rad-watch

Overview

The rad-watch plugin monitors Kubernetes API events and resource changes in real time, providing continuous visibility into cluster activities and security-relevant events.

How It Works

The rad-watch plugin operates as a Kubernetes controller that:
  • Event Monitoring: Watches Kubernetes API events across all namespaces
  • Change Detection: Detects and tracks resource modifications, creations, and deletions
  • Security Analysis: Analyzes events for security implications and policy violations
  • Real-Time Reporting: Streams security events to RAD Security for immediate analysis

Monitored Events

The plugin monitors the following types of events:
  • Resource Lifecycle: Creation, modification, and deletion of Kubernetes resources
  • RBAC Changes: Changes to roles, role bindings, and permissions
  • Network Changes: Modifications to network policies and service configurations
  • Security Context Changes: Updates to pod security contexts and policies
  • Secret Access: Monitoring of secret access patterns and usage

Configuration

The RAD Watch component has configurable parameters:
Environment Variable    Default Value              Description
WATCH_INTERVAL          1m                         Interval between watch cycles
EVENT_BUFFER_SIZE       1000                       Size of event buffer for processing
ENABLE_RBAC_WATCH       true                       Enable RBAC event monitoring
ENABLE_NETWORK_WATCH    true                       Enable network policy event monitoring
ENABLE_SECRET_WATCH     true                       Enable secret access monitoring
FILTER_NAMESPACES       kube-system,kube-public    Namespaces to exclude from monitoring

Event Filtering

The plugin supports configurable event filtering:
watch:
  config:
    FILTER_NAMESPACES: |
      kube-system,
      kube-public,
      kube-node-lease
    ENABLE_RBAC_WATCH: true
    ENABLE_NETWORK_WATCH: true
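
Excluded namespaces and disabled watch classes produce no events, so it helps to check what a given configuration leaves unwatched. The following added example is not RAD Security code: it audits a configuration mapping against a list of cluster namespaces. The `audit` and `parse_namespaces` helpers, the sample namespaces, and the assumption that whitespace around list entries is insignificant are illustrative, not documented plugin behaviour.

```python
# Added example: audits a rad-watch style config for monitoring blind spots.
# Assumption: FILTER_NAMESPACES is a comma-separated list and surrounding
# whitespace/newlines (as produced by a YAML "|" block) are not significant.
import re

# Defaults taken from the configuration table on this page.
DEFAULTS = {
    "ENABLE_RBAC_WATCH": "true",
    "ENABLE_NETWORK_WATCH": "true",
    "ENABLE_SECRET_WATCH": "true",
    "FILTER_NAMESPACES": "kube-system,kube-public",
}

def parse_namespaces(raw):
    """Split on commas/whitespace, drop empties, keep first-seen order."""
    seen = []
    for name in re.split(r"[,\s]+", str(raw)):
        if name and name not in seen:
            seen.append(name)
    return seen

def is_enabled(value):
    """Accept YAML booleans and their string forms ("true", "True")."""
    return str(value).strip().lower() == "true"

def audit(config, cluster_namespaces):
    """Return what the effective config leaves unwatched."""
    effective = {**DEFAULTS, **config}
    excluded = parse_namespaces(effective["FILTER_NAMESPACES"])
    present = set(cluster_namespaces)
    return {
        # Namespaces that exist and are excluded from monitoring.
        "unmonitored": [n for n in excluded if n in present],
        # Filter entries matching nothing: typo or stale entry.
        "unmatched_filters": [n for n in excluded if n not in present],
        # Event classes switched off.
        "disabled_watches": sorted(
            k for k in DEFAULTS
            if k.startswith("ENABLE_") and not is_enabled(effective[k])),
    }

# Constructed sample: the block-scalar value from the filtering example above,
# plus a hypothetical operator change that disables secret monitoring.
SAMPLE_CONFIG = {
    "FILTER_NAMESPACES": "kube-system,\nkube-public,\nkube-node-lease\n",
    "ENABLE_SECRET_WATCH": False,
}
SAMPLE_NAMESPACES = ["default", "kube-system", "kube-public", "payments"]

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, SAMPLE_NAMESPACES))
```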

Performance Considerations

  • Event Batching: Events are batched to optimize performance
  • Selective Monitoring: Can be configured to monitor specific resource types
  • Namespace Filtering: Excludes system namespaces by default
  • Rate Limiting: Implements rate limiting to prevent API overload

Security Features

  • Real-Time Detection: Immediate detection of security-relevant events
  • Anomaly Detection: Identifies unusual patterns in resource access
  • Compliance Monitoring: Tracks compliance with security policies
  • Audit Trail: Maintains detailed audit logs of all monitored events

Integration

The rad-watch plugin integrates with other RAD Security components:
  • rad-guard: Provides event context for policy enforcement
  • rad-runtime: Correlates API events with runtime activities
  • RAD Security API: Streams events for centralized analysis

For additional configuration options, see the chart values file.