Cado cannot access the cluster endpoint, you can use the Alternate Private EKS Cluster Access method described below.

Alternate Private EKS Cluster Access

If the Cado platform does not have access to the cluster endpoint, you can acquire data by deploying the Cado Host acquisition script.

To do this, connect to your EKS cluster using a command like:

aws eks update-kubeconfig --region $Region --name $ClusterName

Follow AWS’s instructions here.

Then execute the kubectl script generated at Import > Cado Host > Kubernetes.

Methods for Executing Kubernetes API Commands Inside a Private Cluster VPC

Various methods can be used to access the Kubernetes API in a private VPC, including:

  • Bastion Hosts
  • SSM (AWS Systems Manager)
  • AWS PrivateLink
  • AWS Cloud9
  • VPN/Direct Connect

For details on these methods, refer to the following resources: