Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow SSL for k8s audit endpoint #471

Merged
merged 2 commits into from Jan 24, 2019

Conversation

Projects
None yet
2 participants
@mfdii
Copy link
Member

commented Nov 20, 2018

Allow enabling SSL for the Kubernetes audit log web server. This required adding two new configuration options: webserver.ssl_enabled and webserver.ssl_certificate. To enable SSL add the below to the webserver section of the falco.yaml config:

webserver:
  enabled: true
  listen_port: 8765s
  k8s_audit_endpoint: /k8s_audit
  ssl_enabled: true
  ssl_certificate: /etc/falco/falco.pem

Note that the port number has an s appended to indicate SSL for the port which is how civetweb expects SSL ports be denoted. We could change this to dynamically add the s if ssl_enabled: true.

The ssl_certificate is a combination SSL Certificate and corresponding key contained in a single file. You can generate a key/cert as follows:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
$ cat certificate.pem key.pem > falco.pem
$ sudo cp falco.pem /etc/falco/falco.pem

@mfdii mfdii requested a review from mstemm Nov 20, 2018

@mstemm

This comment has been minimized.

Copy link
Contributor

commented Nov 28, 2018

All the other changes look good. Let's just clean up the port handling for ssl.

@mfdii mfdii force-pushed the mfdii/add_ssl_support branch 2 times, most recently from bd7a973 to f46104d Jan 21, 2019

@mstemm mstemm force-pushed the mfdii/add_ssl_support branch from a3f183c to 9c09dd3 Jan 23, 2019

@mstemm

mstemm approved these changes Jan 23, 2019

mfdii and others added some commits Nov 20, 2018

Allow SSL for k8s audit endpoint
Allow enabling SSL for the Kubernetes audit log web server. This
required adding two new configuration options: webserver.ssl_enabled and
webserver.ssl_certificate. To enable SSL add the below to the webserver
section of the falco.yaml config:

webserver:
  enabled: true
  listen_port: 8765s
  k8s_audit_endpoint: /k8s_audit
  ssl_enabled: true
  ssl_certificate: /etc/falco/falco.pem

Note that the port number has an s appended to indicate SSL
for the port which is how civetweb expects SSL ports be denoted. We
could change this to dynamically add the s if ssl_enabled: true.

The ssl_certificate is a combination SSL Certificate and corresponding
key contained in a single file. You can generate a key/cert as follows:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
$ cat certificate.pem key.pem > falco.pem
$ sudo cp falco.pem /etc/falco/falco.pem

fix ssl option handling
Add notes on how to create ssl certificate
Add notes on how to create the ssl certificate to the config comments.

@mstemm mstemm force-pushed the mfdii/add_ssl_support branch from 1e9e00b to 4b0355c Jan 24, 2019

@mstemm mstemm merged commit 4fcd44e into dev Jan 24, 2019

2 checks passed

Travis CI - Branch Build Passed
Details
Travis CI - Pull Request Build Passed
Details

@mstemm mstemm deleted the mfdii/add_ssl_support branch Jan 24, 2019

daixiang0 added a commit to daixiang0/falco that referenced this pull request Feb 10, 2019

Allow SSL for k8s audit endpoint (falcosecurity#471)
* Allow SSL for k8s audit endpoint

Allow enabling SSL for the Kubernetes audit log web server. This
required adding two new configuration options: webserver.ssl_enabled and
webserver.ssl_certificate. To enable SSL add the below to the webserver
section of the falco.yaml config:

webserver:
  enabled: true
  listen_port: 8765s
  k8s_audit_endpoint: /k8s_audit
  ssl_enabled: true
  ssl_certificate: /etc/falco/falco.pem

Note that the port number has an s appended to indicate SSL
for the port which is how civetweb expects SSL ports be denoted. We
could change this to dynamically add the s if ssl_enabled: true.

The ssl_certificate is a combination SSL Certificate and corresponding
key contained in a single file. You can generate a key/cert as follows:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
$ cat certificate.pem key.pem > falco.pem
$ sudo cp falco.pem /etc/falco/falco.pem

fix ssl option handling

* Add notes on how to create ssl certificate

Add notes on how to create the ssl certificate to the config comments.

daixiang0 added a commit to daixiang0/falco that referenced this pull request Feb 10, 2019

Allow SSL for k8s audit endpoint (falcosecurity#471)
* Allow SSL for k8s audit endpoint

Allow enabling SSL for the Kubernetes audit log web server. This
required adding two new configuration options: webserver.ssl_enabled and
webserver.ssl_certificate. To enable SSL add the below to the webserver
section of the falco.yaml config:

webserver:
  enabled: true
  listen_port: 8765s
  k8s_audit_endpoint: /k8s_audit
  ssl_enabled: true
  ssl_certificate: /etc/falco/falco.pem

Note that the port number has an s appended to indicate SSL
for the port which is how civetweb expects SSL ports be denoted. We
could change this to dynamically add the s if ssl_enabled: true.

The ssl_certificate is a combination SSL Certificate and corresponding
key contained in a single file. You can generate a key/cert as follows:

$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
$ cat certificate.pem key.pem > falco.pem
$ sudo cp falco.pem /etc/falco/falco.pem

fix ssl option handling

* Add notes on how to create ssl certificate

Add notes on how to create the ssl certificate to the config comments.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.