Description
customer-domon: Gong snippet
Problem
We are migrating our container orchestration from Docker to containerd with Kubernetes. Fleet currently provides valuable visibility into Docker environments, allowing us to query for running containers, images, and other details at the host level. However, there is no equivalent support for containerd. This lack of visibility means we are unable to effectively monitor our new containerd environments.
A critical use case for us is security and incident response. If a zero-day vulnerability is discovered in a specific container image, we need the ability to quickly query our entire fleet to identify all running instances of that vulnerable image. Without containerd support, we lose this capability.
What have you tried?
We currently use and benefit from the existing Docker-related tables in osquery/Fleet. This allows us to inventory running images and get a clear picture of our Dockerized environments. However, as we transition to containerd, this existing functionality is no longer sufficient. We are looking for the same level of insight into our modern container infrastructure that we have for Docker. The primary missing piece is a set of tables and features that can provide visibility into containerd from the host.
Potential solutions
The ideal solution would be for Fleet to add support for containerd with full feature parity to the existing Docker support. This would likely involve leveraging the containerd API to expose information about containers, images, and volumes through osquery tables. This would give us a comprehensive inventory of what is running in our environment.
Key information we would want to be able to query includes:
- A list of all containers running on a host.
- The container images being used.
- Mounted volumes.
What is the expected workflow as a result of your proposal?
The end-user experience should be seamless and consistent with the current Docker monitoring workflow. A user should be able to:
- Run a query against their fleet of hosts.
- The query results should return a list of all containers running under containerd on those hosts.
- The results should include details such as the container image, tags, and mounted volumes.
- In a security event, a user could run a targeted query like `SELECT * FROM containerd_images WHERE image_name = 'vulnerable-image:latest';` and receive a list of all hosts running that specific image, allowing for rapid response.
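Added example, not part of the issue author's text or of Fleet's code: the incident-response query as it can be written today against osquery's existing Docker tables (`docker_containers`, `docker_images`, `docker_container_mounts`), followed by the same query against the containerd tables the issue asks for. The containerd table and column names (`containerd_containers`, `containerd_images`, `containerd_container_mounts`, `image_digest`) are assumptions chosen to mirror the Docker tables; they do not exist in osquery or Fleet.

```sql
-- Added example. Part 1 works today against osquery's Docker tables.
-- Match on the image ID (content digest) as well as the tag: tags such as
-- ':latest' are mutable, so a tag alone can miss a rebuilt image or flag a
-- patched one. The sha256 value below is a placeholder, not a real digest.
SELECT
  c.id            AS container_id,
  c.name          AS container_name,
  c.image         AS image_tag,
  c.image_id      AS image_digest,
  c.state,
  m.source        AS mount_source,
  m.destination   AS mount_destination
FROM docker_containers AS c
LEFT JOIN docker_container_mounts AS m ON m.id = c.id
WHERE c.state = 'running'
  AND (c.image = 'vulnerable-image:latest'
       OR c.image_id = 'sha256:PLACEHOLDER_DIGEST_OF_VULNERABLE_IMAGE');

-- Also surface hosts that merely have the image pulled (not running) from the
-- image inventory; docker_images.tags is a comma-separated list, hence LIKE.
SELECT id AS image_digest, tags, size_bytes, created
FROM docker_images
WHERE tags LIKE '%vulnerable-image:latest%'
   OR id = 'sha256:PLACEHOLDER_DIGEST_OF_VULNERABLE_IMAGE';

-- Part 2: the equivalent the issue requests for containerd. Table and column
-- names here are hypothetical (assumed to mirror the Docker tables above).
SELECT
  c.id            AS container_id,
  c.name          AS container_name,
  c.image         AS image_tag,
  c.image_digest,
  c.state,
  m.source        AS mount_source,
  m.destination   AS mount_destination
FROM containerd_containers AS c
LEFT JOIN containerd_container_mounts AS m ON m.id = c.id
WHERE c.state = 'running'
  AND (c.image = 'vulnerable-image:latest'
       OR c.image_digest = 'sha256:PLACEHOLDER_DIGEST_OF_VULNERABLE_IMAGE');

SELECT image_digest, tags, size_bytes, created
FROM containerd_images
WHERE tags LIKE '%vulnerable-image:latest%'
   OR image_digest = 'sha256:PLACEHOLDER_DIGEST_OF_VULNERABLE_IMAGE';
```

Run as a live query across the fleet, the first statement returns one row per (host, container, mount); the host identity comes from Fleet's result metadata rather than from the query itself. Matching on the digest is the check a practitioner wants during a zero-day response, because the digest is what the vulnerability advisory identifies and it cannot be changed by a re-tag.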