Proposal add psp rules support #825
Conversation
Separate from the PR that actually makes the changes. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
mstemm
force-pushed
the
proposal-add-psp-rules-support
branch
from
4747aa1
to
d104791
Compare
|
|
||
| ### Goals | ||
|
|
||
| Transparently read a candidate PSP into an equivalent set of falco rules that can look for the conditions in the PSP. |
There was a problem hiding this comment.
Can we have more technical detail here? Are we generating Falco rules as a file? as a pipe? as shared memory?
There was a problem hiding this comment.
The PSP is converted into a set of falco rules which can be either saved as a file for later use/inspection, or loaded directly so they they can monitor system calls and k8s audit activity.
|
|
||
| ### Use cases | ||
|
|
||
| You'll be able to run falco with a `--psp` argument that provides a single PSP Yaml file. Falco will automatcially convert the PSP into an equivalent set of falco rules, load the rules, and then run with the loaded rules. You can optionally provide a `--psp_save=<path>` command line option to save the converted rules to a file. |
There was a problem hiding this comment.
Arguments to the CLI are effectively an API
My only suggestion here would be that we start using some sort of prefix to denote this is Kubernetes specific.
For example:
--k8s-pod-security-policy
--k8s-psp
--enable-kubernetes-pod-security-policy
There was a problem hiding this comment.
I don't like the falco daemon cli to also do cli related tasks, this should be done in falcoctl in my opinion
There was a problem hiding this comment.
I prefer having a single program handle both the steps of conversion and loading the generated rules, as I feel that the fewer steps involved, the easier it is to get set up and running.
|
|
||
| ## Summary | ||
|
|
||
| We want to make it easier for K8s Cluster Operators to Author Pod Security Policies by providing a way to read a PSP, convert it to a set of falco rules, and then run falco with those rules. |
There was a problem hiding this comment.
Yes! This would be amazing for the project! Strong +1 from me
There was a problem hiding this comment.
Where is the convertion done? In a cli ? In falco itself?
There was a problem hiding this comment.
It's in falco. Happy to discuss whether the conversion occurs in falco or outside--I lean towards in falco as it involves fewer moving parts, but obviously there are other opinions.
Remember, though, that the bulk of the work is in implementing the rules that result from the PSP, which requires new operators and fields to work on audit logs.
There was a problem hiding this comment.
I don't understand why this is proposed to be in the falco code base.
From my understanding this is a meechanism to create falco rules based on kubernetes PSPs.
I would prefer to have an external tool to generate the rules and falco just use it without changing the falco binary to support new flags and adding code into it for this.
|
|
||
| ## Summary | ||
|
|
||
| We want to make it easier for K8s Cluster Operators to Author Pod Security Policies by providing a way to read a PSP, convert it to a set of falco rules, and then run falco with those rules. |
There was a problem hiding this comment.
Where is the convertion done? In a cli ? In falco itself?
|
|
||
| ### Use cases | ||
|
|
||
| You'll be able to run falco with a `--psp` argument that provides a single PSP Yaml file. Falco will automatcially convert the PSP into an equivalent set of falco rules, load the rules, and then run with the loaded rules. You can optionally provide a `--psp_save=<path>` command line option to save the converted rules to a file. |
There was a problem hiding this comment.
I don't like the falco daemon cli to also do cli related tasks, this should be done in falcoctl in my opinion
|
|
||
| ### Diagrams | ||
|
|
||
| No diagrams yet. |
Co-authored-by: Lorenzo Fontana <lo@linux.com> Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
|
LGTM label has been added. Git tree hash: ccdf8cfc14e5cfa01753653c8e7e348e742d2979
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, leodido The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/area proposals |
What type of PR is this?
/kind documentation
Any specific area of the project related to this PR?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: