Allow json arrays k8s audit #967
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, the json object POSTed to the /k8s_audit endpoint is assumed to be an obect, with a "type" of either "Event" or "EventList". When the K8s API Server POSTs events, it aggregates them into an EventList, ensuring that there is always a single object. However, we're going to add some intermediate tools that tail log files and send them to the endpoint, and the easiest way to send a batch of events is to pass them as a json array instead of a single object. To properly handle this, modify parse_k8s_audit_event_json to also handle a json array. For arrays, it iterates over the objects, calling parse_k8s_audit_json recursively. This only iterates an initial top level array to avoid excessive recursion/attacks involving degenerate json objects with excessively nested arrays. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Callers aren't expected to catch execeptions and instead rely on the bool return value to indicate whether or not the parsing was successful. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
mstemm
force-pushed
the
allow-json-arrays-k8s-audit
branch
from
fe4c281
to
9c89484
Compare
mstemm
added a commit
to draios/sysdig-cloud-scripts
that referenced
this pull request
Dec 10, 2019
It turns out that openshift 4 does automatically make audit logs available on the master node as a file by default, but it doesn't enable dynamic audit sinks. Rather than change the api server config, which is risky, instead deploy a helper daemonset that can read the api server logs and send the contents to the agent's audit webhook. We can probably used this for other k8s distributions as well. This relies on a pending falco change falcosecurity/falco#967.
mstemm
added a commit
to draios/sysdig-cloud-scripts
that referenced
this pull request
Dec 10, 2019
Openshift 4.2 is actually pretty easy, although you have to deploy a helper log forwarder that runs on the api server, reads the existing audit log, and forwards to the agent. Requires agent 0.95.0 or some agent that has falcosecurity/falco#967.
|
/lgtm |
|
LGTM label has been added. Git tree hash: d9e88f77d5afec548301db11ae9ed48601c6a70e
|
Kaizhe
approved these changes
Dec 11, 2019
fntlnz
approved these changes
Dec 13, 2019
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, Kaizhe, leodido The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind bug
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: