chore(k8s-audit-only): add audit sink

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
falcosecurity · May 27, 2020 · e8702e0 · e8702e0
1 parent fb8b09d
commit e8702e0
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 1 deletion.
diff --git a/deploy/kubernetes/k8s-audit-only/.gitignore b/deploy/kubernetes/k8s-audit-only/.gitignore
@@ -0,0 +1,2 @@
+falco-config
+audit-sink.yaml
diff --git a/deploy/kubernetes/k8s-audit-only/README.md b/deploy/kubernetes/k8s-audit-only/README.md
@@ -50,3 +50,15 @@ Now that we have the requirements for our Deployment in place, we can create our
 $ kubectl create -f ./deployment.yaml
 daemonset "falco" created
 ```
+
+### Deploy AuditSink objects
+
+[audit-sink.yaml.in](./audit-sink.yaml.in), in this directory, is a template audit sink configuration that defines the dynamic audit policy and webhook to route Kubernetes audit events to Falco.
+
+Run the following to fill in the template file with the `ClusterIP` IP address you created with the `falco-service` service above. Although services like `falco-service.default.svc.cluster.local` can not be resolved from the kube-apiserver, the ClusterIPs associated with those services are routable.
+
+```
+FALCO_SERVICE_CLUSTERIP=$(kubectl get service falco-k8s-audit -o=jsonpath={.spec.clusterIP}) envsubst < audit-sink.yaml.in > audit-sink.yaml
+```
+
+> The example above is not intended to be used in production. To register the webhook using a service reference please see the [Kubernetes Documentation](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#service-reference) and enable SSL for `webserver` feature in `falco.yaml`.
diff --git a/deploy/kubernetes/k8s-audit-only/audit-sink.yaml.in b/deploy/kubernetes/k8s-audit-only/audit-sink.yaml.in
@@ -0,0 +1,16 @@
+apiVersion: auditregistration.k8s.io/v1alpha1
+kind: AuditSink
+metadata:
+  name: falco-audit-sink
+spec:
+  policy:
+    level: RequestResponse
+    stages:
+      - ResponseComplete
+      - ResponseStarted
+  webhook:
+    throttle:
+      qps: 10
+      burst: 15
+    clientConfig:
+      url: "http://$FALCO_SERVICE_CLUSTERIP:8765/k8s-audit"
diff --git a/deploy/kubernetes/k8s-audit-only/falco.yaml b/deploy/kubernetes/k8s-audit-only/falco.yaml
@@ -139,7 +139,7 @@ stdout_output:
 webserver:
   enabled: true
   listen_port: 8765
-  k8s_audit_endpoint: /k8s_audit
+  k8s_audit_endpoint: /k8s-audit
   ssl_enabled: false
   ssl_certificate: /etc/falco/falco.pem