The Timer-based Trigger is a special part of the Phoenix AMTD Operator architecture: its main purpose is to provide periodic or scheduled triggers for Phoenix in the form of SecurityEvent CRDs. This feature can be used for multiple purposes:
- Execute actions with the Phoenix operator periodically or on a schedule, e.g. restart a service hourly to avoid any undetected action.
- Update the SecurityEvent content and mimic events from another tool.
- Use a periodic trigger and an alerting system to check whether the Phoenix operator is working.
- Debug or test the Phoenix operator or new alert rules.
Architecture-wise, the special aspect of the Timer-based Trigger is that it can create SecurityEvents without an Integration Backend. The reason for this is that the Timer-based Trigger is not an independent, standalone tool. Without Phoenix it has no purpose; however, for simplicity it made sense to give it its own code base.
The Timer-based Trigger operates on pods. The tool uses an opt-in approach where the operator can add a pod to the scheduling queue by annotating it with `time-based-trigger.amtd.r6security.com/enabled`. If the annotation is present but its value cannot be evaluated to true by `strconv.ParseBool`, the pod is ignored. The timing is configured with the `time-based-trigger.amtd.r6security.com/schedule` annotation. Its value can be a valid cron-like scheduling pattern or any format recognized by `time.ParseDuration`. To avoid storing any state in the application, and to avoid requiring permissions to update pod annotations, the schedule is calculated relative to the last known time-based trigger security event for the pod or, if there is none, relative to the time when the pod was created. Currently the fields of the SecurityEvent generated by the operator are fixed: type=timed, threatlevel=info and source=TimeBasedTrigger. You can create Phoenix operator rules based on these.
Important:
- Terminating pods will not trigger periodic events!
- Removing the latest time-based security event for a pod will trigger another one in the next reconciliation check.
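
The opt-in and scheduling rule described above, sketched in Go as an added example (not the project's own code). `nextTrigger` and `ErrNotDuration` are hypothetical names, the sample times are constructed, and the sketch handles only `time.ParseDuration` schedules, reporting cron patterns as unhandled.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"time"
)

const (
	enabledKey  = "time-based-trigger.amtd.r6security.com/enabled"
	scheduleKey = "time-based-trigger.amtd.r6security.com/schedule"
)

// ErrNotDuration marks schedules this sketch does not handle (e.g. cron patterns).
var ErrNotDuration = errors.New("schedule is not a time.ParseDuration value")

// nextTrigger (hypothetical helper) returns when the next timed event is due.
// ok is false when the pod has not opted in; lastEvent is nil when no earlier
// time-based SecurityEvent exists for the pod.
func nextTrigger(ann map[string]string, created time.Time, lastEvent *time.Time) (due time.Time, ok bool, err error) {
	// A missing annotation, or any value ParseBool does not read as true, means "ignore".
	if enabled, perr := strconv.ParseBool(ann[enabledKey]); perr != nil || !enabled {
		return time.Time{}, false, nil
	}
	d, perr := time.ParseDuration(ann[scheduleKey])
	if perr != nil {
		return time.Time{}, true, fmt.Errorf("%w: %q", ErrNotDuration, ann[scheduleKey])
	}
	if d <= 0 { // guard added in this sketch: such an interval would always be due
		return time.Time{}, true, fmt.Errorf("non-positive interval %q", ann[scheduleKey])
	}
	base := created // no earlier event: count from pod creation
	if lastEvent != nil {
		base = *lastEvent
	}
	return base.Add(d), true, nil
}

func main() {
	created := time.Date(2023, 5, 1, 8, 0, 0, 0, time.UTC) // constructed sample
	last := created.Add(90 * time.Minute)                  // constructed last event
	for _, v := range []string{"1", "t", "yes", "f"} {
		ann := map[string]string{enabledKey: v, scheduleKey: "1h"}
		due, ok, err := nextTrigger(ann, created, &last)
		fmt.Printf("enabled=%q opted-in=%v due=%s err=%v\n", v, ok, due.Format(time.RFC3339), err)
	}
}
```

Values such as `yes` or `on` are not accepted by `strconv.ParseBool`, so a pod annotated that way stays out of the queue.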
Schedule an event for the given pod every hour:
```yaml
metadata:
  annotations:
    time-based-trigger.amtd.r6security.com/enabled: "1"
    time-based-trigger.amtd.r6security.com/schedule: "1h"
```
Create an event for the given pod on every Monday at 08:00 AM:
```yaml
metadata:
  annotations:
    time-based-trigger.amtd.r6security.com/enabled: "t"
    time-based-trigger.amtd.r6security.com/schedule: "0 8 * * 1"
```
Opt out of the queue but keep the schedule, e.g. when testing a functionality or running a backup which should not be interrupted:
```yaml
metadata:
  annotations:
    time-based-trigger.amtd.r6security.com/enabled: "f"
    time-based-trigger.amtd.r6security.com/schedule: "24h"
```
Warning: This project is in active development; consider this before deploying it in a production environment. All APIs, SDKs, and packages are subject to change.
More information about the place of the Timer-based Trigger in the phoenix operator and about the whole concept can be found in the main Phoenix AMTD Operator GitHub repo.
- The project is in an early stage where the current focus is to provide a proof-of-concept implementation that a wider range of potential users can try out. We welcome all feedback and ideas as we continuously improve the project and introduce new features.
Phoenix development is coordinated in Discord; feel free to join.
Copyright 2021-2023 by R6 Security, Inc. Some rights reserved.
Server Side Public License - see LICENSE for full text.