falcosecurity / plugins

Falco plugins registry
Apache License 2.0

Falco CPU 100% and Not Detecting Events #376

Closed ossie-git closed 10 months ago

ossie-git commented 11 months ago

Describe the bug

I configured and enabled k8saudit in falco.yaml and pointed my API Server to send logs to it but:

These are my files:

kubeconfig:

apiVersion: v1
clusters:
- cluster:
    server: http://192.168.121.115:9765/k8s-audit
  name: audit-webhook-service
contexts:
- context:
    cluster: audit-webhook-service
    user: ""
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users: []

audit-policy.yaml:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  omitStages: ["RequestReceived"]

falco.yaml:

falco:
  rules_file:
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config:
        ""
        # maxEventBytes: 1048576
        # sslCertificate: /etc/falco/falco.pem
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  # Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container.
  load_plugins: [k8saudit, json]

Meanwhile, this would work fine:

curl -vv -H "Content-Type: application/json" -d @/tmp/payload.json http://192.168.121.115:9765/k8s-audit

It would be received successfully and trigger a rule, so I know that Falco is properly configured and the API Server works fine as well. Here are the contents of payload.json:

{
  "kind": "EventList",
  "apiVersion": "audit.k8s.io/v1",
  "metadata": {},
  "items": [
    {
      "kind": "Event",
      "apiVersion": "audit.k8s.io/v1",
      "level": "Metadata",
      "auditID": "047a3677-b68c-4f1c-8a10-6e59a5b5ccc7",
      "stage": "ResponseComplete",
      "requestURI": "/api/v1/namespaces?fieldManager=kubectl-create",
      "verb": "create",
      "user": {
        "username": "kubernetes-admin",
        "groups": [
          "system:masters",
          "system:authenticated"
        ]
      },
      "sourceIPs": [
        "172.18.0.1"
      ],
      "userAgent": "kubectl/v1.19.4 (linux/amd64) kubernetes/d360454",
      "objectRef": {
        "resource": "namespaces",
        "name": "def",
        "apiVersion": "v1"
      },
      "responseStatus": {
        "metadata": {},
        "code": 201
      },
      "requestReceivedTimestamp": "2021-01-27T07:36:30.641811Z",
      "stageTimestamp": "2021-01-27T07:36:30.645337Z",
      "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": ""
      }
    }
  ]
}

How to reproduce it

Refer to the above

Expected behaviour

It would work as expected and the CPU should not be so high

Environment
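The curl test in the report only exercises the receiving side with a hand-made payload; it says nothing about whether the kube-apiserver's webhook backend is reaching the Falco host at all, or what its batches look like. The script below is an added example, not code from the original issue, from Falco or from the k8saudit plugin: a throwaway audit-webhook sink that binds the same port and path the posted falco.yaml uses (9765 and /k8s-audit, both taken from the report), answers 404 on any other path and 400 on anything that is not an audit.k8s.io EventList, and prints one line per event it receives. It assumes Falco is stopped while it runs (so the port is free) and that the webhook kubeconfig from the report points at this host. The embedded sample is the single-event EventList from payload.json, included only so the parsing can be checked offline.

```python
"""Throwaway sink for a Kubernetes audit webhook (added example, not Falco code).

Run it on the Falco host with Falco stopped, keep the API server's
--audit-webhook-config-file pointing at http://<host>:9765/k8s-audit, and
watch stdout: if nothing arrives, the problem is delivery (policy, network,
address), not rule matching.
"""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Port and path copied from the issue's falco.yaml open_params / kubeconfig server URL.
LISTEN_PORT = 9765
AUDIT_PATH = "/k8s-audit"


def summarize_event_list(body: bytes) -> list:
    """Parse an audit.k8s.io/v1 EventList; return (auditID, stage, verb, resource, user) per event.

    Raises ValueError when the body is not an EventList document, which is the
    shape the webhook backend posts and the k8saudit endpoint expects.
    """
    doc = json.loads(body)  # JSONDecodeError is a ValueError subclass
    if not isinstance(doc, dict) or doc.get("kind") != "EventList" \
            or not str(doc.get("apiVersion", "")).startswith("audit.k8s.io/"):
        raise ValueError("body is not an audit.k8s.io EventList")
    summaries = []
    for ev in doc.get("items", []):
        ref = ev.get("objectRef") or {}
        user = ev.get("user") or {}
        summaries.append((ev.get("auditID"), ev.get("stage"), ev.get("verb"),
                          ref.get("resource"), user.get("username")))
    return summaries


def handle_webhook(path: str, body: bytes):
    """Decide the sink's answer to one POST: (HTTP status, list of event summaries)."""
    if path != AUDIT_PATH:
        return 404, []
    try:
        return 200, summarize_event_list(body)
    except ValueError:
        return 400, []


class AuditSink(BaseHTTPRequestHandler):
    """One line per delivered event on stdout; rejected requests go to stderr."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, events = handle_webhook(self.path, body)
        for audit_id, stage, verb, resource, user in events:
            print(f"{self.client_address[0]} {audit_id} {stage} {verb} {resource} by {user}", flush=True)
        if status != 200:
            sys.stderr.write(f"{self.client_address[0]} POST {self.path} {length} bytes -> {status}\n")
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # silence the default per-request access log


# Constructed sample: the one-event EventList from the issue's payload.json.
SAMPLE_EVENT_LIST = json.dumps({
    "kind": "EventList",
    "apiVersion": "audit.k8s.io/v1",
    "metadata": {},
    "items": [{
        "kind": "Event",
        "apiVersion": "audit.k8s.io/v1",
        "level": "Metadata",
        "auditID": "047a3677-b68c-4f1c-8a10-6e59a5b5ccc7",
        "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces?fieldManager=kubectl-create",
        "verb": "create",
        "user": {"username": "kubernetes-admin",
                 "groups": ["system:masters", "system:authenticated"]},
        "sourceIPs": ["172.18.0.1"],
        "objectRef": {"resource": "namespaces", "name": "def", "apiVersion": "v1"},
        "responseStatus": {"metadata": {}, "code": 201},
    }],
}).encode()


if __name__ == "__main__":
    # Self-check on the embedded sample, then serve until interrupted.
    print("self-check:", handle_webhook(AUDIT_PATH, SAMPLE_EVENT_LIST))
    HTTPServer(("", LISTEN_PORT), AuditSink).serve_forever()
```

Replaying the report's curl command against this sink should print the sample event; then, with the sink still running, trigger any API call through kubectl and see whether a batch from the API server's address appears. A batch that arrives here but not in Falco points at the plugin side; no batch at all points at the audit policy, the webhook kubeconfig, or connectivity from the control plane to port 9765.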

ossie-git commented 10 months ago

Not sure what I changed but the issue disappeared. So I'm closing this issue