Monitoring Kubernetes

Security

This page covers what Collectord runs as, what it touches on the host and the cluster, and what you can lock down. If you’re walking through a security review, this is the short version of the answers.

Collector

Image

Starting from version 5.2, we build our image from scratch - a 0-size base. The Collectord image ships only what’s required to run: the collectord binary, a set of root certificates, and a timezone database. The binary itself is statically compiled in Go with no dynamic runtime, so it can only do what we programmed it to do - there’s no shell, no package manager, no interpreter to pivot from.

Container configuration

To collect logs and metrics from the cluster, Collectord needs access to the host filesystem - that’s why the container requires privileged access. Collectord treats the host as read-only. The only thing it writes back is acknowledgement state in the form of a small database, which by default lives under /var/lib/collectorforkubernetes. If you configure a volume database, it goes in the volume root instead.

If you skip the volume database, you can drop the host filesystem to read-only - but you’ll still need write access to Collectord’s primary database directory (the data folder).

Collectord also reads from the API Server. We scope that access with RBAC so it only has the read permissions it needs, nothing more.

Using secrets to manage configurations

For storing the HEC token and license key as Kubernetes Secrets rather than plain ConfigMap values, follow these instructions.

Internet access

The default license requires internet access so license clients can verify against our license server. If your environment doesn’t allow outbound traffic, we can issue a license that doesn’t require verification - reach out and we’ll set you up.

Collectord also forwards anonymous telemetry to our license server. You can turn that off in the configuration.

Connection to Splunk HTTP Event Collector

We recommend SSL for the connection to Splunk HEC - see the Splunk output guide for how to configure a secure SSL connection between Collectord and HEC.

FIPS 140 compliance

Available since Collectord version 26.04

For environments under FedRAMP, FIPS 140-3, or other federal/finance/healthcare compliance regimes, Collectord ships a FIPS-validated container image. The FIPS build is the same Collectord agent - it differs only in how cryptographic operations are routed: instead of Go’s standard crypto packages, the binary calls into the FIPS-validated module from Go’s crypto/fips140 (Go 1.24+).

Pulling the FIPS image

The FIPS images carry a -fips suffix on the tag, alongside the usual architecture suffix. Both amd64 and arm64 variants are published:

```bash
docker pull outcoldsolutions/collectorforkubernetes:26.04.3-fips-amd64
docker pull outcoldsolutions/collectorforkubernetes:26.04.3-fips-arm64
```

To switch your DaemonSets and addon Deployment to FIPS, change the image: tag in the manifest from :26.04.3-amd64 to :26.04.3-fips-amd64 (or the arm64 equivalent). No other configuration changes are required.

FIPS-enabled vs FIPS-enforced

Collectord supports two FIPS modes, controlled by the standard Go runtime variable GODEBUG:

  • FIPS-enabled (default for the FIPS image) - the FIPS-validated module is loaded and used for cryptography, but the Go runtime will still fall back to non-FIPS algorithms if a caller explicitly requests one. Suitable for most compliance regimes.
  • FIPS-enforced - set GODEBUG=fips140=only on the container. Any code path that would use a non-FIPS algorithm panics instead of falling back. Required for the strictest compliance interpretations.

To run the agent FIPS-enforced, add the env var to the DaemonSet (and the addon Deployment) container spec:

```yaml
env:
  - name: GODEBUG
    value: "fips140=only"
```

Verifying the mode is active

At startup, Collectord logs whether FIPS mode is enabled or enforced and which validated module version is in use. To check a running pod:

```bash
kubectl logs -n collectorforkubernetes <pod> | grep -i fips
```

You should see a line like FIPS 140 mode enabled (v1.0.0) or FIPS 140 mode enforced (v1.0.0).

The collectord verify and collectord diag commands also report the FIPS state in their output - useful for support bundles and audit evidence:

```bash
kubectl exec -n collectorforkubernetes <pod> -- /collectord verify | grep -i fips
```
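As an added example for audit evidence (this is not Collectord's own code or tooling), the following Python check reads a DaemonSet in the shape `kubectl get daemonset -o json` returns plus the pod's log lines, works out which FIPS mode the manifest selects from the image tag and the GODEBUG value, and compares that with the startup line the agent logged. The DaemonSet and the log lines are constructed samples; the startup line format follows the one shown above.

```python
import json
import re

# Constructed sample shaped like `kubectl get daemonset -o json`, trimmed to the
# fields this check reads; not taken from a real cluster.
SAMPLE_DAEMONSET = json.loads("""
{"kind": "DaemonSet", "spec": {"template": {"spec": {"containers": [{
  "name": "collectorforkubernetes",
  "image": "outcoldsolutions/collectorforkubernetes:26.04.3-fips-amd64",
  "env": [{"name": "GODEBUG", "value": "fips140=only"}]}]}}}}
""")
# Constructed log lines using the startup message format the page describes.
SAMPLE_LOGS = ["collectord starting", "FIPS 140 mode enforced (v1.0.0)"]

FIPS_TAG = re.compile(r":\d+\.\d+\.\d+-fips-(amd64|arm64)$")
STARTUP_LINE = re.compile(r"FIPS 140 mode (enabled|enforced) \(v[\d.]+\)")

def expected_mode(workload):
    """Per container: 'off' (non-FIPS image), 'enabled' (FIPS image without the
    enforce flag) or 'enforced' (FIPS image plus GODEBUG=fips140=only)."""
    modes = {}
    for c in workload["spec"]["template"]["spec"]["containers"]:
        env = {e["name"]: e.get("value", "") for e in c.get("env", [])}
        enforce = "fips140=only" in env.get("GODEBUG", "").split(",")
        if not FIPS_TAG.search(c.get("image", "")):
            modes[c["name"]] = "off"  # the flag alone does not make a FIPS image
        else:
            modes[c["name"]] = "enforced" if enforce else "enabled"
    return modes

def reported_mode(log_lines):
    """Mode from the agent's startup line, or None if no such line was logged."""
    for line in log_lines:
        m = STARTUP_LINE.search(line)
        if m:
            return m.group(1)
    return None

def audit(workload, log_lines, container):
    """Findings for an audit bundle; empty means manifest and running agent agree on 'enforced'."""
    findings = []
    want = expected_mode(workload).get(container, "off")
    got = reported_mode(log_lines)
    if want != "enforced":
        findings.append(f"{container}: manifest yields FIPS mode '{want}', not 'enforced'")
    if got is None:
        findings.append(f"{container}: no FIPS startup line in logs")
    elif got != want:
        findings.append(f"{container}: manifest expects '{want}' but agent logged '{got}'")
    return findings
```

In practice, feed `audit()` the container spec from the live DaemonSet and the output of the `kubectl logs` command above; a non-empty result is the discrepancy to record.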

What the FIPS image does not change

The FIPS image is about cryptographic algorithms only. It doesn’t alter Collectord’s RBAC, network behavior, or feature set. Annotations, configuration files, and dashboards work identically. Performance is within a few percent of the non-FIPS build.

If you need an air-gapped license (no outbound to our license server) for a FIPS-restricted environment, reach out - we issue them on request.