Skip to content

clustergarage/janusd

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
janus-proto @ 66d3a5b
janus-proto @ 66d3a5b
 
 
lib
lib
 
 
src
src
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
CMakeLists.txt
CMakeLists.txt
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

janusd

Docker Automated build Latest Janus release

This repository implements a daemon process responsible for maintaining a collection of fanotify-style listeners defined by the user to gain insights into when certain key events happen at the filesystem level of their container.

Purpose

This daemon is able to perform a series of flexible tasks combined with a rich set of configurations around guarding inode events:

  • Serves a gRPC endpoint running on each node, that can be communicated with by the Kubernetes janus-controller.
  • Extends out-of-the-box fanotify with recursive file tree options.
  • Handles multi-threaded operations of creating guards, handling event stream message and logging them in a common, configurable way.
  • Reports its current state back to the controller, which syncs current state with desired.
  • Perform health checks for readiness and liveness probes in Kubernetes.

Usage

Once cloned you should update the janus-proto submodule to make sure it's up-to-date with the latest shared definitions:

git submodule foreach git pull origin master

Prerequisites

  • C++14 — for runtime, makes use of new language features
  • cmake v3.10+ — for building the binary locally
  • gRPC — as a communication protocol to the controller
  • Protobuf — for a common type definition

Building

To build a local copy of the binary to run or troubleshoot with:

mkdir build && cd $_
cmake ..
make -j$(nproc --all)

Or if you wish to build as a Docker container and run this from a local registry:

docker build -t clustergarage/janusd .

Running

To run locally, you must do so with elevated privilege in order to access the full rights to procfs:

# in the build/ directory

# running without secure credentials
sudo ./janusd

# running with secure credentials
sudo ./janusd -tls \
  -tlscafile /etc/ssl/ca.pem \
  -tlscertfile /etc/ssl/cert.pem \
  -tlskeyfile /etc/ssl/key.pem

Warning: When running the daemon out-of-cluster in a VM-based Kubernetes context, it will fail to locate the PID from the container ID through numerous cgroup checks and will be unable to start any guards. The solution to get around this is to either run a non-VM-based local Kubernetes, or to run as a pod inside the cluster. The configurations in order to do the latter option are located in the janus repo.

About

Janus Daemon - File Access Auditing for Kubernetes

clustergarage.github.io/janus

Topics

security monitoring-daemon

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

1 star

Watchers

5 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages