> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rad.security/llms.txt
> Use this file to discover all available pages before exploring further.

# rad-watch

> RAD Watch plugin for monitoring Kubernetes API events and changes

## Overview

The rad-watch plugin monitors Kubernetes API events and resource changes in real-time, providing continuous visibility into cluster activities and security-relevant events.

## How It Works

The rad-watch plugin operates as a Kubernetes controller that:

* **Event Monitoring**: Watches Kubernetes API events across all namespaces
* **Change Detection**: Detects and tracks resource modifications, creations, and deletions
* **Security Analysis**: Analyzes events for security implications and policy violations
* **Real-Time Reporting**: Streams security events to RAD Security for immediate analysis

## Monitored Events

The plugin monitors the following types of events:

* **Resource Lifecycle**: Creation, modification, and deletion of Kubernetes resources
* **RBAC Changes**: Changes to roles, role bindings, and permissions
* **Network Changes**: Modifications to network policies and service configurations
* **Security Context Changes**: Updates to pod security contexts and policies
* **Secret Access**: Monitoring of secret access patterns and usage

## Configuration

The RAD Watch component has configurable parameters:

| Environment Variable   | Default Value           | Description                            |
| ---------------------- | ----------------------- | -------------------------------------- |
| WATCH\_INTERVAL        | 1m                      | Interval between watch cycles          |
| EVENT\_BUFFER\_SIZE    | 1000                    | Size of event buffer for processing    |
| ENABLE\_RBAC\_WATCH    | true                    | Enable RBAC event monitoring           |
| ENABLE\_NETWORK\_WATCH | true                    | Enable network policy event monitoring |
| ENABLE\_SECRET\_WATCH  | true                    | Enable secret access monitoring        |
| FILTER\_NAMESPACES     | kube-system,kube-public | Namespaces to exclude from monitoring  |

## Event Filtering

The plugin supports configurable event filtering:

```yaml theme={null}
watch:
  config:
    FILTER_NAMESPACES: |
      kube-system,
      kube-public,
      kube-node-lease
    ENABLE_RBAC_WATCH: true
    ENABLE_NETWORK_WATCH: true
```

## Performance Considerations

* **Event Batching**: Events are batched to optimize performance
* **Selective Monitoring**: Can be configured to monitor specific resource types
* **Namespace Filtering**: Excludes system namespaces by default
* **Rate Limiting**: Implements rate limiting to prevent API overload

## Security Features

* **Real-Time Detection**: Immediate detection of security-relevant events
* **Anomaly Detection**: Identifies unusual patterns in resource access
* **Compliance Monitoring**: Tracks compliance with security policies
* **Audit Trail**: Maintains detailed audit logs of all monitored events

## Integration

The rad-watch plugin integrates with other RAD Security components:

* **rad-guard**: Provides event context for policy enforcement
* **rad-runtime**: Correlates API events with runtime activities
* **RAD Security API**: Streams events for centralized analysis

For additional configuration options, see the [chart values file](https://artifacthub.io/packages/helm/rad/rad-plugins).