Open tspearconquest opened 1 year ago
ei! Thank you for reporting!
The only main concern that I have here is that we already have a lot of repo to manage under the falcosecurity organizations, so not sure we have enough folks to manage yet another repo :/ BTW I understand your issue we will discuss about it, cc @leogr
Hey @tspearconquest
Thank you for bringing this up.
AFAIK maintainers have discussed more than one time to start developing a k8saudit-aks plugin, as we already did with k8saudit-eks. IMO, this would be the preferred option since it reuses the modular design of the primary k8saudit plugin (by importing its Go packages). It would be easier to maintain since it will be implemented in Go, which we extensively use. The k8saudit-aks plugin would not require any external forwarder and would not need a separate repository.
To make this happen, we probably need some help from contributors to kick off this k8saudit-aks project. Still, this would be less painful than revamping and maintaining an outdated project :angel:
Do we know anyone with experience in AKS and Go? :thinking:
cc @Issif @jasondellaluce @cpanato
I don't know Go but willing to learn it; happy to help test it out in our environment if nothing else.
I'm not experienced with AKS either, but I developed the k8saudit-eks plugin. Basically, only the auth + log collection has to be implemented, the logic for extraction and export of the fields is easy, it just requires to import the modules from the k8saudit plugin.
Hey folks,
I think this should be moved to https://github.com/falcosecurity/plugins and become a feature request for a new plugin k8saudit-aks. Let me know if you disagree.
cc @jasondellaluce @LucaGuerra
I agree
I believe this is valuable, but I don't have cycles to take care of it.
/assign I'm assigning this to myself just not to lose track of it, but we need a volunteer willing to implement this new plugin
/help
@leogr: This request has been marked as needing help from a contributor.
Please ensure the request meets the requirements listed here.
If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
We still want this.
/remove-lifecycle stale
/remove-lifecycle stale
/remove-lifecycle stale
Motivation
Back in 2022, I did some testing of AKS Audit Log Forwarder with Falco and was able to confirm that it works properly. Audit logs from AKS are routed via an Event Hub, where the above will pick them up and route them into Falco for analysis by the k8saudit rules. Falco analyzes the events and logs activity based on the rules.
In my org's setup, we use Fluentd to capture container logs from the pods running in the cluster and forward them over to Log Analytics for our SOC team to further analyze and action.
Falco has made some great work on the k8s audit configuration by converting the original k8saudit stuff to a Falco plugin which automatically activates the built-in webserver (zero config when the plugin is enabled) and while this works fine, I've noticed that the audit log forwarder has not had any commits in 2 years; so it appears to me that the project was abandoned by Sysdig. This puts those of us using AKS with auditing requirements in a tough spot. Either we have to maintain the project ourselves, pulling in updates and making patches (not to mention keeping up with Kubernetes dependency library versions), or we run the risk of falling out of compliance with regulatory requirements, or the risk of the forwarder breaking completely one day in the future because of the lack of maintenance and various breaking changes in the cluster.
Side note for those not in the know: At least some of the regular Falco contributors work for Sysdig; though I don't know the exact nature of the relationship between the two teams.
Feature
As a Falco user, it would benefit the community of AKS users if Falco were to take over responsibility for the audit log forwarder. We don't have another good option for getting the event logs from AKS clusters into Falco, because we don't have access to make changes on the master nodes directly; our only options in Azure by default are to send the audit logs directly to an Event Hub, directly to Log Analytics, or directly to a Storage Account.
Alternatives
Can't think of any. My team doesn't have the ability to maintain the project internally; though we have been keeping up with CVE patches in the dependencies, it's a growing concern that one day we will upgrade to a Kubernetes version which is incompatible and the log forwarder will just stop working.
Additional context
I wonder if it possibly could be converted to a Falco plugin itself, or possibly even integrated into the k8saudit plugin? If either of these is an option, then it'd be much easier to set up and use with Falco because it could retrieve the logs from the event hub and pull them into Falco directly, and if integrated into the k8saudit plugin, then we wouldn't even need to have the falco webserver running.
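A sketch of the "log collection" half that Issif describes above, as an added example that is neither Falco's nor the k8saudit-eks plugin's code: it unwraps an Event Hub batch produced by an AKS diagnostic setting into the audit.k8s.io/v1 events that the k8saudit Go packages extract fields from, and rejects non-audit records instead of feeding them to the extractor. The envelope layout (records[].category, records[].properties.log) and the kube-audit category name are assumptions, and the sample batch is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AuditEvent is the subset of an audit.k8s.io/v1 Event that k8saudit rules key on.
type AuditEvent struct {
	Stage     string `json:"stage"`
	Verb      string `json:"verb"`
	User      struct{ Username string `json:"username"` } `json:"user"`
	ObjectRef struct{ Resource, Namespace, Name string } `json:"objectRef"`
}
// aksBatch is one Event Hub message from an AKS diagnostic setting. Assumed layout:
// the raw audit event arrives as a JSON string in properties.log, tagged by category.
type aksBatch struct {
	Records []struct {
		Category   string `json:"category"`
		Properties struct{ Log string `json:"log"` } `json:"properties"`
	} `json:"records"`
}
// DecodeAKSAuditRecords keeps only kube-audit records (other categories carry plain
// apiserver text, not audit JSON) and decodes each embedded audit event.
func DecodeAKSAuditRecords(raw []byte) ([]AuditEvent, error) {
	var b aksBatch
	if err := json.Unmarshal(raw, &b); err != nil {
		return nil, fmt.Errorf("envelope: %w", err)
	}
	var out []AuditEvent
	for _, r := range b.Records {
		if r.Category != "kube-audit" {
			continue // not an audit event; never hand it to the k8saudit extractor
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(r.Properties.Log), &ev); err != nil {
			return nil, fmt.Errorf("kube-audit record: %w", err)
		}
		out = append(out, ev)
	}
	return out, nil
}
// Constructed sample: one audit event plus one non-audit record that must be skipped.
const sampleBatch = `{"records":[
{"category":"kube-audit","properties":{"log":"{\"stage\":\"ResponseComplete\",\"verb\":\"create\",\"user\":{\"username\":\"system:serviceaccount:default:app\"},\"objectRef\":{\"resource\":\"pods\",\"namespace\":\"default\",\"name\":\"debug\"}}"}},
{"category":"kube-apiserver","properties":{"log":"I0101 00:00:00 apiserver text line"}}]}`
func main() {
	evs, err := DecodeAKSAuditRecords([]byte(sampleBatch))
	fmt.Printf("events=%+v err=%v\n", evs, err)
}
```

The decoded events are what a k8saudit-aks plugin would push into the shared k8saudit extraction path; the auth and Event Hub client pieces are not shown here.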