Closed ossie-git closed 10 months ago
Describe the bug
I configured and enabled k8saudit in falco.yaml and pointed my API Server to send logs to it but:
These are my files:
kubeconfig:
apiVersion: v1
clusters:
  - cluster:
      server: http://192.168.121.115:9765/k8s-audit
    name: audit-webhook-service
contexts:
  - context:
      cluster: audit-webhook-service
      user: ""
    name: default-context
current-context: default-context
kind: Config
preferences: {}
users: []
audit-policy.yaml:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  - level: Metadata
    omitStages: ["RequestReceived"]
falco.yaml:
falco:
  rules_file:
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config: ""
      #  maxEventBytes: 1048576
      #  sslCertificate: /etc/falco/falco.pem
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  # Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container.
  load_plugins: [k8saudit, json]
Meanwhile, this would work fine:
curl -vv -H "Content-Type: application/json" -d @/tmp/payload.json http://192.168.121.115:9765/k8s-audit
would be received successfully and trigger a rule so I know that Falco is properly configured and the API Server works fine as well. Here are the contents of payload.json:
payload.json
{
  "kind": "EventList",
  "apiVersion": "audit.k8s.io/v1",
  "metadata": {},
  "items": [
    {
      "kind": "Event",
      "apiVersion": "audit.k8s.io/v1",
      "level": "Metadata",
      "auditID": "047a3677-b68c-4f1c-8a10-6e59a5b5ccc7",
      "stage": "ResponseComplete",
      "requestURI": "/api/v1/namespaces?fieldManager=kubectl-create",
      "verb": "create",
      "user": {
        "username": "kubernetes-admin",
        "groups": [
          "system:masters",
          "system:authenticated"
        ]
      },
      "sourceIPs": [
        "172.18.0.1"
      ],
      "userAgent": "kubectl/v1.19.4 (linux/amd64) kubernetes/d360454",
      "objectRef": {
        "resource": "namespaces",
        "name": "def",
        "apiVersion": "v1"
      },
      "responseStatus": {
        "metadata": {},
        "code": 201
      },
      "requestReceivedTimestamp": "2021-01-27T07:36:30.641811Z",
      "stageTimestamp": "2021-01-27T07:36:30.645337Z",
      "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": ""
      }
    }
  ]
}
How to reproduce it
Refer to the above
Expected behaviour
It would work as expected and the CPU should not be so high
Environment
Falco version:
# falco --version
Fri Dec 1 07:43:57 2023: Falco version: 0.36.2 (x86_64)
Fri Dec 1 07:43:57 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Falco version: 0.36.2
Libs version: 0.13.4
Plugin API: 3.1.0
Engine: 26
Driver:
  API version: 5.0.0
  Schema version: 2.0.0
  Default driver: 6.0.1+driver
System info:
{
  "machine": "x86_64",
  "nodename": "cks-worker",
  "release": "5.4.0-105-generic",
  "sysname": "Linux",
  "version": "#119-Ubuntu SMP Mon Mar 7 18:49:24 UTC 2022"
}
Cloud provider or hardware configuration: local VM with 4GB RAM
OS:
NAME="Ubuntu"
VERSION="20.04.4 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.4 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Kernel:
Linux cks-worker 5.4.0-105-generic #119-Ubuntu SMP Mon Mar 7 18:49:24 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Installation method:
DEB
Additional context
Not sure what I changed but the issue disappeared. So I'm closing this issue
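The setup in the issue has two halves that can fail independently: the API server delivering audit batches to the webhook URL in the kubeconfig, and Falco's k8saudit plugin accepting them. Below is an added example (not code from the Falco project or from the issue author) that stands in for the Falco endpoint: it listens on the same port and path as the issue's open_params ("http://:9765/k8s-audit"), validates that each POST body is an audit.k8s.io/v1 EventList, and prints one line per event. Point the API server's audit-webhook kubeconfig at it instead of Falco to confirm batches arrive and are well formed. The function names and the SAMPLE_BATCH constant are this example's own; the sample is constructed to mirror the shape of the issue's payload.json.

```python
"""
Minimal stand-in for the Falco k8saudit webhook endpoint.

Added example, not Falco project code. It accepts the same POST the
Kubernetes API server sends to an audit webhook (an audit.k8s.io/v1
EventList) and rejects anything else with a 400, so that a misconfigured
audit policy or kubeconfig shows up here rather than as silence in Falco.
"""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

AUDIT_API_VERSION = "audit.k8s.io/v1"


def parse_audit_batch(body: bytes) -> list:
    """Parse an audit webhook POST body into one summary dict per event.

    Raises ValueError when the body is not a v1 EventList or an item is
    not a v1 Event; a receiver should treat that as a bad request rather
    than silently accept it.
    """
    doc = json.loads(body)
    if doc.get("kind") != "EventList" or doc.get("apiVersion") != AUDIT_API_VERSION:
        raise ValueError("body is not an audit.k8s.io/v1 EventList")
    summaries = []
    for item in doc.get("items", []):
        if item.get("kind") != "Event" or item.get("apiVersion") != AUDIT_API_VERSION:
            raise ValueError("item is not an audit.k8s.io/v1 Event")
        summaries.append({
            "auditID": item.get("auditID"),
            "stage": item.get("stage"),
            "verb": item.get("verb"),
            "user": item.get("user", {}).get("username"),
            "resource": item.get("objectRef", {}).get("resource"),
            "code": item.get("responseStatus", {}).get("code"),
        })
    return summaries


class AuditHandler(BaseHTTPRequestHandler):
    """Accepts POSTs on /k8s-audit only, like the k8saudit plugin's open_params."""

    def do_POST(self):
        if self.path != "/k8s-audit":
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            events = parse_audit_batch(body)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        for ev in events:
            print(f"{ev['auditID']} {ev['stage']} user={ev['user']} "
                  f"{ev['verb']} {ev['resource']} -> {ev['code']}")
        self.send_response(200)
        self.end_headers()


# Constructed sample batch (not a real capture) in the shape of the issue's payload.json.
SAMPLE_BATCH = json.dumps({
    "kind": "EventList",
    "apiVersion": AUDIT_API_VERSION,
    "items": [{
        "kind": "Event",
        "apiVersion": AUDIT_API_VERSION,
        "level": "Metadata",
        "auditID": "00000000-0000-0000-0000-000000000001",
        "stage": "ResponseComplete",
        "verb": "create",
        "user": {"username": "kubernetes-admin"},
        "objectRef": {"resource": "namespaces", "name": "def"},
        "responseStatus": {"code": 201},
    }],
}).encode()


if __name__ == "__main__":
    # Usage: python audit_receiver.py [port]   (defaults to 9765, as in the issue)
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 9765
    HTTPServer(("", port), AuditHandler).serve_forever()
```

With the receiver running, the same curl from the issue (`curl -H "Content-Type: application/json" -d @/tmp/payload.json http://192.168.121.115:9765/k8s-audit`) should print one summary line and return 200; if the API server never produces such lines while kubectl traffic is flowing, the problem is in the audit policy, the `--audit-webhook-config-file` wiring, or network reachability from the control plane, not in Falco.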