WIP on audit log forwarder, using fluent-bit

It turns out that openshift 4 does automatically make audit logs available on the master node as a file by default, but it doesn't enable dynamic audit sinks. Rather than change the api server config, which is risky, instead deploy a helper daemonset that can read the api server logs and send the contents to the agent's audit webhook. We can probably used this for other k8s distributions as well. This relies on a pending falco change falcosecurity/falco#967.
draios · Dec 10, 2019 · d69f3e5 · d69f3e5
1 parent 34148bc
commit d69f3e5
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 1 deletion.
diff --git a/k8s_audit_config/README.md b/k8s_audit_config/README.md
@@ -10,7 +10,8 @@ In all cases, you should first install a Sysdig Agent to your cluster, following
 These instructions cover the following K8s distributions:
 
 * Openshift: 3.11, 4.2
-* Minishift: When using openshift 3.11, 4.2
+* Minishift: When using openshift 3.11
+* Code Ready Containers: When using openshift 4.2
 * GKE
 * Kops
 * EKS
@@ -92,6 +93,8 @@ Minishift 3.11 also supports webhook backends, but the way minishift launches th
     # minishift openshift restart
     ```
 
+## Openshift 4.2
+
 ## Kops, using K8s >= 1.11/1.12
 
 When using K8s 1.11/1.12, only webhook backends are supported.

diff --git a/k8s_audit_config/audit-log-forwarder.yaml b/k8s_audit_config/audit-log-forwarder.yaml
@@ -0,0 +1,77 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sysdig-audit-log-forwarder
+data:
+  fluent.conf: |
+    [INPUT]
+      Name tail
+      Path /host/var/log/kube-apiserver/audit.log
+      Parser k8s_audit
+
+    [OUTPUT]
+      Name http
+      Host sysdig-agent.sysdig-agent.svc.cluster.local
+      Port 7765
+      URI /k8s_audit
+      Format json
+  parsers.conf: |
+    [PARSER]
+      Name k8s_audit
+      Format      json
+      Time_Key    stageTimestamp
+      Time_Format %Y-%m-%dT%H:%M:%S.%L
+      Time_Keep   On
+---
+apiVersion: extensions/v1beta1
+kind: DaemonSet
+metadata:
+  name: sysdig-audit-log-forwarder
+  labels:
+    app: sysdig-audit-log-forwarder
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: sysdig-agent
+    spec:
+      volumes:
+      - name: kube-apiserver-audit-log
+        hostPath:
+          path: /var/log/kube-apiserver/audit.log
+          type: File
+      - name: audit-log-forwarder-config
+        configMap:
+          name: sysdig-audit-log-forwarder
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+      serviceAccount: sysdig-agent
+      containers:
+      - name: fluent-bit
+        image: fluent/fluent-bit:1.3-debug
+        imagePullPolicy: IfNotPresent
+        securityContext:
+          privileged: true
+        command:
+          - /fluent-bit/bin/fluent-bit
+          - --config
+          - /config/fluent.conf
+          - --parser
+          - /config/parsers.conf
+        resources:
+          requests:
+            cpu: 500m
+            memory: 100Mi
+          limits:
+            cpu: 2
+            memory: 500Mi
+        volumeMounts:
+        - mountPath: /host/var/log/kube-apiserver/audit.log
+          name: kube-apiserver-audit-log
+          readOnly: true
+        - mountPath: /config
+          name: audit-log-forwarder-config