Empty Kubernetes fields in Falco output #13

bzurkowski · 2020-03-25T09:40:42Z

Tracking issue for falcosecurity/falco#1029.

bzurkowski · 2020-05-07T07:13:46Z

Fields seeem to be filled correctly. Verified on several rules. Closing.

{
   "output":"07:03:05.063269120: Warning Pod started using host network (user=system:serviceaccount:kube-system:replicaset-controller pod=hostnetwork-deployment-748bd48fcb-hrj2q ns=falco-event-generator images=busybox)",
   "priority":"Warning",
   "rule":"Create HostNetwork Pod",
   "time":"2020-05-07T07:03:05.063269120Z",
   "output_fields":{
      "jevt.time":"07:03:05.063269120",
      "ka.req.pod.containers.image":"busybox",
      "ka.resp.name":"hostnetwork-deployment-748bd48fcb-hrj2q",
      "ka.target.namespace":"falco-event-generator",
      "ka.user.name":"system:serviceaccount:kube-system:replicaset-controller"
   }
}

{
 "output":"07:04:10.489446912: Warning Pod started with sensitive mount (user=system:serviceaccount:kube-system:replicaset-controller pod=sensitive-mount-deployment-76477d5d8-82k4d ns=falco-event-generator images=busybox volumes=[{\"hostPath\":{\"path\":\"/etc\",\"type\":\"\"},\"name\":\"etc\"}])",
   "priority":"Warning",
   "rule":"Create Sensitive Mount Pod",
   "time":"2020-05-07T07:04:10.489446912Z",
   "output_fields":{
      "jevt.time":"07:04:10.489446912",
      "jevt.value":"[{\"hostPath\":{\"path\":\"/etc\",\"type\":\"\"},\"name\":\"etc\"}]",
      "ka.req.pod.containers.image":"busybox",
      "ka.resp.name":"sensitive-mount-deployment-76477d5d8-82k4d",
      "ka.target.namespace":"falco-event-generator",
      "ka.user.name":"system:serviceaccount:kube-system:replicaset-controller"
   }
}

{
   "output":"07:05:26.325649920: Warning Pod started with privileged container (user=system:serviceaccount:kube-system:replicaset-controller pod=privileged-deployment-7c5d789cf4-k4w5f ns=falco-event-generator images=busybox)",
   "priority":"Warning",
   "rule":"Create Privileged Pod",
   "time":"2020-05-07T07:05:26.325649920Z",
   "output_fields":{
      "jevt.time":"07:05:26.325649920",
      "ka.req.pod.containers.image":"busybox",
      "ka.resp.name":"privileged-deployment-7c5d789cf4-k4w5f",
      "ka.target.namespace":"falco-event-generator",
      "ka.user.name":"system:serviceaccount:kube-system:replicaset-controller"
   }
}

bzurkowski added the bug Something isn't working label Mar 25, 2020

bzurkowski self-assigned this Mar 25, 2020

bzurkowski mentioned this issue Apr 2, 2020

Falco alerts mapping #35

Closed

bzurkowski added this to the 0.2 milestone Apr 13, 2020

bzurkowski closed this as completed May 7, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Empty Kubernetes fields in Falco output #13

Empty Kubernetes fields in Falco output #13

bzurkowski commented Mar 25, 2020 •

edited

bzurkowski commented May 7, 2020

Empty Kubernetes fields in Falco output #13

Empty Kubernetes fields in Falco output #13

Comments

bzurkowski commented Mar 25, 2020 • edited

bzurkowski commented May 7, 2020

bzurkowski commented Mar 25, 2020 •

edited