Ycsecurity/auditlogs/cilium-s3

"cilium-s3" Export flow logs of Cilium to Yandex Cloud Object Storage

Version

Version-1.0

• Changelog:
  • First version
• Docker images:
  • cr.yandex/sol/cilium-s3:1
• Helm chart:
  • cr.yandex/sol/cilium-s3-chart:0.1.0

Solution Description

Connects via gRPC to hubble-relay and sends netflow events to Object Storage Then you can pick up these events from Object Storage to any SIEM using GeeseFS or other aws compatible plugins

Or using prepared Object Storage integrations in the following SIEMs:

• Object storage to Splunk
• Cilium flow logs to Elasticsearch Скоро!!!

Installing with helm

Prerequisites

• :white_check_mark: Yandex Managed Service for Kubernetes® with Cilium CNI enabled
• :white_check_mark: Object Storage Bucket
• :white_check_mark: Created static keys for service account
• :white_check_mark: Installed Helm client

Install helm-chart

Install helm hart by replacing the values with your own (specified in the prerequisites)

helm install cilium-s3-chart oci://cr.yandex/sol/cilium-s3-chart --version 0.1.0 --namespace cilium-s3 --create-namespace \
--set yandex.secretaccesskey=<your-secretaccesskey> \
--set yandex.bucket=<your-Bucket-name> \
--set yandex.accesskeyid=<your-accesskeyid> \
--set yandex.prefix=<your-secretaccesskey> (например:k8s-cilium-flow-logs/cluster-id-1232145gfg) 

Helm values:
yandex:
-    accesskeyid: ""  # yandex access key
-    secretaccesskey: ""  # yandex secret access key
-    bucket: ""  # Yandex storage, bucket name
-    hubble_url: "hubble-relay.kube-system.svc.cluster.local:80" # Hubble-url
-    prefix: "k8s-cilium-flow-logs/" # Prefix of bucket folder
-    region: "ru-central1" # region of S3
-    endpoint: "https://storage.yandexcloud.net" # endpoint of S3