falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0
7.16k stars, 884 forks

how falco determines which syscall is coming from which kubernetes pod #796

Closed tahsinrahman closed 4 years ago

tahsinrahman commented 4 years ago

Hi, I'm trying to understand the falco codebase and wondering how falco determines which syscall is coming from which Kubernetes pod?

My guess is, falco lists all pods by calling the Kubernetes API, then goes through podStatus.containerStatus.containerID for all pods. Am I correct?

It'd be great if you could point me to the code where this is actually happening!

Thanks!

poiana commented 4 years ago

@tahsinrahman: There is not a label identifying the kind of this issue. Please specify it either using /kind <group> or manually from the side menu. In case you do not know which kind this proposal is please mention the maintainers using @team/maintainers.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

krisnova commented 4 years ago

Have you watched the TGIK we did? https://youtu.be/fRoTKqH3rHI?t=3808

This is a good introduction to Falco and Kubernetes.

In general

Syscall libraries

We use libraries libscap and libsinsp which are found in multiple places:

Kubernetes Audit

Here is where we concretely parse the Kubernetes Audit JSON

In general I think we are too tightly coupled with Kubernetes and need to refactor this to make it more dynamic/modular.
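The lookup the question above guesses at (take the container ID of the process that issued the syscall, then match it against the container IDs the Kubernetes API reports in each pod's `containerStatuses`) can be shown end to end. The block below is an added illustration, not Falco's own code, and it makes no claim about how libscap or libsinsp implement the mapping; the cgroup file contents and the pod list are constructed sample data, and the `/proc/<pid>/cgroup` layouts it handles are the common docker, kubepods and systemd-scope shapes.

```python
import re
from typing import Dict, List, Optional, Tuple

# A container ID as it appears both in cgroup paths and in
# podStatus.containerStatuses[].containerID: 64 lowercase hex characters.
CONTAINER_ID_RE = re.compile(r"([0-9a-f]{64})")

PodRef = Tuple[str, str, str]  # (namespace, pod name, container name)


def container_id_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Extract the container ID from the text of /proc/<pid>/cgroup.

    Handles the common layouts: cgroup v1 docker ('.../docker/<id>'),
    CRI under kubepods ('.../kubepods/burstable/pod<uid>/<id>') and
    systemd scopes ('.../cri-containerd-<id>.scope').  Returns None when
    no 64-hex ID is present, i.e. the process runs on the host, outside
    any container.
    """
    for line in cgroup_text.splitlines():
        # Each line is 'hierarchy-id:controllers:path'; only the path matters.
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        match = CONTAINER_ID_RE.search(parts[2])
        if match:
            return match.group(1)
    return None


def index_pod_containers(pods: List[dict]) -> Dict[str, PodRef]:
    """Build {container_id: (namespace, pod, container)} from a pod list
    shaped like the Kubernetes API response (only the fields used here).

    The runtime prefix ('docker://', 'containerd://') is stripped so the key
    is the bare ID that the cgroup path carries.  Containers that have not
    started yet carry no containerID and are skipped.
    """
    index: Dict[str, PodRef] = {}
    for pod in pods:
        namespace = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        for status in pod.get("status", {}).get("containerStatuses", []):
            cid = status.get("containerID")
            if not cid:
                continue
            bare_id = cid.split("://", 1)[-1]
            index[bare_id] = (namespace, name, status["name"])
    return index


def pod_for_cgroup(cgroup_text: str, index: Dict[str, PodRef]) -> Optional[PodRef]:
    """Resolve a process's cgroup text to its pod, or None if it is not a
    container or its container is unknown to the pod list (e.g. a container
    started outside Kubernetes on the same node)."""
    cid = container_id_from_cgroup(cgroup_text)
    if cid is None:
        return None
    return index.get(cid)


# ---- constructed sample data (not from any real cluster) ----
CID_WEB = "3f1c" * 16   # 64 hex chars
CID_DB = "9b0e" * 16    # 64 hex chars

SAMPLE_PODS = [
    {"metadata": {"namespace": "prod", "name": "web-7d9f"},
     "status": {"containerStatuses": [
         {"name": "nginx", "containerID": "docker://" + CID_WEB},
         {"name": "sidecar"},  # not started yet: no containerID
     ]}},
    {"metadata": {"namespace": "prod", "name": "db-0"},
     "status": {"containerStatuses": [
         {"name": "postgres", "containerID": "containerd://" + CID_DB},
     ]}},
]

SAMPLE_CGROUPS = {
    "docker v1": "12:memory:/docker/" + CID_WEB + "\n1:name=systemd:/docker/" + CID_WEB + "\n",
    "cri kubepods": "0::/kubepods/burstable/pod1234-uid/" + CID_DB + "\n",
    "systemd scope": "0::/kubepods.slice/kubepods-burstable.slice/cri-containerd-" + CID_DB + ".scope\n",
    "host process": "0::/user.slice/user-1000.slice/session-1.scope\n",
    "unknown container": "0::/docker/" + "c" * 64 + "\n",
}


def demo() -> Dict[str, Optional[PodRef]]:
    index = index_pod_containers(SAMPLE_PODS)
    return {label: pod_for_cgroup(text, index) for label, text in SAMPLE_CGROUPS.items()}


if __name__ == "__main__":
    for label, ref in demo().items():
        print(f"{label:18} -> {ref}")
```

The unmatched cases matter for detection: a syscall from a process whose container ID is absent from the pod list is not a parsing failure but a signal in itself, since it means a container is running on the node that the Kubernetes API does not know about, and a host process (no container ID at all) should keep its own identity rather than being silently attached to some pod.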

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.