falcosecurity / falcosidekick

Connect Falco to your ecosystem
Apache License 2.0

Add custom tags to all rules without manually overriding or appending each rule #971

Closed dbeilin closed 1 month ago

dbeilin commented 2 months ago

Motivation

I’m forwarding alerts from my dev cluster to my observability cluster, and I’d like to add the "env" to the tags of each rule. I already did something similar using customfields: "env:dev", but using tags I would also be able to filter by it in the UI, which I like better. I know it’s possible using something like this:

- rule: Some Rule Name
  tags: [my_new_tag]
  override:
    tags: append

But it would require me to go over each rule manually. I was hoping this would work:

- rule: *
  tags: [my_new_tag]
  override:
    tags: append

But it’s bad syntax 😄

Feature

It could support a wildcard for rule names, or maybe sidekick can do this somehow (not sure).

Alternatives

For now I thought I could use an initContainer like this:

extra:
  initContainers:
    - name: add-kuku-tag
      image: alpine/k8s:1.28.13
      env:
        - name: TAG
          value: "kuku"
        - name: RULES_DIR
          value: "/etc/falco"
        - name: FALCOCTL_CONFIG
          value: "/etc/falcoctl/falcoctl.yaml"
      command: ["/bin/sh"]
      args:
        - -c
        - |
          #!/bin/sh
          set -e

          # Install the latest falcoctl release (version taken from the GitHub "latest" redirect)
          LATEST=$(curl -sI https://github.com/falcosecurity/falcoctl/releases/latest | awk '/^[Ll]ocation: /{gsub("\r","",$2);split($2,v,"/");print substr(v[8],2)}')
          curl --fail -LS "https://github.com/falcosecurity/falcoctl/releases/download/v${LATEST}/falcoctl_${LATEST}_linux_amd64.tar.gz" | tar -xz
          install -o root -g root -m 0755 falcoctl /usr/local/bin/falcoctl

          # Add the Falco index
          falcoctl index add falcosecurity https://falcosecurity.github.io/falcoctl/index.yaml

          # Fix bug where falcoctl would fail to pull from the registry due to auth error
          yq eval 'del(.registry.auth)' -i "$FALCOCTL_CONFIG"

          # Install falco-rules artifact
          falcoctl artifact install falco-rules:3 \
            --allowed-types rulesfile,plugin \
            --resolve-deps \
            --rulesfiles-dir /rulesfiles \
            --plugins-dir /plugins || { echo "Failed to install falco-rules"; exit 1; }

          # Copy the installed rules to the shared volume
          cp -r /rulesfiles/* "$RULES_DIR/"
          echo "Copied rules to $RULES_DIR"
          ls -la "$RULES_DIR"

          # Add TAG to the tags list of every rule item in falco_rules.yaml.
          # Only items that have a "rule" key are touched, so lists, macros and
          # required_engine_version do not get a stray tags key; strenv() reads
          # TAG from the environment instead of splicing it into the expression.
          yq eval --inplace '(.[] | select(has("rule"))).tags += [strenv(TAG)]' "$RULES_DIR/falco_rules.yaml"
          echo "Added tag '$TAG' to falco_rules.yaml"

      volumeMounts:
        - name: rulesfiles
          mountPath: /rulesfiles
        - name: plugins
          mountPath: /plugins
        - name: rulesfiles-install-dir
          mountPath: /etc/falco

This works, but the rules will be overridden by the Falco Follower in the future, so I would need to restart the pod to have the initContainer do its thing again, which isn't ideal.

Additional context

The customfields option is nice, but the Tags in the UI are actually filterable from the menu, which is way more convenient when looking for custom rules for example.


Thanks
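One way to get the same tags without editing the upstream rules file, as an added example that is not part of this issue or of the falcosidekick project: a POSIX shell script that generates a separate override file using the `override: tags: append` syntax shown above, one stanza per rule. It assumes that Falco loads the generated file after falco_rules.yaml (via `rules_files` order or `/etc/falco/rules.d/`) and uses a constructed sample rules file in place of the real one.

```shell
#!/bin/sh
# Added example (not from the issue): instead of editing falco_rules.yaml in place,
# emit a separate override file that appends one tag to every rule. Falco merges
# rules files in load order, so list this file after the base rules in falco.yaml's
# rules_files (e.g. drop it in /etc/falco/rules.d/); it then survives a refresh of
# falco_rules.yaml by the falcoctl follower.

# Print one override stanza per "- rule: <name>" entry in $1, appending tag $2.
# Only rule items match; lists, macros and required_engine_version are skipped.
gen_tag_overrides() {
    awk -v tag="$2" '
        /^- rule:[ \t]+/ {
            name = $0
            sub(/^- rule:[ \t]+/, "", name)   # strip the key
            sub(/[ \t]+$/, "", name)          # strip trailing blanks
            printf "- rule: %s\n  tags: [%s]\n  override:\n    tags: append\n", name, tag
        }' "$1"
}

# Number of override stanzas in a generated file (one per upstream rule).
count_overrides() {
    grep -c '^- rule: ' "$1"
}

# Constructed sample standing in for /etc/falco/falco_rules.yaml: the rule names are
# real Falco rule names, the rule bodies are shortened placeholders.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
- required_engine_version: 0.31.0
- list: shell_binaries
  items: [ash, bash, sh]
- macro: container
  condition: (container.id != host)
- rule: Terminal shell in container
  condition: spawned_process and container and proc.tty != 0
  output: A shell was spawned in a container with an attached terminal
  priority: NOTICE
  tags: [container, shell, mitre_execution]
- rule: Read sensitive file untrusted
  condition: open_read and fd.name in (sensitive_file_names)
  output: Sensitive file opened for reading by non-trusted program
  priority: WARNING
  tags: [filesystem, mitre_credential_access]
EOF

# Generate the override file; in the cluster this would be written to /etc/falco/rules.d/.
TAGS_FILE=$(mktemp)
gen_tag_overrides "$SAMPLE_RULES" "env_dev" > "$TAGS_FILE"
cat "$TAGS_FILE"
```

Because the override file is regenerated from whatever falco_rules.yaml currently contains, it can be re-run after every rules refresh instead of only at pod start.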

Issif commented 1 month ago

The PR with the feature has been merged; it will be included in the next release.