How to Import Data from Kubernetes
How Does Cado Import Data from EKS, ECS, AKS, and GKE?
When acquiring data from Kubernetes containers, Cado follows these steps by default:
- Executes a shell script to download the Cado Host binary.
- Runs the binary to collect forensic artifacts.
- Uploads the collected files to cloud storage for processing.
The method used to execute the script depends on the environment. For example, ECS uses ECS execute, while EKS, AKS, and GKE use the Kubernetes control plane API, as explained here.
Authentication to the Kubernetes API may require both IAM and Kubernetes RBAC permissions, which are described in service-specific documentation.
Alternate Collection by Acquiring the Volume of the Node
If executing code inside the container or connecting over the network is not possible, you can acquire the volume of the node running the container. For example, this approach works for EKS running on EC2 nodes.
- If using the Docker container runtime, container file systems are usually available at /var/lib/docker/overlay2.
- If using the containerd runtime (which is now the default for EKS), the container file system is not immediately visible. Cado is working on supporting containerd-based volume acquisitions.
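As an added illustration (not Cado's code) of what a responder finds on an acquired node volume when the Docker runtime is in use, the POSIX shell script below walks the overlay2 directory of a node volume assumed to be mounted read-only at $MOUNT, and separates read-only image layers from each container's writable layer (the layer whose diff directory holds everything changed after the container started). The MOUNT variable, the mount path and the layer-directory layout it relies on (a diff directory, an optional lower file, and a "-init" sibling beside each container layer) are assumptions about standard overlay2 storage, not statements from this page.

```shell
#!/bin/sh
# Added example (not Cado's code): enumerate Docker overlay2 layers on an
# acquired node volume and flag container read-write layers.
# Assumes the node volume is mounted read-only at $MOUNT (e.g. /mnt/node), so
# the Docker root is $MOUNT/var/lib/docker. Paths and layout are assumptions.

# Print one line per layer: "<kind> <diff-dir> lowers=<n>".
# kind is "rw" for a container's writable layer (it has an "<id>-init" sibling),
# "init" for that init layer, or "image" for a read-only image layer.
list_overlay2_layers() {
    docker_root="$1"
    ov="$docker_root/overlay2"
    [ -d "$ov" ] || { echo "no overlay2 directory under $docker_root" >&2; return 1; }
    for d in "$ov"/*/; do
        d="${d%/}"
        id="${d##*/}"
        [ "$id" = "l" ] && continue          # "l" only holds short-name symlinks
        [ -d "$d/diff" ] || continue         # not a layer directory
        if [ -f "$d/lower" ]; then
            # "lower" lists the read-only parents, colon separated
            n=$(tr ':' '\n' < "$d/lower" | grep -c . || true)
        else
            n=0                              # base layer has no parents
        fi
        case "$id" in
            *-init) kind=init ;;
            *) if [ -d "$d-init" ]; then kind=rw; else kind=image; fi ;;
        esac
        echo "$kind $d/diff lowers=$n"
    done
}

# Number of container read-write layers, i.e. where post-start changes live.
count_rw_layers() {
    list_overlay2_layers "$1" | grep -c '^rw ' || true
}

# Stand-alone use: MOUNT=/mnt/node sh list_layers.sh
if [ -n "$MOUNT" ]; then
    list_overlay2_layers "$MOUNT/var/lib/docker"
fi
```

The "rw" lines are the ones to triage first on a compromised node: their diff directories contain only files written after the container started, so a modified binary, dropped script or altered configuration stands out against the untouched image layers.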
Alternate Collection by Using Cado Host with a Sidecar Container
Cado supports collecting from private clusters and distroless containers by using a debug container.
To acquire data:
- Navigate to Import > Cado Host.
- Select Kubernetes and follow the prompts.
This will use a command such as the following to start a debug container and execute Cado Host:
kubectl debug -it pod-name --image=debian:latest --target=target-container -n pod-namespace -- sh -c
The diagram below provides a high-level overview of how this works:
Kubernetes RBAC Requirements
Cado requires write and execute access to containers to download and run the Cado Host binary. Specifically, Cado requires get and list permissions for the pods resource, and get and create permissions for the pods/exec resource.
Using a Custom Image
In environments where the default debian:latest image is not supported, you can use a custom image. The custom image must have the latest Cado Host Linux binary located at /tmp/cado-host-static/cado-host. However, Cado recommends using the default debian:latest image for supportability.
Root Access
By default, Cado Host requires root access to access the underlying container file system (usually under /proc/{PID}/root). The runuser command with the root user is also required to give the Cado Host process the appropriate UID and GID.
For Kubernetes v1.30 or later, you can optionally use the "Run as non-root user" option, which leverages the sysadmin profile to access the container file system.
Private Clusters with No Network Access
Cado requires access to the Kubernetes control plane API to acquire containers via the user interface. If network access to the Kubernetes API is not available, alternate options for acquiring data are needed.
Private AKS Clusters
Cado can acquire private AKS clusters using the normal user interface, thanks to Azure's "command invoke" feature for private clusters.
Private GKE Clusters
Cado is exploring support for private GKE clusters through public endpoints on private clusters.
Private EKS Clusters
Private EKS clusters can be configured to be accessible only from within the VPC they reside in or connected networks (e.g., peered VPCs). If the cluster is configured with "Private endpoint only," you will need to use a method like VPC peering or another connection option to access the API.
If Cado cannot access the cluster endpoint, you can use the Alternate Private EKS Cluster Access method described below.
Alternate Private EKS Cluster Access
If the Cado platform does not have access to the cluster endpoint, you can acquire data by deploying the Cado Host acquisition script.
To do this, connect to your EKS cluster using a command like:
aws eks update-kubeconfig --region $Region --name $ClusterName
Follow AWS’s instructions here.
Then execute the kubectl script generated at Import > Cado Host > Kubernetes.
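The following POSIX shell script is an added example (not Cado's code, and not the script generated by the Cado user interface) that ties together the Kubernetes RBAC requirements listed above and the private EKS procedure just described. It renders a namespaced Role and RoleBinding carrying exactly the verbs the RBAC section names (get and list on pods, get and create on pods/exec), refreshes the kubeconfig with the aws eks update-kubeconfig command from this page, and then checks each required permission with kubectl auth can-i before you run the generated kubectl script. The REGION, CLUSTER and NAMESPACE variables, the Role name cado-host-acquire and the example subject are assumptions.

```shell
#!/bin/sh
# Added example (not Cado's code): least-privilege RBAC and a preflight check
# for running the Cado Host kubectl script against a private EKS cluster from
# inside its VPC. $REGION, $CLUSTER, $NAMESPACE and the subject are assumptions.

# Render a namespaced Role with only the verbs the RBAC section requires, bound
# to one subject (kind User or Group, then its name). Feed to "kubectl apply -f -".
cado_rbac_manifest() {
    ns="$1" subject_kind="$2" subject_name="$3"
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cado-host-acquire
  namespace: $ns
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cado-host-acquire
  namespace: $ns
subjects:
- kind: $subject_kind
  name: $subject_name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cado-host-acquire
  apiGroup: rbac.authorization.k8s.io
EOF
}

# The verb/resource pairs the page requires, one per line ("verb resource").
cado_required_access() {
    printf '%s\n' "get pods" "list pods" "get pods/exec" "create pods/exec"
}

# Ask the API server whether the current identity holds each pair in the
# namespace; print the missing ones to stderr and return 1 if any are missing.
check_cado_access() {
    ns="$1"
    missing=$(cado_required_access | while read -r verb resource; do
        [ "$(kubectl auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null)" = "yes" ] \
            || echo "$verb $resource"
    done)
    if [ -n "$missing" ]; then
        echo "missing permissions in namespace $ns:" >&2
        echo "$missing" >&2
        return 1
    fi
    echo "all required permissions present in namespace $ns"
}

# Stand-alone use, from a host inside the VPC (bastion, SSM session, Cloud9, etc.):
#   REGION=us-east-1 CLUSTER=prod-eks NAMESPACE=payments sh preflight.sh
if [ -n "$CLUSTER" ] && command -v aws >/dev/null 2>&1; then
    aws eks update-kubeconfig --region "${REGION:?set REGION}" --name "$CLUSTER"
    check_cado_access "${NAMESPACE:-default}" \
        && echo "now run the kubectl script from Import > Cado Host > Kubernetes"
fi
```

Binding a Role rather than a ClusterRole keeps the acquisition identity scoped to the namespace under investigation, and the can-i check fails fast with the exact missing verb instead of leaving the generated script to fail part-way through the download-and-execute sequence.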
Methods for Executing Kubernetes API Commands Inside a Private Cluster VPC
Various methods can be used to access the Kubernetes API in a private VPC, including:
- Bastion Hosts
- SSM (AWS Systems Manager)
- AWS PrivateLink
- AWS Cloud9
- VPN/Direct Connect
For details on these methods, refer to the following resources:
- Bastion Hosts
- SSM
- VPN/Direct Connect
- PrivateLink
- Cloud9