(WIP) K8s Deployment to run event generator w k8s_audit

Add a deployment yaml that allows running the event generator in a k8s
cluster:

 - Change the event generator to create/delete objects in a namespace
   "falco-eg-sandbox" instead of "falco-event-generator". That way you
   separate the generator from the resources it modifies (mostly, the
   exception being the rolebinding).
 - Create a serviceaccount, clusterrole, and rolebinding that allows the
   event generator to create/list/delete objects in the falco-eg-sandbox
   namespace. The list of permissions is fairly broad mostly so the
   event generator can delete all resources without explicitly naming
   them. The binding does limit permissions to the falco-eg-sandbox
   namespace, though.

A one-line way to run this would be:

kubectl create namespace falco-event-generator && \
  kubectl create namespace falco-eg-sandbox && \
  kubectl apply -f event-generator-role-rolebinding-serviceaccount.yaml && \
  kubectl apply -f event-generator-k8saudit-deployment.yaml

I haven't actually pushed a new docker image to replace the current
event generator yet--the deployment yaml refers to a placeholder
falcosecurity/falco-event-generator:eg-sandbox image. Once the review is
done I'll rebase this to change the image to latest before merging.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

docker/event-generator/event-generator-k8saudit-deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: falco-event-generator-k8saudit
+  labels:
+    app: falco-event-generator-k8saudit
+  namespace: falco-event-generator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: falco-event-generator-k8saudit
+  template:
+    metadata:
+      labels:
+        app: falco-event-generator-k8saudit
+    spec:
+      serviceAccount: falco-event-generator
+      containers:
+      - name: falco-event-generator
+        image: falcosecurity/falco-event-generator:eg-sandbox
+        imagePullPolicy: Always
+        args: ["k8s_audit"]

docker/event-generator/event-generator-role-rolebinding-serviceaccount.yaml

@@ -0,0 +1,71 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: falco-event-generator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - services
+  - serviceaccounts
+  - pods
+  verbs:
+  - list
+  - get
+  - create
+  - delete
+- apiGroups:
+  - apps
+  - extensions
+  resources:
+  - deployments
+  verbs:
+  - list
+  - get
+  - create
+  - delete
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - get
+  - list
+  - create
+  - delete
+# These are only so the event generator can create roles that have these properties.
+# It will result in a falco alert for the rules "ClusterRole With Wildcard Created", "ClusterRole With Pod Exec Created"
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - '*'
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: falco-event-generator
+  namespace: falco-eg-sandbox
+subjects:
+  - kind: ServiceAccount
+    name: falco-event-generator
+    namespace: falco-event-generator
+roleRef:
+  kind: ClusterRole
+  name: falco-event-generator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: falco-event-generator
+  namespace: falco-event-generator

docker/event-generator/k8s_event_generator.sh

@@ -17,15 +17,18 @@ kubectl version --short
 
 while true; do
 
-    RET=$(kubectl get namespaces --output=name | grep falco-event-generator || true)
-
-    if [[ "$RET" == *falco-event-generator* ]]; then
-	echo "***Deleting existing falco-event-generator namespace..."
-	kubectl delete namespace falco-event-generator
-    fi
-
-    echo "***Creating falco-event-generator namespace..."
-    kubectl create namespace falco-event-generator
+    # Delete all resources in the falco-eg-sandbox namespace
+    echo "***Deleting all resources in falco-eg-sandbox namespace..."
+    kubectl delete --all configmaps -n falco-eg-sandbox
+    kubectl delete --all deployments -n falco-eg-sandbox
+    kubectl delete --all services -n falco-eg-sandbox
+    kubectl delete --all roles -n falco-eg-sandbox
+    kubectl delete --all serviceaccounts -n falco-eg-sandbox
+
+    # We don't delete all rolebindings in the falco-eg-sandbox
+    # namespace, as that would also delete the rolebinding for the
+    # event generator itself.
+    kubectl delete rolebinding vanilla-role-binding -n falco-eg-sandbox || true
 
     for file in yaml/*.yaml; do
 
@@ -48,7 +51,7 @@ while true; do
 	    RULES=$(echo "$RULES" | tr '-' ' '| tr '.' '/' | sed -e 's/ *//' | sed  -e 's/,$//')
 
 	    echo "***$MESSAGES (Rule(s) $RULES)..."
-	    kubectl apply -f $file
+	    kubectl apply -f $file -n falco-eg-sandbox
 	    sleep 2
 	fi
     done

docker/event-generator/yaml/configmap-private-creds.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: private-creds-configmap
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: private-creds-configmap
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/disallowed-pod-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: disallowed-pod-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: disallowed-pod-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/hostnetwork-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: hostnetwork-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: hostnetwork-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/nodeport-service.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: nodeport-service
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: nodeport-service
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/privileged-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: privileged-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: privileged-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/role-pod-exec.yaml

@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: pod-exec-role
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: pod-exec-role
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/role-wildcard-resources.yaml

@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: wildcard-resources-role
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: wildcard-resources-role
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/role-write-privileges.yaml

@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: write-privileges-role
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: write-privileges-role
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/sensitive-mount-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: sensitive-mount-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: sensitive-mount-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-configmap.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: vanilla-configmap
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-configmap
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-deployment.yaml

@@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: vanilla-deployment
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-deployment
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-role-rolebinding-serviceaccount.yaml

@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: vanilla-role
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-role
     app.kubernetes.io/part-of: falco-event-generator
@@ -20,7 +19,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: vanilla-role-binding
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-role-binding
     app.kubernetes.io/part-of: falco-event-generator
@@ -38,7 +36,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: vanilla-serviceaccount
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-serviceaccount
     app.kubernetes.io/part-of: falco-event-generator

docker/event-generator/yaml/vanilla-service.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
   name: vanilla-service
-  namespace: falco-event-generator
   labels:
     app.kubernetes.io/name: vanilla-service
     app.kubernetes.io/part-of: falco-event-generator