Psp rules support #826
Conversation
The tests will fail until draios/sysdig#1501 is merged.
Force-pushed 144d4f2 to 4c820a6
@mstemm, would you please add a test case for
I commented very extensively about this in the proposal here: #825 (review). The summary is that I don't think that doing this is the responsibility of Falco directly (but please refer to the review in the proposal for more details). For this reason I think that this must be discussed in the repo planning meeting; I'm sure others will find it useful to understand this better too.
The feedback about who does the conversion is good and we can continue the discussion there. A lot of this PR is changes separate from the mechanics of converting a PSP to falco rules, though. Separate from that code, there's a whole new set of filter fields and operators to look at different parts of k8s audit logs and compare them to sets of desired/forbidden ports, images, etc. I'd encourage you to look at that code as well, as it would be in falco regardless of where the conversion occurs.
@mstemm in general I really like what you did here and having this new feature in Falco. However, since this is a big improvement we need to take a look at it a bit closer than usual, with the rest of the community too. The conversion part is the only part I have concerns about (because I have different opinions on where it can be done).
@@ -20,7 +20,7 @@ compiler: gcc | |||
env: | |||
- BUILD_TYPE=debug | |||
- BUILD_TYPE=release | |||
sudo: required | |||
dist: xenial |
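Review bot: `dist: xenial` is added to .travis.yml without a comment recording why, and the question it raises (was it missing before, or is it a new requirement) is exactly what the next reader will ask; since Travis documents xenial as the default build environment, a one-line comment next to `dist: xenial` such as `# pinned explicitly: needed to get the test suite passing on Travis` would stop someone from removing it as redundant.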
Why did you do this? Was missing before or it's a new requirement?
It was required to get travis tests to pass. I don't really know why I had to force travis to use xenial, as https://blog.travis-ci.com/2019-04-15-xenial-default-build-environment says xenial is the default if unspecified. The commit msg for 4c820a6 has a bit more detail.
InOp = kw("in") / "in"; | ||
PmatchOp = kw("pmatch") / "pmatch"; | ||
SetOp = kw("in") / "in" + | ||
kw("intersects") / "intersects" + |
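Review bot: `kw("in") / "in"` appears both in InOp and as the first alternative of the new SetOp, so the same token is accepted by two operator rules; whether a condition such as `field in (...)` is parsed as an InOp or a SetOp then depends only on which rule the grammar tries first. Either drop `in` from one of the two rules or document the intended precedence next to the definitions.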
cool
Thanks Mark for your huge effort!
Overall this only needs some adjustments imho. As soon as you can address them we'll merge this huge work!
userspace/engine/falco_engine.cpp (Outdated)
@@ -86,6 +86,28 @@ uint32_t falco_engine::engine_version() | |||
|
|||
#define CONSOLE_LINE_LEN 79 | |||
|
|||
static void wrap_text(const std::string &str, uint32_t initial_pos, uint32_t indent, uint32_t line_len) |
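Review bot: `wrap_text` returns `void`, so it presumably prints the wrapped text itself from inside the engine; returning the wrapped `std::string` and letting the caller print it keeps falco_engine.cpp free of console output and makes the function unit-testable. The accompanying `#define CONSOLE_LINE_LEN 79` is also a bare macro in C++ code; a `constexpr uint32_t` matching the type of the `line_len` parameter would be type-safe and scoped.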
This function should only have the responsibility to construct the string, which can then be printed.
Furthermore, I'll move this into an outside file (e.g., utils, with a falco::engine::utils namespace maybe). WDYT
Done (just falco::utils though).
Force-pushed f7fc448 to 5836be0
Force-pushed b6ff1aa to dcfe3f6
Looks like all the tests are passing now. Can I get a final lgtm so we can merge?
Instead of using a psp_conv binary built in the falco build, download falcoctl 0.0.2 and use its "falcoctl convert psp" subcommand to perform the conversion. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Force-pushed dcfe3f6 to e91562a
Ok, done. This will also undo the formatting for the changes I made, though. Let's make sure the tests pass, just in case there were substantive changes in the formatting.
...And the tests passed!
🎳 💣
LGTM label has been added. Git tree hash: 2f92a254fd49d5573fe183da811816edb346f329
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: leodido. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Add docs describing the changes in falcosecurity/falco#826. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
As a part of the changes in #826, we added several breaking changes to rules files like renaming/removing some filter fields. This isn't ideal for customers who are using their own rules files. We shouldn't break older rules files in this way, so add some minimal backwards compatibility which adds back the fields that were removed *and* actually used in k8s_audit_rules.yaml. They have the same functionality as before. One exception is ka.req.binding.subject.has_name, which was only used in output fields for debugging and shouldn't have been in the rules file in the first place. This always returns the string "N/A".
As a part of the changes in #826, we added several breaking changes to rules files like renaming/removing some filter fields. This isn't ideal for customers who are using their own rules files. We shouldn't break older rules files in this way, so add some minimal backwards compatibility which adds back the fields that were removed *and* actually used in k8s_audit_rules.yaml. They have the same functionality as before. One exception is ka.req.binding.subject.has_name, which was only used in a single output field for debugging and shouldn't have been in the rules file in the first place. This always returns the string "N/A".
As a part of the changes in #826, we added several breaking changes to rules files like renaming/removing some filter fields. This isn't ideal for customers who are using their own rules files. We shouldn't break older rules files in this way, so add some minimal backwards compatibility which adds back the fields that were removed *and* actually used in k8s_audit_rules.yaml. They have the same functionality as before. One exception is ka.req.binding.subject.has_name, which was only used in a single output field for debugging and shouldn't have been in the rules file in the first place. This always returns the string "N/A". Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
What type of PR is this?
/kind feature
/kind rule-update
Any specific area of the project related to this PR?
/area engine
/area integrations
What this PR does / why we need it:
Add support for converting K8s Pod Security Policies (PSPs) into a set of falco rules that can be used to evaluate the conditions specified in the PSP.
See #825 for the feature proposal.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
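The PR description above and the earlier comment about the new filter fields and set operators both describe the same mechanism: extract multi-valued fields from a k8s audit event and compare them to sets of allowed or forbidden values. The following is an added illustration written for this page, not code from Falco or from falcoctl (which performs the actual conversion). It implements the two set operators the discussion names, `in` (every value in the set) and `intersects` (at least one value in the set), a toy PSP-to-condition translation covering only the `privileged` and `hostPorts` PSP fields, and extractors whose names are modelled on Falco's `ka.req.pod.*` audit fields but whose logic is this example's own; the audit events and the PSP are constructed.

```python
"""Toy evaluator for Falco-style set operators over a Kubernetes audit event.

Added example, not code from the Falco project or from falcoctl. Field names
are modelled on Falco's ka.req.pod.* audit fields (assumed names); the
extraction, the PSP translation and the events below are this example's own.
"""
from __future__ import annotations

from typing import Any, Callable, Iterable


# Operator semantics as documented for Falco's multi-valued fields:
# `in` holds when every value is in the set, `intersects` when at least one is.
def op_in(values: Iterable[Any], allowed: set) -> bool:
    return all(v in allowed for v in values)


def op_intersects(values: Iterable[Any], allowed: set) -> bool:
    return any(v in allowed for v in values)


OPS: dict[str, Callable[[Iterable[Any], set], bool]] = {"in": op_in, "intersects": op_intersects}


def image_repository(image: str) -> str:
    """Strip digest and tag: 'docker.io/library/nginx:1.19' -> 'docker.io/library/nginx'.
    The tag is split off the last path component only, so a registry port survives."""
    image = image.split("@", 1)[0]
    head, _, last = image.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def _containers(event: dict) -> list[dict]:
    spec = event.get("requestObject", {}).get("spec", {})
    return list(spec.get("containers", [])) + list(spec.get("initContainers", []))


# One extractor per (assumed) field name; each yields the multi-valued list
# that the operators above consume.
FIELDS: dict[str, Callable[[dict], list]] = {
    "ka.req.pod.containers.image.repository": lambda ev: [
        image_repository(c["image"]) for c in _containers(ev)],
    "ka.req.pod.containers.host_port": lambda ev: [
        p["hostPort"] for c in _containers(ev) for p in c.get("ports", []) if "hostPort" in p],
    "ka.req.pod.containers.privileged": lambda ev: [
        bool((c.get("securityContext") or {}).get("privileged", False)) for c in _containers(ev)],
}


def psp_to_conditions(psp: dict) -> list[tuple[str, str, set]]:
    """Translate two PSP spec fields into (field, operator, allowed-set) triples a
    compliant pod must satisfy. Absent hostPorts means no host port is allowed, as
    in the PSP API; ranges are expanded because the rule language has no range syntax."""
    spec = psp.get("spec", {})
    conds: list[tuple[str, str, set]] = []
    if not spec.get("privileged", False):
        conds.append(("ka.req.pod.containers.privileged", "in", {False}))
    allowed_ports = {p for r in spec.get("hostPorts", []) for p in range(r["min"], r["max"] + 1)}
    conds.append(("ka.req.pod.containers.host_port", "in", allowed_ports))
    return conds


def violations(event: dict, conds: list[tuple[str, str, set]]) -> list[str]:
    """Names of the fields whose allowed-set condition the pod in `event` fails."""
    return [field for field, op, allowed in conds if not OPS[op](FIELDS[field](event), allowed)]


def uses_forbidden_image(event: dict, forbidden_repos: set) -> bool:
    """Deny-list check: `intersects` fires if any container matches, which `in` would not."""
    return op_intersects(FIELDS["ka.req.pod.containers.image.repository"](event), forbidden_repos)


# Constructed audit records, trimmed to the parts the extractors read.
BAD_POD_EVENT = {
    "verb": "create",
    "objectRef": {"resource": "pods", "namespace": "default", "name": "bad-pod"},
    "requestObject": {"spec": {"containers": [
        {"name": "web", "image": "docker.io/library/nginx:1.19",
         "ports": [{"containerPort": 80, "hostPort": 8080}]},
        {"name": "ssh", "image": "registry.example.com:5000/tools/dropbear@sha256:0123",
         "ports": [{"containerPort": 22, "hostPort": 22}],
         "securityContext": {"privileged": True}},
    ]}},
}
GOOD_POD_EVENT = {
    "verb": "create",
    "objectRef": {"resource": "pods", "namespace": "default", "name": "good-pod"},
    "requestObject": {"spec": {"containers": [
        {"name": "web", "image": "docker.io/library/nginx:1.19",
         "ports": [{"containerPort": 80, "hostPort": 8000}]},
    ]}},
}
# Constructed PSP: no privileged containers, host ports only within 8000-8080.
PSP = {"spec": {"privileged": False, "hostPorts": [{"min": 8000, "max": 8080}]}}

if __name__ == "__main__":
    conds = psp_to_conditions(PSP)
    for ev in (BAD_POD_EVENT, GOOD_POD_EVENT):
        print(ev["objectRef"]["name"], "violates:", violations(ev, conds))
    print("deny-listed image:", uses_forbidden_image(BAD_POD_EVENT, {"registry.example.com:5000/tools/dropbear"}))
```

The all-of versus any-of distinction is the reason the PR needed a second operator: an allow-list derived from a PSP is naturally `field in (allowed...)`, which only holds if every container complies, while a deny-list rule wants `field intersects (forbidden...)`, which fires as soon as one container matches.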