
Allow SSL for k8s audit endpoint #471

Merged
merged 2 commits into from Jan 24, 2019

Conversation

mfdii
Member

@mfdii mfdii commented Nov 20, 2018

Allow enabling SSL for the Kubernetes audit log web server. This required adding two new configuration options: webserver.ssl_enabled and webserver.ssl_certificate. To enable SSL, add the following to the webserver section of the falco.yaml config:

webserver:
  enabled: true
  listen_port: 8765s
  k8s_audit_endpoint: /k8s_audit
  ssl_enabled: true
  ssl_certificate: /etc/falco/falco.pem

Note that the port number has an s appended to indicate SSL for the port, which is how civetweb expects SSL ports to be denoted. We could change this to dynamically add the s if ssl_enabled: true.

The ssl_certificate is a combined SSL certificate and its corresponding key contained in a single file. You can generate a key/cert as follows:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
$ cat certificate.pem key.pem > falco.pem
$ sudo cp falco.pem /etc/falco/falco.pem
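As an added example (not code from this PR or from the Falco project), the following Python check covers the two things the description above and the commit message below leave to the operator: that the combined falco.pem really contains both a certificate and an unencrypted private key, and that the listen_port / ssl_enabled pair is consistent with civetweb's convention of a trailing "s" on SSL ports. It also flags a key file that is readable by other users. The sample PEM is constructed placeholder text, not real key material, and the function names are assumptions of this example, not Falco's own.

```python
"""Pre-flight checks for Falco's k8s audit webserver SSL settings (added example)."""
import os
import re
import stat
import tempfile

# Constructed sample: PEM block markers with placeholder payloads, NOT real key material.
SAMPLE_COMBINED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERCERTIFICATEBODY\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "PLACEHOLDERPRIVATEKEYBODY\n"
    "-----END PRIVATE KEY-----\n"
)

# Matches one PEM block and captures its label ("CERTIFICATE", "PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.S)


def pem_block_labels(text):
    """Return the labels of all PEM blocks in the text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_combined_pem(text):
    """Return a list of problems with a combined cert+key PEM; empty list means OK.

    ssl_certificate must hold both the certificate and its key in one file
    (cat certificate.pem key.pem > falco.pem); a file missing either half gives
    the server no usable identity.
    """
    labels = pem_block_labels(text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block found")
    if "ENCRYPTED PRIVATE KEY" in labels:
        # The PR's openssl command uses -nodes precisely so the key is not passphrase-protected.
        problems.append("private key is passphrase-protected; generate it with -nodes as in the PR")
    return problems


def check_pem_file_mode(path):
    """Return a problem string if the PEM is readable by group/others, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "%s is mode %o; a file holding a private key should be 0600" % (path, mode)
    return None


def civetweb_listen_spec(listen_port, ssl_enabled):
    """Build civetweb's port spec from falco.yaml's listen_port and ssl_enabled.

    civetweb marks an SSL listener with a trailing 's' (e.g. 8765s). The merged PR
    has the operator write the 's' by hand; this implements the dynamic variant the
    description mentions and rejects a port marked SSL while ssl_enabled is false.
    """
    spec = str(listen_port).strip()
    marked_ssl = spec.endswith("s")
    digits = spec[:-1] if marked_ssl else spec
    if not digits.isdigit() or not 1 <= int(digits) <= 65535:
        raise ValueError("invalid listen_port: %r" % (listen_port,))
    if marked_ssl and not ssl_enabled:
        raise ValueError("listen_port %r is marked SSL but ssl_enabled is false" % (listen_port,))
    return digits + "s" if ssl_enabled else digits


def write_sample_pem(path=None, mode=0o600):
    """Write the constructed sample PEM (to a temp dir if no path given) with the given mode."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "falco.pem")
    with open(path, "w") as fh:
        fh.write(SAMPLE_COMBINED_PEM)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    pem_path = write_sample_pem(mode=0o644)
    print(check_combined_pem(SAMPLE_COMBINED_PEM))
    print(check_pem_file_mode(pem_path))
    print(civetweb_listen_spec(8765, True))
```

Run it against the real /etc/falco/falco.pem by passing its contents to check_combined_pem and its path to check_pem_file_mode; the civetweb_listen_spec helper is where a dynamic "s" would live if the config loader were changed as the description suggests.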

@mfdii mfdii requested a review from mstemm November 20, 2018 04:41
@mstemm
Contributor

mstemm commented Nov 28, 2018

All the other changes look good. Let's just clean up the port handling for ssl.

@mfdii mfdii force-pushed the mfdii/add_ssl_support branch 2 times, most recently from bd7a973 to f46104d Compare January 21, 2019 23:36
mfdii and others added 2 commits January 23, 2019 18:03
Allow enabling SSL for the Kubernetes audit log web server. This
required adding two new configuration options: webserver.ssl_enabled and
webserver.ssl_certificate. To enable SSL, add the following to the webserver
section of the falco.yaml config:

webserver:
  enabled: true
  listen_port: 8765s
  k8s_audit_endpoint: /k8s_audit
  ssl_enabled: true
  ssl_certificate: /etc/falco/falco.pem

Note that the port number has an s appended to indicate SSL
for the port, which is how civetweb expects SSL ports to be denoted. We
could change this to dynamically add the s if ssl_enabled: true.

The ssl_certificate is a combined SSL certificate and its corresponding
key contained in a single file. You can generate a key/cert as follows:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
$ cat certificate.pem key.pem > falco.pem
$ sudo cp falco.pem /etc/falco/falco.pem

fix ssl option handling
Add notes on how to create the ssl certificate to the config comments.
@mstemm mstemm merged commit 4fcd44e into dev Jan 24, 2019
@mstemm mstemm deleted the mfdii/add_ssl_support branch January 24, 2019 04:21
2 participants