Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[stable/falco] Enable support of K8s audit events in Falco (#15668)
* [stable/falco] Allow audit logging with Falco

  You can enable it on minikube with the following command:

  `helm install --name falco --set falco.webserver.enabled=true --set falco.webserver.clusterIP=10.96.0.100 stable/falco`

  The main problem is that minikube doesn't resolve the service from apiserver, so that you need to specify the clusterIP.

  https://github.com/falcosecurity/falco/blob/dev/examples/k8s_audit_config/README.md

  Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Apiserver doesn't resolve internal services

  That would be a layering violation so we are going to rely only on clusterIP and that parameter is required if we enable the webserver features.

  https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#url

  Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Document values and upgrade chart version

  This is a 1.0.0 version, which means that Helm chart is feature complete in terms of we provide same functionality that daemonset provides.

  It's time to celebrate!

  Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Add a section in README for explaining K8s audit event support

  Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Write the README in a more actionable way

  Telling all the history about the Falco implementation of Audit Event rules is a bit useless here. It can be found on the awesome Falco documentation.

  Here I would like to focus a bit more on chart users and show them how to enable Falco with the audit events feature.

  Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Add instructions for choosing the clusterIP address

  And another option for not recognized resource is that we were using a K8s version previous to v1.13

  Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
1 parent 0773e4a, commit 8998e00
Showing 9 changed files with 625 additions and 67 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
apiVersion: v1 | ||
name: falco | ||
version: 0.9.1 | ||
version: 1.0.0 | ||
appVersion: 0.15.3 | ||
description: Falco | ||
keywords: | ||
|
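Review bot: the bump from `version: 0.9.1` to `version: 1.0.0` reads as a stability signal, yet the AuditSink template added in this same commit targets `auditregistration.k8s.io/v1alpha1`, an alpha API. Suggest stating in the chart description or README that audit-event support depends on an alpha API and is gated behind `falco.webserver.enabled`, so users do not take 1.0.0 as a stability guarantee for that feature.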
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
{{- if .Values.falco.webserver.enabled }} | ||
kind: Service | ||
apiVersion: v1 | ||
metadata: | ||
name: {{ template "falco.fullname" .}}-audit-service | ||
labels: | ||
app: {{ template "falco.fullname" . }} | ||
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
spec: | ||
selector: | ||
app: {{ template "falco.fullname" .}} | ||
clusterIP: {{ .Values.falco.webserver.clusterIP }} | ||
ports: | ||
- protocol: TCP | ||
port: {{ .Values.falco.webserver.listenPort }} | ||
{{- end }} |
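Review bot: `clusterIP: {{ .Values.falco.webserver.clusterIP }}` is rendered here without the `required` guard that the AuditSink template applies to the same value, so validation of the address depends on the other template being rendered. Suggest applying the same `required` call, and quoting the value, in this file so the Service fails on its own with a clear message. The port entry sets only `protocol` and `port`; adding a `name` and an explicit `targetPort` would make the mapping to the Falco webserver explicit. Nothing in this hunk restricts which clients can reach the port, so the chart should document or provide a way to limit access to the audit endpoint to the API server.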
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
{{- if .Values.falco.webserver.enabled }} | ||
apiVersion: auditregistration.k8s.io/v1alpha1 | ||
kind: AuditSink | ||
metadata: | ||
name: {{ template "falco.fullname" .}}-audit-sink | ||
spec: | ||
policy: | ||
level: RequestResponse | ||
stages: | ||
- ResponseComplete | ||
- ResponseStarted | ||
webhook: | ||
throttle: | ||
qps: 10 | ||
burst: 15 | ||
clientConfig: | ||
url: http://{{ required "A valid .Values.falco.webserver.clusterIP entry required" .Values.falco.webserver.clusterIP }}:{{ .Values.falco.webserver.listenPort }}{{ .Values.falco.webserver.k8sAuditEndpoint }} | ||
{{- end }} |
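Review bot: the `url:` under `clientConfig` is built with `http://` while the policy is `level: RequestResponse`, so audit events that include full request and response bodies travel from the API server to Falco unencrypted. Suggest exposing the audit level through chart values with a less verbose default such as `Metadata`, and supporting an `https://` endpoint with a `caBundle` in `clientConfig`. The `throttle` settings `qps: 10` and `burst: 15` are hard-coded as well; making them values would let operators tune them per cluster.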