I want to capture all system calls from a k8s pod.
Sysdig supports the -k flag for specifying a URL to the Kubernetes kubectl API. I exposed the kubectl API using the kubectl proxy command below:
kubectl proxy --port=8080 &
I want to filter system calls for a specific k8s pod called 'mypod':
sudo sysdig -k http://127.0.0.1:8080 k8s.pod.name=mypod
No events are captured using this filter. It is also worth noting that I am running this sysdig command from the master node, and that 'mypod' is running on a different worker machine that is part of the k8s cluster.
What am I missing?
Sysdig OSS should run on the same machine as the process/container you want to monitor.
If you try to filter syscalls that happen on another node, it'll be impossible, since a process never calls another machine's kernel.
Sysdig OSS, like Falco, works at the kernel level to monitor syscalls. If you were trying to monitor K8s audit events, that'd be different, since they are sent to the plugin socket.
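A small helper that follows from the answer, added here as an example and not part of the original question or answer: it looks up which node the pod is scheduled on and prints the sysdig command that has to run on that node rather than on the master. It assumes kubectl can reach the cluster from where you run it, that the worker node has kubectl configured so `kubectl proxy` works there too, and that you have ssh access to the worker; `k8s.ns.name` is sysdig's namespace filter field.

```shell
#!/bin/sh
# Resolve the node hosting a pod and print where/how to run sysdig for it.
# A pod's syscalls only ever reach the kernel of the node it runs on, so the
# capture must happen there. Assumptions (not from the original post):
#  - kubectl has cluster access from this host
#  - the worker node has kubectl configured, so `kubectl proxy` works on it
#  - ssh access to worker nodes exists

pod_node() {
    # Print the node hosting pod "$1" in namespace "$2" (empty if not found).
    kubectl get pod "$1" -n "$2" -o jsonpath='{.spec.nodeName}'
}

sysdig_filter() {
    # Sysdig filter for one pod: namespace plus pod name.
    printf 'k8s.ns.name=%s and k8s.pod.name=%s' "$2" "$1"
}

capture_plan() {
    # Usage: capture_plan POD [NAMESPACE]
    # Prints the command to run and where; it does not start the capture.
    pod=$1; ns=${2:-default}
    node=$(pod_node "$pod" "$ns") || return 1
    if [ -z "$node" ]; then
        echo "pod $pod not found in namespace $ns" >&2
        return 1
    fi
    # Same invocation as in the question, with the filter quoted because
    # it now contains spaces.
    cmd="sudo sysdig -k http://127.0.0.1:8080 \"$(sysdig_filter "$pod" "$ns")\""
    if [ "$node" = "$(hostname)" ]; then
        echo "# $pod runs on this node; capture locally"
        echo "$cmd"
    else
        echo "# $pod runs on $node, not here; run the capture on that node"
        echo "ssh $node 'kubectl proxy --port=8080 & $cmd'"
    fi
}

# Interactive use, e.g.: capture_plan mypod
```

Running it from the master for a pod scheduled elsewhere prints the ssh form, which is exactly the situation in the question.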