refactor!: remove K8S audit logs from Falco #1952
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jasondellaluce The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jasondellaluce
force-pushed
the
refactor/k8saudit-porting
branch
2 times, most recently
from
579f680 to
92548f7
Compare
|
/milestone 0.32.0 |
jasondellaluce
force-pushed
the
refactor/k8saudit-porting
branch
2 times, most recently
from
8255a55 to
edebac8
Compare
jasondellaluce
force-pushed
the
refactor/k8saudit-porting
branch
from
edebac8 to
e429ecf
Compare
|
This is currently blocked by the changes of #1976. |
jasondellaluce
changed the title
jasondellaluce
force-pushed
the
refactor/k8saudit-porting
branch
from
e429ecf to
a969dd1
Compare
| @@ -21,4 +21,4 @@ limitations under the License. | |||
| // This is the result of running "falco --list -N | sha256sum" and | |||
| // represents the fields supported by this version of Falco. It's used | |||
| // at build time to detect a changed set of fields. | |||
| #define FALCO_FIELDS_CHECKSUM "77c4c549181b8aac1b9698c0101ac61acb5b2faede84a2c4fecb34834c6de2b9" | |||
| #define FALCO_FIELDS_CHECKSUM "a557747a209f2d16e90a3324d84d56c02cf54d000b6e3ee44598413f19885fcc" | |||
There was a problem hiding this comment.
This changes because the ka.* and jevt.* are not listed anymore with the default falco.yaml configuration.
jasondellaluce
force-pushed
the
refactor/k8saudit-porting
branch
from
a969dd1 to
d638ff2
Compare
jasondellaluce
changed the title
jasondellaluce
force-pushed
the
refactor/k8saudit-porting
branch
from
952bd5b to
83b9c1c
Compare
Signed-off-by: Jason Dellaluce <[email protected]>
…plib Signed-off-by: Jason Dellaluce <[email protected]>
Signed-off-by: Jason Dellaluce <[email protected]>
…ests Signed-off-by: Jason Dellaluce <[email protected]>
Signed-off-by: Jason Dellaluce <[email protected]> Co-authored-by: Leonardo Grasso <[email protected]>
Signed-off-by: Jason Dellaluce <[email protected]>
jasondellaluce
force-pushed
the
refactor/k8saudit-porting
branch
from
6047bb8 to
1e04c6e
Compare
Signed-off-by: Jason Dellaluce <[email protected]> Co-authored-by: Leonardo Grasso <[email protected]> Co-authored-by: Leonardo Grasso <[email protected]>
| } | ||
|
|
||
| for(const auto &src : m_options.disable_sources) | ||
| { | ||
| m_state->enabled_sources.erase(src); | ||
| } | ||
|
|
||
| // XXX/mstemm technically this isn't right, you could disable syscall *and* k8s_audit and configure a plugin. | ||
| // todo(jasondellaluce,leogr): change this once we attain multiple active source |
There was a problem hiding this comment.
This will increase the need to support multiple event sources within one falco process. k8s and syscalls together used to be supported together obviously, and that isn't possible atm.
There was a problem hiding this comment.
Definitely. I left this comment as a remainder for when we'll work on supporting multiple sources.
| @@ -148,8 +148,8 @@ if(NOT MINIMAL_BUILD) | |||
| # libcurl | |||
| include(curl) | |||
|
|
|||
| # civetweb | |||
| include(civetweb) | |||
| # cpp-httlib | |||
There was a problem hiding this comment.
Just curious, why the switch to cpp-httplib?
There was a problem hiding this comment.
Civetweb caused lots of compilation problems in the past, and was in general a troublesome dependency for us in the past. This new http server is header-only and pretty lightweight, which better serves out purposes for now since we only implement /healthz.
There was a problem hiding this comment.
I'll approve it to just save a round-trip on monday. @jasondellaluce promised to update the comment and I'll check back for answers on the other questions.
Thanks again!
|
LGTM label has been added. Git tree hash: 093cd38cf8219e09e240c466c1ea51cd9a7afd6d
|
|
(whoops, didn't see that @leogr had also approved). Well I'll check back for the answers and it would be nice to clean up the comment in a later PR. Not the end of the world as that code is pretty retired anyway. |
What type of PR is this?
/kind cleanup
/kind design
Any specific area of the project related to this PR?
/area build
/area engine
What this PR does / why we need it:
This is part of the ongoing effort of porting the current K8S Audit Logs support implementation out of Falco and turn it into a Falcosecurity PR. The goals of this PR are to:
healthzendpoint with a lightweight HTTP serverWhich issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
This new plugin-based K8S Audit implementation introduces the following breaking changes:
falco.yamlpiece of configuration responsible of K8S Audit is now located under thepluginssectioninandintersectsoperators. For example, checks such aska.req.role.rules.verbs contains createwould be rejected and would need to be changed in the equivalentka.req.role.rules.verbs intersects (create)existsoperator, and not by comparing with the<NA>string.The
<NA>string literal is not returned anymore, neither in single-valued fields nor in list fields. For example, in the past field existence was occasionally checked with expressions likeka.target.subresource != <NA>, which would now inherently never be true, because if the field is absent the string comparison fails by default. Instead, prefer using the analoguouska.target.subresource exists, which explicitly checks for missing values./healtzendpoint cannot bind to the same port of the K8S Audit Log endpoint (e.g./k8s-audit), due to the fact that they are now managed by two different webservers (one in Falco, one in the plugin)Blocking PRs:
Does this PR introduce a user-facing change?: