(WIP) K8s Deployment to run event generator w k8s_audit
Add a deployment yaml that allows running the event generator in a k8s cluster:

- Change the event generator to create/delete objects in a namespace "falco-eg-sandbox" instead of "falco-event-generator". That way you separate the generator from the resources it modifies (mostly, the exception being the rolebinding).
- Create a serviceaccount, clusterrole, and rolebinding that allows the event generator to create/list/delete objects in the falco-eg-sandbox namespace. The list of permissions is fairly broad mostly so the event generator can delete all resources without explicitly naming them. The binding does limit permissions to the falco-eg-sandbox namespace, though.

A one-line way to run this would be:

    kubectl create namespace falco-event-generator && \
    kubectl create namespace falco-eg-sandbox && \
    kubectl apply -f event-generator-role-rolebinding-serviceaccount.yaml && \
    kubectl apply -f event-generator-k8saudit-deployment.yaml

I haven't actually pushed a new docker image to replace the current event generator yet--the deployment yaml refers to a placeholder falcosecurity/falco-event-generator:eg-sandbox image. Once the review is done I'll rebase this to change the image to latest before merging.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Showing 16 changed files with 107 additions and 25 deletions.
docker/event-generator/event-generator-k8saudit-deployment.yaml (23 additions, 0 deletions)
@@ -0,0 +1,23 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: falco-event-generator-k8saudit | ||
labels: | ||
app: falco-event-generator-k8saudit | ||
namespace: falco-event-generator | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: falco-event-generator-k8saudit | ||
template: | ||
metadata: | ||
labels: | ||
app: falco-event-generator-k8saudit | ||
spec: | ||
serviceAccount: falco-event-generator | ||
containers: | ||
- name: falco-event-generator | ||
image: falcosecurity/falco-event-generator:eg-sandbox | ||
imagePullPolicy: Always | ||
args: ["k8s_audit"] |
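Review bot: `serviceAccount: falco-event-generator` in the pod template uses the deprecated PodSpec field name; the current field is `serviceAccountName`, so change the line to `serviceAccountName: falco-event-generator` to make sure the ServiceAccount from event-generator-role-rolebinding-serviceaccount.yaml is actually attached. Also, `image: falcosecurity/falco-event-generator:eg-sandbox` is the placeholder tag the commit message describes as not yet pushed, and combined with `imagePullPolicy: Always` the pod will sit in an image pull error until that image exists or the tag is switched to `latest` as planned; a `# TODO: replace placeholder tag before merging` comment next to the image line would keep the placeholder from slipping through.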
docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml (71 additions, 0 deletions)
@@ -0,0 +1,71 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: falco-event-generator | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- configmaps | ||
- services | ||
- serviceaccounts | ||
- pods | ||
verbs: | ||
- list | ||
- get | ||
- create | ||
- delete | ||
- apiGroups: | ||
- apps | ||
- extensions | ||
resources: | ||
- deployments | ||
verbs: | ||
- list | ||
- get | ||
- create | ||
- delete | ||
- apiGroups: | ||
- rbac.authorization.k8s.io | ||
resources: | ||
- roles | ||
- rolebindings | ||
verbs: | ||
- get | ||
- list | ||
- create | ||
- delete | ||
# These are only so the event generator can create roles that have these properties. | ||
# It will result in a falco alert for the rules "ClusterRole With Wildcard Created", "ClusterRole With Pod Exec Created" | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- pods/exec | ||
verbs: | ||
- get | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- '*' | ||
verbs: | ||
- get | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: falco-event-generator | ||
namespace: falco-eg-sandbox | ||
subjects: | ||
- kind: ServiceAccount | ||
name: falco-event-generator | ||
namespace: falco-event-generator | ||
roleRef: | ||
kind: ClusterRole | ||
name: falco-event-generator | ||
apiGroup: rbac.authorization.k8s.io | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: falco-event-generator | ||
namespace: falco-event-generator |
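Review bot: the comment above the last two rules ("These are only so the event generator can create roles that have these properties") should state the underlying reason: RBAC escalation prevention only lets a subject create a Role or ClusterRole whose permissions it already holds, which is why `get` on `pods/exec` and on `'*'` have to be granted here even though the generator never calls those endpoints itself. The same comment should also record that the grant is applied through a RoleBinding in `falco-eg-sandbox` rather than a ClusterRoleBinding, so the wildcard `get` stays confined to that namespace, and that applying this file can by itself fire the "ClusterRole With Wildcard Created" and "ClusterRole With Pod Exec Created" rules it names, because this ClusterRole contains a `'*'` resource and `pods/exec`; anyone validating Falco against this setup should expect those alerts at apply time, before the generator produces any. Minor: `extensions` in the deployments rule is the legacy API group; `apps` alone is enough on current clusters, though keeping both is harmless.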