Monitoring Kubernetes

Security

This page covers what Collectord runs as, what it touches on the host and the cluster, and what you can lock down. If you’re walking through a security review, this is the short version of the answers.

Collector

Image

Starting from version 5.2, we build our image from scratch — a 0-size base. The Collectord image ships only what’s required to run: the collectord binary, a set of root certificates, and a timezone database. The binary itself is statically compiled in Go with no dynamic runtime, so it can only do what we programmed it to do — there’s no shell, no package manager, no interpreter to pivot from.

Container configuration

To collect logs and metrics from the cluster, Collectord needs access to the host filesystem — that’s why the container requires privileged access. Collectord treats the host as read-only. The only thing it writes back is acknowledgement state in the form of a small database, which by default lives under /var/lib/collectorforkubernetes. If you configure a volume database, it goes in the volume root instead.

If you skip the volume database, you can mount the host filesystem read-only, but Collectord still needs write access to its primary database directory (the data folder).

Collectord also reads from the API Server. We scope that access with RBAC so it only has the read permissions it needs, nothing more.
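For a security review, the two claims above (host mounts are read-only except the database directory, and RBAC is read-only) can be checked against the deployed objects. The following is an added example, not Collectord's own tooling or manifests: it audits JSON shaped like `kubectl get daemonset,clusterrole -o json` output. Assumptions: the object names, mount paths and sample document are constructed, and "read permissions" is taken to mean the verbs get, list and watch.

```python
import json

DATA_DIR = "/var/lib/collectorforkubernetes"  # default database path named on this page
READ_VERBS = {"get", "list", "watch"}         # assumption: what "read permissions" means

# Constructed sample with two deliberate deviations (writable /var/lib/docker, "update" verb).
SAMPLE = json.loads("""
{"items": [
 {"kind": "DaemonSet", "metadata": {"name": "collectord-example"},
  "spec": {"template": {"spec": {
   "volumes": [
    {"name": "logs", "hostPath": {"path": "/var/log"}},
    {"name": "state", "hostPath": {"path": "/var/lib/collectorforkubernetes"}},
    {"name": "docker", "hostPath": {"path": "/var/lib/docker"}}],
   "containers": [{"name": "collectord", "volumeMounts": [
    {"name": "logs", "mountPath": "/rootfs/var/log", "readOnly": true},
    {"name": "state", "mountPath": "/data"},
    {"name": "docker", "mountPath": "/rootfs/var/lib/docker"}]}]}}}},
 {"kind": "ClusterRole", "metadata": {"name": "collectord-example"},
  "rules": [
   {"apiGroups": [""], "resources": ["pods", "nodes"], "verbs": ["get", "list", "watch"]},
   {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "update"]}]}
]}
""")

def audit(doc):
    """Return findings for writable hostPath mounts and non-read RBAC verbs."""
    findings = []
    for obj in doc.get("items", [doc]):  # accept a List or a single object
        name = obj["metadata"]["name"]
        if obj["kind"] == "DaemonSet":
            pod = obj["spec"]["template"]["spec"]
            host = {v["name"]: v["hostPath"]["path"].rstrip("/")
                    for v in pod.get("volumes", []) if "hostPath" in v}
            for c in pod.get("containers", []):
                for m in c.get("volumeMounts", []):
                    path = host.get(m["name"])
                    # readOnly defaults to false, so a missing key means writable
                    if path and path != DATA_DIR and not m.get("readOnly", False):
                        findings.append(f"{name}/{c['name']}: hostPath {path} is mounted writable")
        elif obj["kind"] in ("ClusterRole", "Role"):
            for rule in obj.get("rules", []):
                extra = sorted(set(rule.get("verbs", [])) - READ_VERBS)
                if extra:
                    res = ",".join(rule.get("resources", []))
                    findings.append(f"{name}: rule on {res} grants non-read verbs {extra}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```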

Using secrets to manage configurations

For storing the HEC token and license key as Kubernetes Secrets rather than plain ConfigMap values, follow these instructions.

Internet access

The default license requires internet access so license clients can verify against our license server. If your environment doesn’t allow outbound traffic, we can issue a license that doesn’t require verification — reach out and we’ll set you up.

Collectord also forwards anonymous telemetry to our license server. You can turn that off in the configuration.

Connection to Splunk HTTP Event Collector

We recommend SSL for the connection to Splunk HEC — see the Splunk output guide for how to configure a secure SSL connection between Collectord and HEC.