[stable/falco] Enable support of K8s audit events in Falco (#15668)

* [stable/falco] Allow audit logging with Falco

You can enable it on minikube with the following command:

`helm install --name falco --set falco.webserver.enabled=true --set
falco.webserver.clusterIP=10.96.0.100 stable/falco`

The main problem is that minikube doesn't resolve the service from apiserver,
so that you need to specify the clusterIP.

https://github.com/falcosecurity/falco/blob/dev/examples/k8s_audit_config/README.md

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Apiserver don't resolve internal services

That would be a layering violation so we are going to rely only con
clusterIP and that parameter is required if we enable the webserver
features.

https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#url

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Document values and upgrade chart version

This is an 1.0.0 version, which means that Helm chart is feature
complete in terms of we provide same functionality that daemonset
provides.

It's time to celebrate!

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Add a section in README for explaining K8s audit event support

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Write the README in a more actionable way

Telling all the history about the Falco implementation of Audit Event
rules is a bit useless here. It can be found on the awesome Falco
documentation.

Here I would like to focus a bit more on chart users and show them how
to enable Falco with the audit events feature.

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Add instructions for choosing the clusterIP address

And another option for not recognized resource is that we were using a
K8s version previous to v1.13

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

CHANGELOG.md

@@ -3,6 +3,12 @@
 This file documents all notable changes to Sysdig Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v1.0.0
+
+### Major Changes
+
+* Add support for K8s audit logging
+
 ## v0.9.1
 
 ### Minor Changes

Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: falco
-version: 0.9.1
+version: 1.0.0
 appVersion: 0.15.3
 description: Falco
 keywords:

templates/auditservice.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.falco.webserver.enabled }}
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ template "falco.fullname" .}}-audit-service
+  labels:
+    app: {{ template "falco.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  selector:
+    app: {{ template "falco.fullname" .}}
+  clusterIP: {{ .Values.falco.webserver.clusterIP }}
+  ports:
+  - protocol: TCP
+    port: {{ .Values.falco.webserver.listenPort }}
+{{- end }}

templates/auditsink.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.falco.webserver.enabled }}
+apiVersion: auditregistration.k8s.io/v1alpha1
+kind: AuditSink
+metadata:
+  name: {{ template "falco.fullname" .}}-audit-sink
+spec:
+  policy:
+    level: RequestResponse
+    stages:
+      - ResponseComplete
+      - ResponseStarted
+  webhook:
+    throttle:
+      qps: 10
+      burst: 15
+    clientConfig:
+      url: http://{{ required "A valid .Values.falco.webserver.clusterIP entry required" .Values.falco.webserver.clusterIP }}:{{ .Values.falco.webserver.listenPort }}{{ .Values.falco.webserver.k8sAuditEndpoint }}
+{{- end }}

templates/configmap.yaml

@@ -133,6 +133,24 @@ data:
     stdout_output:
       enabled: {{ .Values.falco.stdoutOutput.enabled }}
 
+    # Falco contains an embedded webserver that can be used to accept K8s
+    # Audit Events. These config options control the behavior of that
+    # webserver. (By default, the webserver is disabled).
+    #
+    # The ssl_certificate is a combination SSL Certificate and corresponding
+    # key contained in a single file. You can generate a key/cert as follows:
+    #
+    # $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+    # $ cat certificate.pem key.pem > falco.pem
+    # $ sudo cp falco.pem /etc/falco/falco.pem
+
+    webserver:
+      enabled: {{ .Values.falco.webserver.enabled }}
+      listen_port: {{ .Values.falco.webserver.listenPort }}
+      k8s_audit_endpoint: {{ .Values.falco.webserver.k8sAuditEndpoint }}
+      ssl_enabled: false
+      ssl_certificate: /etc/falco/falco.pem
+
     # Possible additional things you might want to do with program output:
     #   - send to a slack webhook:
     #         program: "\"jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX\""

templates/daemonset.yaml

@@ -214,6 +214,10 @@ spec:
                 path: falco_rules.yaml
               - key: falco_rules.local.yaml
                 path: falco_rules.local.yaml
+              {{- if .Values.falco.webserver.enabled }}
+              - key: k8s_audit_rules.yaml
+                path: k8s_audit_rules.yaml
+              {{- end }}
         {{- if .Values.customRules }}
         - name: rules-volume
           configMap:

values.yaml

@@ -80,6 +80,7 @@ falco:
   rulesFile:
     - /etc/falco/falco_rules.yaml
     - /etc/falco/falco_rules.local.yaml
+    - /etc/falco/k8s_audit_rules.yaml
     - /etc/falco/rules.d
 
   # If true, the times displayed in log messages and output messages
@@ -170,6 +171,15 @@ falco:
   stdoutOutput:
     enabled: true
 
+  # Falco contains an embedded webserver that can be used to accept K8s
+  # Audit Events. These config options control the behavior of that
+  # webserver. (By default, the webserver is disabled).
+  webserver:
+    enabled: false
+    listenPort: 8765
+    k8sAuditEndpoint: /k8s-audit
+    clusterIP:
+
   # Possible additional things you might want to do with program output:
   #   - send to a slack webhook:
   #     program: "\"jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX\""