KhaaS : Bug into playbook and GRPC server doesn't works #257

Open
theoberthier opened this issue Sep 11, 2024 · 8 comments
@theoberthier

Describe the bug

  1. To have ui-jupyter I must modify docker-compose.release.yaml to add your jupyter ui image

  2. kubehound dump remote => add env on host :

    • AWS_ACCESS_KEY_ID=<>
    • AWS_SECRET_ACCESS_KEY=<>
    • AWS_DEFAULT_REGION=<>
    • AWS_ENDPOINT_URL=http://:
  3. GRPC server denies connection

To Reproduce
Steps to reproduce the behavior:

  1. Launch the whole stack with:
    "docker compose -f docker-compose.yaml -f docker-compose.release.yaml -f docker-compose.release.ingestor.yaml up -d"
    in /Kubehound/deployments/kubehound/
    This error is raised: service "ui-jupyter" has neither an image nor a build context specified: invalid compose project

  2. GRPC isn't reachable:
    add the env variables described in 2.
    when I try to reach the endpoint :9000, with a grpc client or ./bin/build/kubehound dump remote --bucket s3://kh-bucket --insecure --khaas-server 10.10.20.50:9000

INFO[17:05:58] Loading application from inline command      
INFO[17:05:58] Using /home/<user>/.config/kubehound.yaml for default config 
INFO[17:05:58] Initializing application telemetry           
WARN[17:05:58] Telemetry disabled via configuration         
INFO[17:05:58] Loading Kubernetes data collector client     
WARN[17:05:58] About to dump k8s cluster: "default" - Do you want to continue ? [Yes/No] 


-----------------
INFO[17:06:01] Launching ingestion on <ip>:9000 [rundID: 01j7h0s28d1m5hckz4gbgngwaa] 
FATA[17:06:01] call Ingest (default:01j7h0s28d1m5hckz4gbgngwaa): rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing: dial tcp <ip>:9000: connect: connection refused"

I tried to get the logs of a container and execute a shell inside to debug it, but I can't launch anything with docker exec -it ....

Expected behavior
When I launch ./kubehound dump remote ........ I expect to push the dump into the s3 bucket (it works) and I want to send an RPC request to my GRPC server

@jt-dd jt-dd added the bug Something isn't working label Sep 13, 2024
@jt-dd jt-dd self-assigned this Sep 13, 2024
@jt-dd
Contributor

jt-dd commented Sep 13, 2024

Thanks for reporting the issue. I spotted some errors regarding the deployment example. We are deploying a fix #265. Can you try redeploying with the following file:

Also for easier setup, we are adding env variables to set up the ingestor/grpc image #264. Regarding your config, what did you use for ingestor.api.endpoint and ingestor.api.insecure?

@jt-dd
Contributor

jt-dd commented Sep 13, 2024

Everything has been updated in v1.5.1. It should work out of the box now. You can set up your environment using the env variables KH_*.

@theoberthier
Author

I have tried to deploy v1.5.1 and in docker-compose.yaml, in ui-jupyter, the field "profile" stops the deployment of jupyter ui.
When I move profile, the deployment works, or I put --profile jupyter, but the documentation doesn't talk about this.

  • For the GRPC server, I have configured the KH_* env and I have "connection refused"
  • For the bucket env I didn't see the env variable for the endpoint of the bucket; by default, s3 commands like aws s3 ls s3 use the domain name of amazon, my-bucket.s3.amazon ...., and I need to specify an endpoint-url to contact my local s3 bucket.
    In version 1.4.0, AWS_ENDPOINT_URL is understood by Kubehound and I saw that the blob storage step was successful, but this is not the case in the new version.

The process is blocked in the blob storage step, with this error: "dump core: empty bucket name"

Thank you for your answers

@jt-dd
Contributor

jt-dd commented Sep 18, 2024

For the GRPC server issue can you post:

  • docker ps output
  • docker logs kubehound-release-grpc-1 output (just make sure you anonymise the bucket name)

For the bucket, I am going to push a fix for it.

@theoberthier
Author

For sure :

$ docker ps
ghcr.io/datadog/kubehound-binary:latest   "/kubehound serve"       2 days ago   Up 41 seconds           0.0.0.0:9000->9000/tcp                                                         kubehound-release-grpc-1
$ docker logs kubehound-release-grpc-1

time="09:14:41" level=fatal msg="factory config creation: graph database client creation: E0104: no successful connections could be made: Forbidden"
time="09:14:42" level=info msg="Loading application configuration from default embedded"
time="09:14:43" level=warning msg="No local config file was found (kubehound.yaml)"
time="09:14:43" level=info msg="Using /kubehound for default config\n"
time="09:14:43" level=info msg="Initializing application telemetry"
time="09:14:43" level=warning msg="Telemetry disabled via configuration"
time="09:14:43" level=info msg="Starting KubeHound Distributed Ingestor Service"
time="09:14:43" level=info msg="Initializing providers (graph, cache, store)"
time="09:14:43" level=info msg="Loading cache provider"
time="09:14:43" level=info msg="Loaded memcache cache provider"
time="09:14:43" level=info msg="Loading store database provider"
time="09:14:43" level=info msg="Loaded mongodb store provider"
time="09:14:43" level=info msg="Loading graph database provider"
2024/09/19 09:14:43 Failed to instantiate the new connection; setting connection state to closed.
2024/09/19 09:14:43 Error creating new connection for connection pool: Forbidden
2024/09/19 09:14:43 Error occurred during operation NewDriverRemoteConnection: 'E0104: no successful connections could be made: Forbidden'
time="09:14:43" level=warning msg="Retrying to connect [1/5]"
2024/09/19 09:14:53 Failed to instantiate the new connection; setting connection state to closed.
2024/09/19 09:14:53 Error creating new connection for connection pool: Forbidden
2024/09/19 09:14:53 Error occurred during operation NewDriverRemoteConnection: 'E0104: no successful connections could be made: Forbidden'
time="09:14:53" level=warning msg="Retrying to connect [2/5]"
2024/09/19 09:15:03 Failed to instantiate the new connection; setting connection state to closed.
2024/09/19 09:15:03 Error creating new connection for connection pool: Forbidden
2024/09/19 09:15:03 Error occurred during operation NewDriverRemoteConnection: 'E0104: no successful connections could be made: Forbidden'
time="09:15:03" level=warning msg="Retrying to connect [3/5]"
2024/09/19 09:15:13 Failed to instantiate the new connection; setting connection state to closed.
2024/09/19 09:15:13 Error creating new connection for connection pool: Forbidden
2024/09/19 09:15:13 Error occurred during operation NewDriverRemoteConnection: 'E0104: no successful connections could be made: Forbidden'
time="09:15:13" level=warning msg="Retrying to connect [4/5]"
2024/09/19 09:15:23 Failed to instantiate the new connection; setting connection state to closed.
2024/09/19 09:15:23 Error creating new connection for connection pool: Forbidden
2024/09/19 09:15:23 Error occurred during operation NewDriverRemoteConnection: 'E0104: no successful connections could be made: Forbidden'
time="09:15:23" level=warning msg="Retrying to connect [5/5]"
2024/09/19 09:15:33 Failed to instantiate the new connection; setting connection state to closed.
2024/09/19 09:15:33 Error creating new connection for connection pool: Forbidden
2024/09/19 09:15:33 Error occurred during operation NewDriverRemoteConnection: 'E0104: no successful connections could be made: Forbidden'
time="09:15:33" level=fatal msg="factory config creation: graph database client creation: E0104: no successful connections could be made: Forbidden"

Here are the main logs that keep coming back
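
An added example, not part of the thread and not KubeHound code: a POSIX shell/awk triage of the gRPC container log posted above, reporting which provider was still loading when the process logged level=fatal. The function names and the abridged sample log are constructed for illustration from the lines in that comment.

```shell
#!/bin/sh
# Constructed sample: abridged from the log lines quoted in the comment above.
sample_log() {
cat <<'EOF'
time="09:14:41" level=fatal msg="factory config creation: graph database client creation: E0104: no successful connections could be made: Forbidden"
time="09:14:43" level=info msg="Starting KubeHound Distributed Ingestor Service"
time="09:14:43" level=info msg="Loading cache provider"
time="09:14:43" level=info msg="Loaded memcache cache provider"
time="09:14:43" level=info msg="Loading store database provider"
time="09:14:43" level=info msg="Loaded mongodb store provider"
time="09:14:43" level=info msg="Loading graph database provider"
2024/09/19 09:14:43 Error creating new connection for connection pool: Forbidden
time="09:14:43" level=warning msg="Retrying to connect [1/5]"
time="09:15:23" level=warning msg="Retrying to connect [5/5]"
time="09:15:33" level=fatal msg="factory config creation: graph database client creation: E0104: no successful connections could be made: Forbidden"
EOF
}

# Read a container log on stdin and print one summary line:
#   starts      - service start banners seen
#   failed_step - provider that was "Loading" (never "Loaded") at the last fatal
#   retries     - last "Retrying to connect [n/m]" counter seen
#   fatals      - number of level=fatal lines (more than starts => restart loop)
triage_grpc_log() {
  awk '
    match($0, /level=[a-z]+/) {            # only time=... level=... msg="..." lines
      lvl = substr($0, RSTART + 6, RLENGTH - 6)
      msg = $0; sub(/^.*msg="/, "", msg); sub(/"$/, "", msg)
      if (msg ~ /^Starting KubeHound/) starts++
      if (msg ~ /^Loading .* provider$/) {
        pending = msg; sub(/^Loading /, "", pending); sub(/ provider$/, "", pending)
      }
      if (msg ~ /^Loaded .* provider$/) pending = ""
      if (msg ~ /^Retrying to connect \[/) {
        retry = msg; sub(/^.*\[/, "", retry); sub(/\].*$/, "", retry)
      }
      if (lvl == "fatal") { fatals++; if (pending != "") failed = pending }
    }
    END {
      printf "starts=%d failed_step=\"%s\" retries=%s fatals=%d\n",
             starts, failed, (retry == "" ? "none" : retry), fatals
    }'
}

sample_log | triage_grpc_log
```

On a live host the same function can be fed with `docker logs kubehound-release-grpc-1 2>&1 | triage_grpc_log`. A fatal exit while the graph database provider is still loading means the service did not finish starting, which is consistent with the client-side "connection refused" on :9000 in the original report.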

@jt-dd
Contributor

jt-dd commented Sep 19, 2024

Did you pull the latest version using docker compose -f docker-compose.yaml -f docker-compose.release.yaml -f docker-compose.release.ingestor.yaml pull ?

Can you post the image sha of your image ?

  • docker inspect kubehound-release-grpc-1 --format='{{.Image}}'

@theoberthier
Author

theoberthier commented Sep 19, 2024

  • docker inspect : sha256:d53db372b4202989fab80f00b43abeba21ce765b4d4fb2c9195cc873a9286b95

I pulled the new images and I restarted; I have the same message in the new release when I launch kubehound dump remote:

  • bucket name is empty

In the v1.4.1 binary with the same env, when I dump remote, the connection to the GRPC server is refused with the new images.

Minosity-VR added a commit that referenced this issue Sep 20, 2024
@jt-dd
Contributor

jt-dd commented Oct 1, 2024

How do you set your bucket name? If you set it from the config file kubehound.yaml, which key is setting it up?

It should be bucket_url, like this:

# Ingestor configuration (for KHaaS)
ingestor:
  blob:
    # (i.e.: s3://<your-bucket>)
    bucket_url: ""
