Openshift 4.2 instructions
Openshift 4.2 is actually pretty easy, although you have to deploy a
helper log forwarder that runs on the api server, reads the existing
audit log, and forwards to the agent. Requires agent 0.95.0 or some
agent that has falcosecurity/falco#967.
mstemm committed Dec 10, 2019
1 parent 9388561 commit 0e62546
Showing 3 changed files with 14 additions and 0 deletions.
8 changes: 8 additions & 0 deletions k8s_audit_config/README.md
Expand Up @@ -95,6 +95,14 @@ Minishift 3.11 also supports webhook backends, but the way minishift launches th

## Openshift 4.2

Openshift 4.2 by default enables K8s api server logs and makes them available on each master node at the path `/var/log/kube-apiserver/audit.log`. However, the api server is not configured with the ability to create a webhook or dynamic backend. Rather than provide instructions to enable either of those backends, we provide a audit-log-forwarder daemonset that reads the audit log and forwards the contents to the sysdig agent service. This log forwarder is only compatible with agents >= 0.95.0.

1. Feploy the audit-log-forwarder daemonset using the provided [audit-log-forwarder.yaml](./audit-log-forwarder.yaml) file, via the following. This should be created in the same namespace as the agent (usually `sysdig-agent`). Once created, the forwarder will monitor the audit logs on each master, routing K8s audit events to the agent's service.

```
kubectl apply -f audit-log-forwarder.yaml -n sysdig-agent
```

## Kops, using K8s >= 1.11/1.12

When using K8s 1.11/1.12, only webhook backends are supported.
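Review bot: "Feploy" in step 1 of the new Openshift 4.2 section is a typo for "Deploy"; this is user-facing documentation, so fix it before merging. Two smaller points in the same section: the fenced block around `kubectl apply -f audit-log-forwarder.yaml -n sysdig-agent` has no language tag (use ```bash, as a shell snippet), and since the section states that the forwarder reads `/var/log/kube-apiserver/audit.log` on every master, it would help readers to say explicitly that the daemonset therefore mounts that host path on master nodes and that the API server audit log carries request metadata for the whole cluster, so the namespace it is deployed into and the agent service it forwards to should be treated as sensitive. The "usually `sysdig-agent`" wording also disagrees with the hard-coded `-n sysdig-agent` in the command; either parameterise the namespace or state that the command must be adjusted when the agent lives elsewhere.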
2 changes: 2 additions & 0 deletions k8s_audit_config/audit-log-forwarder.yaml
Expand Up @@ -46,6 +46,8 @@ spec:
- name: audit-log-forwarder-config
configMap:
name: sysdig-audit-log-forwarder
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
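Review bot: the added toleration for `node-role.kubernetes.io/master` gives neither a `value` nor an `operator`, so it falls back to `operator: Equal` with an empty value; that happens to match the default master taint (which has no value), but spelling out `operator: Exists` makes the intent explicit and keeps the pod schedulable if the taint ever carries a value. Pairing the toleration with the `nodeSelector` on the same label is the right combination here, since the README in this commit says the audit log only exists on master nodes, and the selector stops the forwarder from being scheduled on workers where the file is absent. Consider adding a one-line comment above the two new stanzas saying why the forwarder must run on masters, so a later edit does not drop one of them.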
4 changes: 4 additions & 0 deletions k8s_audit_config/enable-k8s-audit.sh
Expand Up @@ -28,6 +28,10 @@ elif [ "$VARIANT" == "openshift-3.11" ]; then
elif [[ "$VARIANT" == kops* ]]; then
SSH_CMD="ssh -i ~/.ssh/id_rsa admin@$APISERVER"
COPY_CMD="scp -i ~/.ssh/id_rsa \$SOURCEFILE admin@$APISERVER:\$DESTFILE"
elif [[ "$VARIANT" == "openshift-4.2" ]]; then
echo "***Creating audit log forwarder daemonset..."
kubectl apply -f ./audit-log-forwarder.yaml -n sysdig-agent
exit 0
else
echo "Unknown K8s Distribution+version $VARIANT. Exiting."
exit 1
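Review bot: the new `openshift-4.2` branch hard-codes the `sysdig-agent` namespace and a path relative to the current directory (`./audit-log-forwarder.yaml`), whereas the other branches only set `SSH_CMD`/`COPY_CMD` and let the rest of the script do the work; run from any other directory this branch fails on the missing file, and if the agent lives in another namespace the daemonset lands in the wrong place. Suggest resolving the manifest relative to the script (`"$(dirname "$0")/audit-log-forwarder.yaml"`) and reading the namespace from a variable with `sysdig-agent` as the default. The early `exit 0` is fine since this variant needs no SSH step, but a short comment saying so would stop a future reader from "fixing" it, and the `[[ ... ]]` test here is inconsistent with the `[ ... ]` used in the `openshift-3.11` branch above.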

0 comments on commit 0e62546
