Question 1

How do I install kube-forensics on my Kubernetes cluster?

Accepted Answer

You need cluster administrator access: set your KUBECONFIG, checkout the repository, and run 'make deploy', as per the installation instructions. This deploys the controller and CRD to the forensics-system namespace.

Question 2

What data does kube-forensics capture during a pod checkpoint?

Accepted Answer

It captures the equivalent of docker inspect, diff, and export for containers, plus pod metadata, uploading it to S3. This includes container state, filesystem changes, and pod details for offline forensic analysis.

Question 3

kube-forensics vs other Kubernetes forensic tools like kube-hunter?

Accepted Answer

kube-forensics focuses on post-breach evidence capture via pod snapshots, while kube-hunter is a vulnerability scanner. They serve different purposes: forensics for investigation, hunting for proactive security testing.

Question 4

Can kube-forensics work with Google Cloud Storage or Azure Blob Storage instead of S3?

Accepted Answer

No, the README only specifies S3 integration with AWS bucket policies. It's designed for AWS, so alternative cloud storage would require modifications to the code or additional configuration.

Question 5

Is kube-forensics production ready?

Accepted Answer

It's an alpha version (0.1.0), so not recommended for production-critical environments. Expect instability and limited support; check for updates or community feedback before deployment.

Question 6

How does kube-forensics handle permissions for evidence collection?

Accepted Answer

It uses Kubernetes Jobs and requires node role permissions to access pods and upload to S3. You must configure S3 bucket policies to allow the cluster's node role, as shown in the example.

kube-forensics

What is kube-forensics?

Overview

Key Features

Philosophy

Related Projects

Found a gem we're missing?

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions