
A plugin to collect K8S Audit Logs from GKE (k8saudit-gke plugin) #424

Merged: 20 commits merged into falcosecurity:master on Mar 14, 2024

Conversation

sboschman (Contributor)

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area plugins

What this PR does / why we need it:
This k8saudit-gke plugin tries to bridge the gap between Google Cloud audit logs for GKE and the Falco ruleset for k8s audit events. This way the existing Falco ruleset for k8s audit events can be used to monitor GKE clusters as well.

Which issue(s) this PR fixes:
Add a k8saudit-gke plugin to the plugins suite (requested plugins are tracked in #228 )

Special notes for your reviewer:

  • is it acceptable to bump golang to 1.21 (from 1.18) for plugins?
  • default k8s rules have to be fine-tuned a bit for gke (e.g. add the allowed gke images). Currently the rule overrides are in the dir rule_extensions as the ci workflow validator fails for override rules. Obviously it would be nice to release/ship this rule file as part of the plugin, so it can be installed with falcoctl. Is this fixable in the ci pipeline?
  • the plugin id is currently 666, if we can register a "real" plugin id that would be great

@sboschman (Contributor Author)

@Issif as I mentioned earlier in #228 here is the pr for a k8saudit-gke plugin. I did put down some issues/questions in the reviewer notes, some guidance with these would be appreciated.


@Issif (Member) commented Mar 5, 2024

Can you sign off all the commits, please?

For the version of Go, @jasondellaluce could help us, last time I tried I got issues, don't remember which ones.

I guess we need to add your plugin here to allow it to use the file:

https://github.com/falcosecurity/plugins/blob/master/plugins/k8saudit/rules/k8s_audit_rules.yaml#L21,L26


@sboschman (Contributor Author)

> I guess we need to add your plugin here to allow it to use the file:
>
> https://github.com/falcosecurity/plugins/blob/master/plugins/k8saudit/rules/k8s_audit_rules.yaml#L21,L26

yes indeed, modded my own rules files with:

- required_plugin_versions:
  - name: k8saudit
    version: 0.7.0
    alternatives:
      - name: k8saudit-gke
        version: 0.1.0

Don't know how the release versioning in the CI workflows does its thing, but can I just add it with version 0.1.0?
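As an added example (not code from this PR or from Falco), a simplified model of how a required_plugin_versions entry like the one above is resolved against the plugins actually loaded: the entry is satisfied by the named plugin or by any of its alternatives, at a version at least the one required. The semver ordering and the "any alternative satisfies it" rule are assumptions stated in the code.

```python
# Added example, not from the PR or from Falco: a simplified model of how a
# required_plugin_versions entry (with 'alternatives') is checked against the
# plugins that are loaded. Assumption: an entry is satisfied when a loaded plugin
# matches its name or any alternative's name at a version >= the one required.

def parse_version(v):
    """'0.7.0' -> (0, 7, 0); pre-release/build suffixes are dropped."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def requirement_satisfied(entry, loaded):
    """entry: one item of required_plugin_versions; loaded: {plugin_name: version}."""
    candidates = [(entry["name"], entry["version"])]
    for alt in entry.get("alternatives", []):
        candidates.append((alt["name"], alt["version"]))
    return any(
        name in loaded and parse_version(loaded[name]) >= parse_version(minimum)
        for name, minimum in candidates
    )

def check_rules_deps(required_plugin_versions, loaded):
    """Return the names of unmet entries (an empty list means the rules file can load)."""
    return [e["name"] for e in required_plugin_versions
            if not requirement_satisfied(e, loaded)]

# Constructed sample mirroring the required_plugin_versions block quoted above.
K8S_AUDIT_DEPS = [
    {"name": "k8saudit", "version": "0.7.0",
     "alternatives": [{"name": "k8saudit-gke", "version": "0.1.0"}]},
]

if __name__ == "__main__":
    print(check_rules_deps(K8S_AUDIT_DEPS, {"k8saudit": "0.7.0"}))      # []
    print(check_rules_deps(K8S_AUDIT_DEPS, {"k8saudit-gke": "0.1.0"}))  # []
    print(check_rules_deps(K8S_AUDIT_DEPS, {"k8saudit-gke": "0.0.9"}))  # ['k8saudit']
```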


@sboschman (Contributor Author) commented Mar 5, 2024

This is what happens when I place the gke rule overrides into the rules dir (job):

Error: /__w/plugins/plugins/plugins/k8saudit-gke/rules/k8s_audit_rules_gke.yaml: Invalid
1 Errors:
In rules content: (/__w/plugins/plugins/plugins/k8saudit-gke/rules/k8s_audit_rules_gke.yaml:0:0)
    rule 'Disallowed K8s User': (/__w/plugins/plugins/plugins/k8saudit-gke/rules/k8s_audit_rules_gke.yaml:10:2)
------
- rule: Disallowed K8s User
  ^
------
LOAD_ERR_YAML_VALIDATE (Error validating internal structure of YAML file): Item has no mapping for key 'output'

The rule override:

- macro: gke_service_agent
  condition: (ka.user.name endswith "@container-engine-robot.iam.gserviceaccount.com")

- rule: Disallowed K8s User
  condition: and not gke_service_agent
  override: 
    condition: append

Any idea if this is fixable @Issif (or perhaps @jasondellaluce)? Or are these kinds of plugin rule overrides not allowed by design?

@Issif (Member) commented Mar 5, 2024

cc @alacuku @LucaGuerra can you help us with the CI for the rules?

@leogr (Member) commented Mar 7, 2024

> This is what happens when I place the gke rule overrides into the rules dir (job):
>
> Error: /__w/plugins/plugins/plugins/k8saudit-gke/rules/k8s_audit_rules_gke.yaml: Invalid
> 1 Errors:
> In rules content: (/__w/plugins/plugins/plugins/k8saudit-gke/rules/k8s_audit_rules_gke.yaml:0:0)
>     rule 'Disallowed K8s User': (/__w/plugins/plugins/plugins/k8saudit-gke/rules/k8s_audit_rules_gke.yaml:10:2)
> ------
> - rule: Disallowed K8s User
>   ^
> ------
> LOAD_ERR_YAML_VALIDATE (Error validating internal structure of YAML file): Item has no mapping for key 'output'
>
> The rule override:
>
> - macro: gke_service_agent
>   condition: (ka.user.name endswith "@container-engine-robot.iam.gserviceaccount.com")
>
> - rule: Disallowed K8s User
>   condition: and not gke_service_agent
>   override: 
>     condition: append
>
> Any idea if this is fixable @Issif (or perhaps @jasondellaluce)? Or are these kinds of plugin rule overrides not allowed by design?

The issue is that override was introduced in Falco 0.37, but the CI still uses Falco 0.36.2.
@alacuku @LucaGuerra
I guess we can upgrade the CI to use the latest Falco version.
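An added example, not code from this PR or from Falco, modelling the two loader behaviours this thread turns on: a 0.37 loader merges a rule item carrying `override: {condition: append}` into the base rule by appending its condition text, while a 0.36.2 loader knows nothing about `override`, sees a rule with no `output`, and fails with the error quoted above. The base rule text and the append-with-a-space merge are simplified assumptions; only the GKE override is taken from the PR.

```python
# Added example, not code from the PR or from Falco: a small model of the Falco 0.37
# rule 'override' semantics the GKE rule file relies on, and of why the 0.36.2 loader
# used by the CI rejected it ("Item has no mapping for key 'output'"). Assumes rules
# are already-parsed YAML items (dicts); the base rule below is constructed/simplified.

def load_rules(items, falco_version):
    """Return {rule_name: merged_rule}; raise ValueError where the loader would fail."""
    supports_override = tuple(int(p) for p in falco_version.split(".")) >= (0, 37, 0)
    rules = {}
    for item in items:
        if "rule" not in item:
            continue                      # macros/lists are not modelled here
        name, override = item["rule"], item.get("override")
        if not override or not supports_override:
            # A complete rule needs 'output'; an older loader ignores 'override'
            # and therefore treats the partial GKE rule as an incomplete one.
            if "output" not in item:
                raise ValueError(f"rule '{name}': Item has no mapping for key 'output'")
            rules[name] = dict(item)
            continue
        if name not in rules:
            raise ValueError(f"rule '{name}': override of an undefined rule")
        for key, mode in override.items():   # e.g. {"condition": "append"}
            if mode == "append":
                rules[name][key] = f"{rules[name][key]} {item[key]}"
            elif mode == "replace":
                rules[name][key] = item[key]
            else:
                raise ValueError(f"rule '{name}': unknown override mode '{mode}'")
    return rules

def loader_accepts(items, falco_version):
    """True if load_rules() succeeds, False if it raises the validation error."""
    try:
        load_rules(items, falco_version)
        return True
    except ValueError:
        return False

# Constructed sample: a simplified base rule, then the GKE override quoted above.
BASE_RULES = [{"rule": "Disallowed K8s User", "priority": "WARNING",
               "condition": "kevt and non_system_user and not ka.user.name in (allowed_k8s_users)",
               "output": "K8s operation by disallowed user (user=%ka.user.name)"}]
GKE_OVERRIDES = [
    {"macro": "gke_service_agent",
     "condition": '(ka.user.name endswith "@container-engine-robot.iam.gserviceaccount.com")'},
    {"rule": "Disallowed K8s User", "condition": "and not gke_service_agent",
     "override": {"condition": "append"}},
]
```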

@Issif (Member) commented Mar 7, 2024

> This is what happens when I place the gke rule overrides into the rules dir (job):
>
> Error: /__w/plugins/plugins/plugins/k8saudit-gke/rules/k8s_audit_rules_gke.yaml: Invalid
> 1 Errors:
> In rules content: (/__w/plugins/plugins/plugins/k8saudit-gke/rules/k8s_audit_rules_gke.yaml:0:0)
>     rule 'Disallowed K8s User': (/__w/plugins/plugins/plugins/k8saudit-gke/rules/k8s_audit_rules_gke.yaml:10:2)
> ------
> - rule: Disallowed K8s User
>   ^
> ------
> LOAD_ERR_YAML_VALIDATE (Error validating internal structure of YAML file): Item has no mapping for key 'output'
>
> The rule override:
>
> - macro: gke_service_agent
>   condition: (ka.user.name endswith "@container-engine-robot.iam.gserviceaccount.com")
>
> - rule: Disallowed K8s User
>   condition: and not gke_service_agent
>   override: 
>     condition: append
>
> Any idea if this is fixable @Issif (or perhaps @jasondellaluce)? Or are these kinds of plugin rule overrides not allowed by design?

> The issue is that override was introduced in Falco 0.37, but the CI still uses Falco 0.36.2. @alacuku @LucaGuerra I guess we can upgrade the CI to use the latest Falco version.

I prepared a PR for #426

@leogr (Member) commented Mar 8, 2024

> I prepared a PR for #426

#426 is merged now.

@sboschman could you rebase this, pls? The CI issue should be addressed then. Thanks!


@sboschman (Contributor Author)

@leogr the check now runs with 0.37.1, but we somehow have to tell the checker it has to load the default/base k8saudit rules as well. Any ideas on this?

@Issif (Member) commented Mar 8, 2024

> @leogr the check now runs with 0.37.1, but we somehow have to tell the checker it has to load the default/base k8saudit rules as well. Any ideas on this?

Can you try to add a symlink to the k8s_audit_rules.yaml? I'm not sure, but it could work, because of this:

rules_files=$(ls $rules_dir/*)

@alacuku (Member) commented Mar 13, 2024

Hi @sboschman, could you please rebase your PR on top of #432? I think you should drop all the changes you have made to the CI for debugging purposes.

#432 unifies how the deps are extracted from the rulesfiles and handles the case when the tested plugin is set as an alternative. Furthermore, the validate-falcoctl job loads all the rules at once, which is needed for the k8saudit-gke plugin.

The validation jobs are now working as intended. Failing because the rules seem not to be valid.

@sboschman (Contributor Author)

> Hi @sboschman, could you please rebase your PR on top of #432? I think you should drop all the changes you have made to the CI for debugging purposes.
> #432 unifies how the deps are extracted from the rulesfiles and handles the case when the tested plugin is set as an alternative. Furthermore, the validate-falcoctl job loads all the rules at once, which is needed for the k8saudit-gke plugin.
>
> The validation jobs are now working as intended. Failing because the rules seem not to be valid.

Yeah, wrong engine version, but we haven't really validated any rules yet, so I am still expecting it to fail because of the deps on stable and/or sandbox rules.

@alacuku (Member) commented Mar 13, 2024

> Yeah, wrong engine version, but we haven't really validated any rules yet, so I am still expecting it to fail because of the deps on stable and/or sandbox rules.

This #431 PR should solve the deps issue with stable/sandbox rules. @LucaGuerra


@sboschman (Contributor Author)

> Yeah, wrong engine version, but we haven't really validated any rules yet, so I am still expecting it to fail because of the deps on stable and/or sandbox rules.

> This #431 PR should solve the deps issue with stable/sandbox rules. @LucaGuerra

I see... but I rebased on #432, so that change isn't used yet... Should I cherry-pick the change from #431 and update the gke rules to use this new list?


Rules files suggestions

gcp_auditlog_rules.yaml

Comparing ecaf1b1e98080e69abeb67ecbd5a2a9facccaa4c with latest tag gcpaudit-0.3.0

No changes detected


Rules files suggestions

gcp_auditlog_rules.yaml

Comparing 49d4d974e7d02e73881ff45249fe950e7525bd2d with latest tag gcpaudit-0.3.0

No changes detected


LucaGuerra and others added 3 commits March 13, 2024 15:32
@sboschman (Contributor Author)

We do have a green build, @leogr @alacuku @Issif 🥳


Rules files suggestions

gcp_auditlog_rules.yaml

Comparing 3c7c4fdec4a43908bc142d408da8654c273b266b with latest tag gcpaudit-0.3.0

No changes detected

@alacuku (Member) commented Mar 13, 2024

#432 merged.

@leogr (Member) left a comment

LGTM,

#431 will follow up shortly, cc @LucaGuerra

@poiana poiana added the lgtm label Mar 14, 2024
@poiana (Contributor) commented Mar 14, 2024

LGTM label has been added.

Git tree hash: aebd4d4508476c84f4a265c399ec2b127fc82ee9

@poiana (Contributor) commented Mar 14, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: leogr, sboschman


@poiana poiana merged commit 16da99d into falcosecurity:master Mar 14, 2024
16 checks passed
@sboschman sboschman deleted the k8saudit-gke branch April 26, 2024 05:44