False positives in Azure Kubernetes Service #1177

Closed
AlexDCraig opened this issue May 1, 2020 · 5 comments

AlexDCraig commented May 1, 2020

Describe the bug

Spinning up Falco on AKS yields this alert:

{
  "output": "16:43:01.393393906: Notice Namespace change (setns) by unexpected program (user=<NA> command=<NA> parent=<NA> k8s.ns=<NA> k8s.pod=<NA> container=host container_id=host image=<NA>:<NA>) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host",
  "priority": "Notice",
  "rule": "Change thread namespace",
  "time": "2020-05-01T16:43:01.393393906Z",
  "output_fields": {
    "container.id": "host",
    "container.image.repository": null,
    "container.image.tag": null,
    "evt.time": 1588351381393394000,
    "k8s.ns.name": null,
    "k8s.pod.name": null,
    "proc.cmdline": "<NA>",
    "proc.pname": null,
    "user.name": null
  }
}

How to reproduce it

Install Falco 0.21.0 in an AKS 1.16.7 cluster. Check the daemonset logs.

Expected behaviour

To not fire an alert for this behavior.

Environment

Azure AKS, Kubernetes 1.16.7

  • Falco version:
    0.21.0

  • Installation method:
    Helm

Additional context

This is really similar to this issue: #439


fntlnz commented May 2, 2020

@AlexDHoffer can you please update to Falco 0.22.0 and maybe post here the flags you start Falco with? We need to understand why that false positive happens in the first place, and the output line is filled with NAs, which is something we put a lot of effort into solving in 0.22.0 with both Falco and configuration changes.
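As an added triage helper (not part of this issue or of Falco's own code), the script below reads Falco JSON output lines like the one in the report and separates alerts that carry process/container context from ones whose enrichment fields are all `<NA>`/null, the condition fntlnz points to as the real problem. The sample log lines are constructed for this example; the field names are the ones that appear in the quoted alert.

```python
import json

# Fields Falco fills in from process/container/k8s metadata. When every one of
# them is <NA> or null, the alert cannot be attributed and should be triaged as
# an enrichment failure rather than as a finding.
ENRICHMENT_FIELDS = ("proc.cmdline", "proc.pname", "user.name",
                     "container.image.repository", "k8s.ns.name", "k8s.pod.name")

# Constructed sample of daemonset log lines: one plain startup line, one alert
# modelled on the issue (all NAs, container=host), one fully enriched alert.
SAMPLE_LINES = [
    "Fri May  1 16:43:00 2020: Falco initialized with configuration file /etc/falco/falco.yaml",
    json.dumps({"priority": "Notice", "rule": "Change thread namespace",
                "time": "2020-05-01T16:43:01.393393906Z",
                "output": "16:43:01.393393906: Notice Namespace change (setns) by unexpected program "
                          "(user=<NA> command=<NA> parent=<NA> container=host image=<NA>:<NA>)",
                "output_fields": {"container.id": "host", "container.image.repository": None,
                                  "container.image.tag": None, "evt.time": 1588351381393394000,
                                  "k8s.ns.name": None, "k8s.pod.name": None, "proc.cmdline": "<NA>",
                                  "proc.pname": None, "user.name": None}}),
    json.dumps({"priority": "Notice", "rule": "Change thread namespace",
                "time": "2020-05-01T16:44:10.000000000Z",
                "output": "16:44:10.000000000: Notice Namespace change (setns) by unexpected program "
                          "(user=root command=nsenter -t 1 -m parent=bash container=3f2a1b)",
                "output_fields": {"container.id": "3f2a1b", "container.image.repository": "example/debug",
                                  "container.image.tag": "latest", "evt.time": 1588351450000000000,
                                  "k8s.ns.name": "default", "k8s.pod.name": "debug-pod",
                                  "proc.cmdline": "nsenter -t 1 -m", "proc.pname": "bash",
                                  "user.name": "root"}}),
]

def is_missing(value):
    """Falco emits either the literal string <NA> or JSON null for unknown fields."""
    return value is None or value == "<NA>"

def missing_enrichment(alert):
    fields = alert.get("output_fields", {})
    return [f for f in ENRICHMENT_FIELDS if is_missing(fields.get(f))]

def triage(lines):
    """Return (actionable_rules, unattributed) where unattributed pairs a rule
    name with the list of enrichment fields that were all missing."""
    actionable, unattributed = [], []
    for line in lines:
        try:
            alert = json.loads(line.strip())
        except json.JSONDecodeError:
            continue  # non-JSON lines (startup banner etc.) are not alerts
        missing = missing_enrichment(alert)
        if len(missing) == len(ENRICHMENT_FIELDS):
            unattributed.append((alert["rule"], missing))
        else:
            actionable.append(alert["rule"])
    return actionable, unattributed
```

Run it over a daemonset log dump; a high share of unattributed alerts after an upgrade points at the enrichment/driver setup rather than at the rule set.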

AlexDCraig (author) commented

@fntlnz upgrading to 0.22.0 seemed to help.


stale bot commented Jul 3, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jul 3, 2020

fntlnz commented Jul 7, 2020

I think we can close this; we are on 0.23.0 now and 0.24.0 will contain even more fixes for NAs.

Thanks for your help @AlexDHoffer

/close

@stale stale bot removed the wontfix label Jul 7, 2020
@poiana poiana closed this as completed Jul 7, 2020

poiana commented Jul 7, 2020

@fntlnz: Closing this issue.

In response to this:

I think we can close this; we are on 0.23.0 now and 0.24.0 will contain even more fixes for NAs.

Thanks for your help @AlexDHoffer

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
