A plugin to collect K8S Audit Logs from GKE (k8saudit-gke plugin) #424
Can you sign off all the commits, please? For the version of Go, @jasondellaluce could help us; last time I tried I got issues, don't remember which ones. I guess we need to add your plugin here to allow it to use the file:
Yes indeed, modded my own rules files with:
Don't know how the release versioning in the CI workflows does its thing, but I can just add it with version 0.1.0?
This is what happens when I place the gke rule overrides into the
The rule override:
Any idea if this is fixable @Issif (or perhaps @jasondellaluce)? Or is this kind of plugin rule override not allowed by design?
cc @alacuku @LucaGuerra, can you help us with the CI for the rules?
The issue is because
I prepared a PR for #426
#426 is merged now. @sboschman could you rebase this, please? The CI issue should be addressed then. Thanks!
@leogr check now runs with 0.37.1, but we somehow have to tell the checker it has to load the default/base k8saudit rules as well. Any ideas on this?
Can you try to add a symlink to the k8s_audit_rules.yaml? I'm not sure, but it could work, because of this
The validation jobs are now working as intended. Failing because the rules seem not to be valid.
Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
Yeah, wrong engine version, but we haven't really validated any rules yet, so I am still expecting it to fail because of the deps on stable and/or sandbox rules.
This #431 PR should solve the deps issue with stable/sandbox rules. @LucaGuerra
I see... but I rebased on #432, so that change isn't used yet... Should I cherry-pick the change from #431 and update the GKE rules to use this new list?
Signed-off-by: Luca Guerra <luca@guerra.sh>
Rules files suggestions: gcp_auditlog_rules.yaml: Comparing: No changes detected
We do have a green build, @leogr @alacuku @Issif 🥳
#432 merged.
LGTM, #431 will follow up shortly, cc @LucaGuerra
LGTM label has been added. Git tree hash: aebd4d4508476c84f4a265c399ec2b127fc82ee9
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: leogr, sboschman The full list of commands accepted by this bot can be found here. The pull request process is described here
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area plugins
What this PR does / why we need it:
This k8saudit-gke plugin tries to bridge the gap between Google Cloud audit logs for GKE and the Falco ruleset for k8s audit events. This way the existing Falco ruleset for k8s audit events can be used to monitor GKE clusters as well.
Which issue(s) this PR fixes:
Add a k8saudit-gke plugin to the plugins suite (requested plugins are tracked in #228)
Special notes for your reviewer:
rule_extensions as the CI workflow validator fails for override rules. Obviously it would be nice to release/ship this rule file as part of the plugin, so it can be installed with falcoctl. Is this fixable in the CI pipeline?