diff --git a/docs/cli/README.md b/docs/cli/README.md index b0eeea18b..68adeea75 100644 --- a/docs/cli/README.md +++ b/docs/cli/README.md @@ -50,32 +50,19 @@ Find more information at https://kolide.com/fleet ### Workflow ```bash -# Make sure you're currently using the current server (in this case: staging) -fleetctl config set-context staging +# Make sure you're currently using the current server (in this case: production linux hosts) +fleetctl config set-context production-linux # Edit the config file (or files) for your Fleet instance (or one of them) and apply the file -vim fleet-staging.yml -fleetctl apply -f ./fleet-staging.yml +vim fleet-linux.yml +fleetctl apply -f ./fleet-linux.yml # Commit the changes to an upstream source tree -git add fleet-staging.yml -git commit -m "new changes to staging fleet instance" +git add fleet-linux.yml +git commit -m "new changes to osquery production linux configuration" git push ``` -Alternatively, you can specify the context as a flag for easy use in parallel scripts or instances where you may have many Fleet environments: - -```bash -# Edit your Fleet config file -vim fleet.yml - -# First apply the configuration to your staging environment for testing -fleetctl apply -f ./fleet.yml --context=staging - -# Apply the configuration to both staging and production at the same time -fleetctl apply -f ./fleet.yml --context=staging,production -``` - ## Configuration File Format A Fleet configuration is defined using one or more declarative "messages" in yaml syntax. Each message can live in it's own file or multiple in one file, each separated by `---`. Each file/message contains a few required top-level keys: 
@@ -108,7 +95,7 @@ All of these files can be concatenated together into [one file](../../examples/c The following file describes configuration options passed to the osquery instance. All other configuration data will be over-written by the application of this file. ```yaml -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryOptions spec: config: @@ -183,13 +170,13 @@ spec: The following file describes the labels which hosts should be automatically grouped into. The label resource should reference the query by name. Both of these resources can be included in the same file as such: ```yaml -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: slack_not_running query: slack_not_running --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1/alpha1 kind: OsqueryQuery spec: name: slack_not_running @@ -207,7 +194,7 @@ spec: For especially long or complex queries, you may want to define one query in one file. Continued edits and applications to this file will update the query as long as the `metadata.name` does not change. If you want to change the name of a query, you must first create a new query with the new name and then delete the query with the old name. Make sure the old query name is not defined in any packs before deleting it or an error will occur. ```yaml -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: docker_processes @@ -223,7 +210,7 @@ spec: To define multiple queries in a file, concatenate multiple `OsqueryQuery` resources together in a single file with `---`. For example, consider a file that you might store at `queries/osquery_monitoring.yml`: ```yaml -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_version 
@@ -233,21 +220,21 @@ spec: launcher: 0.3.0 osquery: 2.9.0 --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_schedule description: Report performance stats for each file in the query schedule. query: select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule; --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_info description: A heartbeat counter that reports general performance (CPU, memory) and version. query: select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid; --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_events @@ -260,7 +247,7 @@ spec: To define query packs, reference queries defined elsewhere by name. This is why the "name" of a query is so important. You can define many of these packs in many files. ```yaml -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryPack spec: name: osquery_monitoring diff --git a/examples/config-many-files/config.yml b/examples/config-many-files/config.yml index 4dd1feae0..412c3c733 100644 --- a/examples/config-many-files/config.yml +++ b/examples/config-many-files/config.yml @@ -1,5 +1,5 @@ --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryOptions spec: config: diff --git a/examples/config-many-files/labels.yml b/examples/config-many-files/labels.yml index f07aaf8c6..c06b2e7fe 100644 --- a/examples/config-many-files/labels.yml +++ b/examples/config-many-files/labels.yml 
@@ -1,42 +1,42 @@ --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: all_hosts query: always_true --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: macs query: darwin_hosts --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: ubuntu query: ubuntu_hosts --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: centos query: centos_hosts --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: windows query: windows_hosts --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: query: pending_updates platforms: - darwin --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: query: slack_not_running diff --git a/examples/config-many-files/packs/osquery-monitoring.yml b/examples/config-many-files/packs/osquery-monitoring.yml index ebebf4339..52af588a4 100644 --- a/examples/config-many-files/packs/osquery-monitoring.yml +++ b/examples/config-many-files/packs/osquery-monitoring.yml @@ -1,5 +1,5 @@ --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryPack spec: name: osquery_monitoring diff --git a/examples/config-many-files/queries.yml b/examples/config-many-files/queries.yml index 6bf9dd49e..b03f1267d 100644 --- a/examples/config-many-files/queries.yml +++ b/examples/config-many-files/queries.yml @@ -1,5 +1,5 @@ --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_version 
@@ -9,29 +9,29 @@ spec: launcher: 0.3.0 osquery: 2.9.0 --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_schedule description: Report performance stats for each file in the query schedule. query: select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule; --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_info description: A heartbeat counter that reports general performance (CPU, memory) and version. query: select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid; --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_events description: Report event publisher health and track event counters. query: select name, publisher, type, subscriptions, events, active from osquery_events; -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: docker_processes 
@@ -43,37 +43,37 @@ spec: - linux - darwin --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: hostname query: select hostname from system_info; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: uuid query: select uuid from osquery_info; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: instance_id query: select instance_id from system_info; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: always_true query: select 1; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: pending_updates query: SELECT value from plist where path = "/Library/Preferences/ManagedInstalls.plist" and key = "PendingUpdateCount" and value > "0"; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: slack_not_running @@ -85,25 +85,25 @@ spec: WHERE name LIKE "%Slack%" ); --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: centos_hosts query: select 1 from os_version where platform = "centos"; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: ubuntu_hosts query: select 1 from os_version where platform = "ubuntu"; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: windows_hosts query: select 1 from os_version where platform = "windows"; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: darwin_hosts diff --git a/examples/config-single-file.yml b/examples/config-single-file.yml index 59f183958..c2f73b41b 100644 --- a/examples/config-single-file.yml +++ b/examples/config-single-file.yml 
@@ -1,5 +1,5 @@ --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryOptions spec: config: @@ -67,49 +67,49 @@ spec: interval: 3600: "SELECT total_seconds AS uptime FROM uptime" --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: all_hosts query: always_true --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: macs query: darwin_hosts --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: ubuntu query: ubuntu_hosts --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: centos query: centos_hosts --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: name: windows query: windows_hosts --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: query: pending_updates platforms: - darwin --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryLabel spec: query: slack_not_running --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryPack spec: name: osquery_monitoring @@ -134,7 +134,7 @@ spec: interval: 600 removed: false --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_version 
@@ -144,29 +144,29 @@ spec: launcher: 0.3.0 osquery: 2.9.0 --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_schedule description: Report performance stats for each file in the query schedule. query: select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule; --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_info description: A heartbeat counter that reports general performance (CPU, memory) and version. query: select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid; --- -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: osquery_events description: Report event publisher health and track event counters. query: select name, publisher, type, subscriptions, events, active from osquery_events; -apiVersion: k8s.kolide.com/v1alpha1 +apiVersion: kolide.com/v1alpha1 --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: docker_processes 
@@ -178,37 +178,37 @@ spec: - linux - darwin --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: hostname query: select hostname from system_info; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: uuid query: select uuid from osquery_info; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: instance_id query: select instance_id from system_info; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: always_true query: select 1; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: pending_updates query: SELECT value from plist where path = "/Library/Preferences/ManagedInstalls.plist" and key = "PendingUpdateCount" and value > "0"; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: slack_not_running @@ -220,25 +220,25 @@ spec: WHERE name LIKE "%Slack%" ); --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: centos_hosts query: select 1 from os_version where platform = "centos"; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: ubuntu_hosts query: select 1 from os_version where platform = "ubuntu"; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: windows_hosts query: select 1 from os_version where platform = "windows"; --- -apiVersion: k8s.kolide.com/v1/alpha1 +apiVersion: kolide.com/v1alpha1 kind: OsqueryQuery spec: name: darwin_hosts
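Review bot: in docs/cli/README.md, hunk @@ -50,32 +50,19 @@, the deleted paragraph and code block were the only description of the `--context` flag (`fleetctl apply -f ./fleet.yml --context=staging,production`), and nothing in the patch says whether the flag still exists. If it does, keep a short mention of it; if it was removed, state that in the commit message. The example that remains now applies `fleet-linux.yml` to a production context, with `git commit` and `git push` only afterwards, and the staging-first step is gone. Consider noting that the file should be reviewed before `fleetctl apply`. The new comment "Make sure you're currently using the current server" also repeats "current" and would read better as "Make sure you're targeting the intended server".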
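Review bot: in docs/cli/README.md, hunk @@ -183,13 +170,13 @@, the added line for the `slack_not_running` OsqueryQuery is `apiVersion: kolide.com/v1/alpha1`, which keeps the stray slash in the version. Every other added line in this patch uses `kolide.com/v1alpha1`, and the same `v1/alpha1` typo is corrected in examples/config-many-files/queries.yml and examples/config-single-file.yml. Change this line to `apiVersion: kolide.com/v1alpha1` so that the README example matches the example files.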
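Review bot: in examples/config-many-files/queries.yml (hunk @@ -9,29 +9,29 @@) and examples/config-single-file.yml (hunk @@ -144,29 +144,29 @@), an `apiVersion` line sits at the end of the `osquery_events` document, after its `query:` and before the `---` separator, in addition to the `apiVersion` that opens that document. The patch renames this line to `apiVersion: kolide.com/v1alpha1` rather than dropping it. It looks like a leftover; delete it in both files so that the document does not carry the key twice.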