falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

Invalid k8s_audit_rules.yaml error #680

Open imreczegledi-form3 opened 1 month ago

imreczegledi-form3 commented 1 month ago

Invalid k8s_audit_rules.yaml error during deployment of chart version 4.4.0 (version 4.3.0 works correctly).

...
falco │ [falco] Fri May 31 13:42:30 2024: Loading plugin 'k8saudit' from file /usr/share/falco/plugins/libk8saudit.so
falco │ [falco] Fri May 31 13:42:30 2024: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
falco │ [falco] Fri May 31 13:42:30 2024: Loading rules from file /etc/falco/falco_rules.yaml
falco │ [falco] Fri May 31 13:42:30 2024: Loading rules from file /etc/falco/k8s_audit_rules.yaml
falco │ [falco] Error: /etc/falco/k8s_audit_rules.yaml: Invalid
falco │ [falco] 1 Errors:
falco │ [falco] In rules content: (/etc/falco/k8s_audit_rules.yaml:0:0)
falco │ [falco]     rule 'Disallowed K8s User': (/etc/falco/k8s_audit_rules.yaml:122:2)
falco │ [falco]     rule output: (/etc/falco/k8s_audit_rules.yaml:125:10)
falco │ [falco] ------
falco │ [falco]   output: K8s Operation performed by user not in allowed list of users (user=%ka.user.na...
falco │ [falco]           ^
falco │ [falco] ------
falco │ [falco] LOAD_ERR_COMPILE_OUTPUT (Error compiling output): invalid formatting token container.id container_image=%container.image.repository container_image_tag=%container.image.tag container_name=%container.name k8s_ns=%k8s.ns.name k8s_pod_name=%k8s.pod.name
...

falco -V /etc/falco/k8s_audit_rules.yaml doesn't find any issue.

How to reproduce it

Deploy the latest Helm chart.

Environment

Chart: falcosecurity/falco version 4.4.0

Relevant values:

...
  config:
    artifact:
      install:
        refs: [falco-rules:3, k8saudit-rules:0.10]
      follow:
        refs: [falco-rules:3, k8saudit-rules:0.10]
...
falco:
  json_output: true
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config:
        ""
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  load_plugins: [k8saudit, json]
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
...
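The error above is raised while compiling the rule's output string: the tail of the reported output (`container_id=%container.id container_image=%container.image.repository ... k8s_ns=%k8s.ns.name`) references `container.*` and `k8s.*` fields, which are syscall-source fields and not exposed by the `k8saudit` plugin (whose fields are `ka.*`, with `jevt.*`/`json.*` coming from the `json` plugin). The following added example, which is not part of this issue or the Falco project, is a small linter that walks a list of rules and flags output tokens whose field class is not available for the rule's event source. The rule samples are constructed for the example, and the per-source field-class table is an assumption of the example (it covers the common classes, not every Falco field).

```python
import re

# Field classes a rule output may reference, keyed by event source.
# Assumption of this example: the k8saudit plugin exposes ka.* fields, the json
# plugin jevt.*/json.*, and generic evt.* fields (e.g. evt.time) are available
# to plugin sources as well. Syscall rules get the container/k8s metadata fields.
FIELD_CLASSES_BY_SOURCE = {
    "syscall": {"evt", "proc", "thread", "fd", "user", "group",
                "container", "k8s", "fs"},
    "k8s_audit": {"ka", "jevt", "json", "evt"},
}

# Matches Falco output tokens such as %ka.user.name, %container.image.repository
# or %proc.aname[2]; group 1 is the field class, group 2 the rest of the name.
TOKEN_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)\.([A-Za-z0-9_.]+)(\[[^\]]*\])?")


def output_tokens(output: str) -> list:
    """Return the full field names referenced by an output format string."""
    return [f"{cls}.{rest}" for cls, rest, _ in TOKEN_RE.findall(output)]


def invalid_tokens(output: str, source: str) -> list:
    """Return the referenced fields whose class is not valid for `source`."""
    allowed = FIELD_CLASSES_BY_SOURCE.get(source, set())
    return [field for field in output_tokens(output)
            if field.split(".", 1)[0] not in allowed]


def check_rules(rules: list) -> dict:
    """Map rule name -> list of offending output fields (only rules with problems)."""
    findings = {}
    for rule in rules:
        bad = invalid_tokens(rule["output"], rule.get("source", "syscall"))
        if bad:
            findings[rule["rule"]] = bad
    return findings


# Constructed sample rules: a clean k8s_audit rule, the same rule with the
# container/k8s suffix seen in the error above, and a plain syscall rule.
SAMPLE_RULES = [
    {"rule": "Disallowed K8s User", "source": "k8s_audit",
     "output": ("K8s Operation performed by user not in allowed list of users "
                "(user=%ka.user.name target=%ka.target.name/%ka.target.resource "
                "verb=%ka.verb uri=%ka.uri resp=%ka.response.code)")},
    {"rule": "Disallowed K8s User (appended)", "source": "k8s_audit",
     "output": ("K8s Operation performed by user not in allowed list of users "
                "(user=%ka.user.name) container_id=%container.id "
                "container_image=%container.image.repository k8s_ns=%k8s.ns.name")},
    {"rule": "Terminal shell in container", "source": "syscall",
     "output": ("A shell was spawned in a container (user=%user.name "
                "container_id=%container.id image=%container.image.repository)")},
]

if __name__ == "__main__":
    for name, fields in check_rules(SAMPLE_RULES).items():
        print(f"{name}: fields not available for this source: {', '.join(fields)}")
```

Running the script reports only the appended variant, listing `container.id`, `container.image.repository` and `k8s.ns.name`; the unmodified k8s_audit rule and the syscall rule pass. Because `falco -V` on the page is reported not to find a problem with the file itself, a check like this is most useful when run against the output strings exactly as Falco will compile them, that is, after whatever the deployment appends to them.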
DanielViard commented 1 month ago

I'm facing the same issue on a Rancher RKE2 cluster using the same embedded rule file: /etc/falco/k8s_audit_rules.yaml. I rolled back to 4.3.1 while waiting for a fix.

alacuku commented 1 month ago

Hi @DanielViard, @imreczegledi-form3, we are working on it. We will release a fix ASAP!

alacuku commented 1 month ago

The fix is here: https://github.com/falcosecurity/falco/pull/3236. It will be included in the next patch release of Falco.