
Add k8s event generator #997

Merged
merged 2 commits into from
Jan 15, 2020

Commits on Jan 15, 2020

  1. Add k8s audit support to falco event generator

    Currently, the falco event generator only generates system call
    activity. This adds support for k8s_audit events by adding a script +
    supporting k8s object files that generate activity that matches the k8s
    audit event ruleset.
    
    The main script is k8s_event_generator.sh, which loops over the files in
    the yaml subdirectory, running kubectl apply -f for each.
    
    In the interests of keeping things self-contained, all objects are
    created in a `falco-event-generator` namespace. This means that some
    activity related with cluster roles/cluster role bindings is not
    performed.
    
    Each k8s object has annotations that note:
    
    1. The specific falco rules that should trigger.
    2. A user-friendly message to print when apply-ing the file.
    
    You can provide a specific rule name to the script. If provided, only
    those objects related to that rule will trigger. The default is "all",
    meaning that all objects are created.
    
    The script loops forever, deleting the falco-event-generator namespace
    after each iteration.
    
    Additionally, the docker image has been updated to also copy the script
    + supporting files, as well as fetching the latest available `kubectl`
    binary. The entrypoint is now a script that allows choosing between:
     - syscall activity: run with .... "syscall"
     - k8s_audit activity: run with .... "k8s_audit"
     - spawn a shell: run with .... "bash"
    
    The default is "syscall" to preserve existing behavior.
    
    In most cases, you'll need to provide kube config
    files/directories that allow access to your cluster. A
    command like the following will work:
    
    ```
    docker run -v $HOME/.kube:/root/.kube -it \
        falcosecurity/falco-event-generator k8s_audit
    ```
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 15, 2020 (commit 4a88ca6)
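The loop the commit message describes (walk a directory of yaml objects, apply only those whose annotations name the requested rule, print each object's message, then delete the namespace and start over) as an added POSIX sh example. This is not the project's own k8s_event_generator.sh and it is not taken from the PR; the annotation keys `falco.org/rules` (comma-separated rule names) and `falco.org/message`, the `RUN_GENERATOR` guard, and the `annotation_value`, `file_matches_rule`, `select_files`, `apply_once` and `run_forever` function names are all assumptions made for this example. The `kubectl create namespace`, `kubectl apply -n ... -f` and `kubectl delete namespace --wait=true` invocations are standard kubectl commands.

```shell
#!/bin/sh
# Added example, not the project's script. Applies annotated k8s objects from
# a directory, filtered by Falco rule name, and wipes the namespace after each
# pass so every iteration produces a fresh set of k8s_audit events.
# Assumed (not from the page): objects carry "falco.org/rules" and
# "falco.org/message" annotations, written on a single line each.
set -eu

KUBECTL="${KUBECTL:-kubectl}"
NAMESPACE="${NAMESPACE:-falco-event-generator}"

# Print the value of single-line annotation KEY in FILE, quotes stripped.
# Uses "|" as the sed delimiter because the key itself contains "/".
annotation_value() {
  file=$1; key=$2
  sed -n "\\|$key:|{s|.*$key: *||;s|\"||g;p;q;}" "$file"
}

# Succeed if RULE is "all" or appears in FILE's comma-separated rule list.
file_matches_rule() {
  file=$1; rule=$2
  [ "$rule" = all ] && return 0
  rules=$(annotation_value "$file" "falco.org/rules")
  case ",$rules," in
    *",$rule,"*) return 0 ;;
  esac
  return 1
}

# Print every *.yaml under DIR whose rules annotation matches RULE.
select_files() {
  dir=$1; rule=$2
  for f in "$dir"/*.yaml; do
    [ -e "$f" ] || continue
    if file_matches_rule "$f" "$rule"; then printf '%s\n' "$f"; fi
  done
}

# One iteration: create the namespace, apply each matching object with its
# user-facing message, then delete the namespace so nothing persists.
apply_once() {
  dir=$1; rule=$2
  $KUBECTL create namespace "$NAMESPACE" >/dev/null 2>&1 || true
  select_files "$dir" "$rule" | while IFS= read -r f; do
    echo "*** $(annotation_value "$f" "falco.org/message")"
    $KUBECTL apply -n "$NAMESPACE" -f "$f"
  done
  $KUBECTL delete namespace "$NAMESPACE" --wait=true
}

# Loop forever, as the generator does. Guarded by RUN_GENERATOR so that
# sourcing this file only defines the functions.
run_forever() {
  while :; do apply_once "$1" "$2"; sleep 1; done
}

if [ "${RUN_GENERATOR:-0}" = 1 ]; then
  run_forever "${1:-./yaml}" "${2:-all}"
fi
```

Run it as `RUN_GENERATOR=1 sh generator.sh ./yaml "Create Privileged Pod"` against a cluster you own; with the default rule `all` every object is applied. Because the objects are confined to one namespace that is deleted each pass, cluster-scoped activity (cluster roles, cluster role bindings) is not exercised, matching the limitation the commit message notes.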
  2. Fix compile warnings

    Noticed these while compiling in the latest alpine image.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 15, 2020 (commit bfccd75)