Falco throwing 'std::out_of_range' when 'falco-gke-audit-bridge' is also executed

[pedromastelaro]

Describe the bug

I have a cluster kubernetes deployed on Google Cloud, I installed Falco using the helm and it has been running smoothly, however, when trying to apply and use falco-gke-audit-bridge (https://github.com/codeonline-io/falco-gke-audit-bridge), falco pods start to fail with the following message:

terminate called after throwing an instance of 'std::out_of_range'
  what():  stoll

How to reproduce it

To reproduce, simply apply a Deployment with quay.io/codeonline/falco-gke-audit-bridge and this behavior starts to be verified

Expected behaviour

My expectation is that falco will work perfectly with falco-gke-audit-bridge, sending events to http://falco:8765/k8s-audit

Screenshots

Environment

• Falco version: v0.27.0
• System info:
  • Cloud provider or hardware configuration: v1.18.12-gke.1205
  • OS: Ubuntu 18.04.5 LTS
  • Kernel: 5.4.0-1030-gke
  • Installation method: Helm on GKE cluster

[fntlnz]

Hi @pedromastelaro - Thanks for bringing this up.

I was able to create a reproducer with this cURL call:

curl http://127.0.0.1:8765/k8s-audit --data '{"kind":"Event","apiVersion":"1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","metadata":{"creationTimestamp":"2018-10-25T13:58:49Z"},"level":"Request","timestamp":"2018-10-25T13:58:49Z","auditID":"841d3e6d-90d2-43df-8da4-684738bee3d5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces","verb":"create","user":{"username":"111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.99.1"],"objectRef":{"resource":"namespaces","name":"foo","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Namespace","apiVersion":"v1","metadata":{"name":"foo","creationTimestamp":null},"spec":{},"status":{"phase":"Active"}},"requestReceivedTimestamp":"2DDD018-10-25T13:58:49.730588Z","stageTimestamp":"2018-10-25T13:58:49.736141Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}' -H "Content-Type: application/json"

Which gives:

Tue Apr 13 14:52:44 2021: Falco version 0.28.0-3+a7e04fe (driver version 5c0b863ddade7a45568c0ac97d037422c9efb750)
Tue Apr 13 14:52:44 2021: Falco initialized with configuration file /home/fntlnz/Projects/falcosecurity/falco/falco.yaml
Tue Apr 13 14:52:44 2021: Loading rules from file /home/fntlnz/Projects/falcosecurity/falco/rules/k8s_audit_rules.yaml:
Tue Apr 13 14:52:45 2021: Starting internal webserver, listening on port 8765
terminate called after throwing an instance of 'std::out_of_range'
  what():  stoll

This is happening because the out_of_range exception is not handled for the std::stoll call here.

I'll be pushing a fix for this.