falco-addon #1922

Closed
wants to merge 9 commits into from
50 changes: 50 additions & 0 deletions microk8s-resources/actions/disable.falco.sh
@@ -0,0 +1,50 @@
#!/usr/bin/env bash

set -e

source $SNAP/actions/common/utils.sh
NAMESPACE_PTR1="falco"
#microk8s helm3 uninstall -n "$NAMESPACE_PTR1" falcosidekick

microk8s helm3 uninstall -n "$NAMESPACE_PTR1" falco

NAMESPACE_PTR="sysdig-agent"

MANIFEST_PTR="https://raw.githubusercontent.com/draios/sysdig-cloud-scripts/master/agent_deploy/kubernetes/sysdig-agent-service.yaml"

KUBECTL="$SNAP/kubectl --kubeconfig=${SNAP_DATA}/credentials/client.config"

KUBECTL_DELETE_ARGS="--wait=true --timeout=180s --ignore-not-found=true"

echo "Disabling sysdig-agent"

# unload the the manifests
$KUBECTL delete $KUBECTL_DELETE_ARGS -n $NAMESPACE_PTR -f "$MANIFEST_PTR" > /dev/null 2>&1

# delete the "sysdigagent" namespace
$KUBECTL delete $KUBECTL_DELETE_ARGS namespace "$NAMESPACE_PTR" > /dev/null 2>&1 || true

echo "sysdigagent is disabled"

# delete the "falco" namespace
$KUBECTL delete $KUBECTL_DELETE_ARGS namespace "$NAMESPACE_PTR1" > /dev/null 2>&1 || true


skip_opt_in_config "audit-log-maxbackup" kube-apiserver
skip_opt_in_config "audit-log-maxsize" kube-apiserver
skip_opt_in_config "audit-log-maxage" kube-apiserver
skip_opt_in_config "audit-policy-file" kube-apiserver
skip_opt_in_config "audit-log-path" kube-apiserver
skip_opt_in_config "audit-webhook-config-file" kube-apiserver
skip_opt_in_config "audit-webhook-batch-max-wait" kube-apiserver
rm -rf "${SNAP_DATA}/args/auditlogging"

restart_service apiserver
apiserver=$(wait_for_service apiserver)
if [[ $apiserver == fail ]]
then
echo "Kubeapiserver did not start on time. Proceeding."
fi
sleep 15
echo "Falco is disabled"
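Review bot: the `microk8s helm3 uninstall -n "$NAMESPACE_PTR1" falco` near the top of this hunk runs under `set -e` with no `|| true`, so if the `falco` release is absent (an enable that failed part-way, or a second `disable`) the script aborts before the namespaces are deleted and before the `skip_opt_in_config` calls strip the audit flags from kube-apiserver, leaving the apiserver configured with an `audit-webhook-config-file` whose receiver no longer exists. Tolerate a missing release the way the `kubectl delete` lines already do, e.g. `microk8s helm3 uninstall -n "$NAMESPACE_PTR1" falco || true`. Second, `$KUBECTL delete ... -f "$MANIFEST_PTR"` fetches the sysdig-agent manifest from the `master` branch at disable time, independently of what `enable` fetched; if the file changed in between, resources created by enable can be left behind. Shipping the manifest inside the snap removes that drift. Minor: the comment reads "unload the the manifests".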

64 changes: 64 additions & 0 deletions microk8s-resources/actions/enable.falco.sh
@@ -0,0 +1,64 @@
#!/usr/bin/env bash

set -e

source $SNAP/actions/common/utils.sh

microk8s enable dns

NAMESPACE_PTR="sysdig-agent"

MANIFEST_PTR="https://raw.githubusercontent.com/draios/sysdig-cloud-scripts/master/agent_deploy/kubernetes/sysdig-agent-service.yaml"
Member

I think getting the manifest from the master will be a problem.

  • Are you certain the master will always work? It is not a release, so there might be a commit that temporarily breaks the master, causing microk8s.enable falco to fail.
  • It makes it really hard for us to have reproducible deployments. Let's say someone opens an issue saying 'falco did not work for me'; how would you know what the user deployed?
  • You pair a manifest with the default values that live in the snap with the manifests in the master branch. How can you be sure that the default values manifest will stay exactly the same as falco evolves?
  • Are you sure that the falco master branch will deploy correctly on kubernetes v1.21 after 2 years? I am not.

Please select a specific release to deploy from https://github.com/falcosecurity/falco/releases


KUBECTL="$SNAP/kubectl --kubeconfig=${SNAP_DATA}/credentials/client.config"

microk8s enable helm3

# make sure the "sysdigagent" namespace exists
$KUBECTL create namespace "$NAMESPACE_PTR" > /dev/null 2>&1 || true

# load the CRD and wait for it to be installed
$KUBECTL apply -f "$MANIFEST_PTR" -n "$NAMESPACE_PTR"

echo "Enabling Auditlogging using webhook"
mkdir -p "${SNAP_DATA}/args/auditlogging" >/dev/null 2>&1
cp "${SNAP}/actions/kube-api-audit.yaml" "${SNAP_DATA}/args/auditlogging"
cp "${SNAP}/actions/webhook-config.yaml" "${SNAP_DATA}/args/auditlogging"
echo "Reconfiguring apiserver"
refresh_opt_in_config "audit-log-maxbackup" "3" kube-apiserver
refresh_opt_in_config "audit-log-maxsize" "1024" kube-apiserver
refresh_opt_in_config "audit-log-maxage" "30" kube-apiserver
refresh_opt_in_config "audit-log-path" "/var/log/kube-apiserver-audit.log" kube-apiserver
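Review bot: the comment above `$KUBECTL apply -f "$MANIFEST_PTR" -n "$NAMESPACE_PTR"` says "load the CRD and wait for it to be installed", but the file applied is `sysdig-agent-service.yaml` and nothing in this region waits for anything; either fix the comment or add a real wait before the audit webhook further down is pointed at that service. Also, `mkdir -p "${SNAP_DATA}/args/auditlogging" >/dev/null 2>&1` hides the only error `mkdir -p` can produce (a permission or read-only filesystem problem), which under `set -e` then surfaces as a confusing failure on the following `cp`; drop the redirection.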
Member

Let's not pollute the host filesystem. Should we keep the MicroK8s logs under SNAP_COMMON?

refresh_opt_in_config "audit-policy-file" "${SNAP_DATA}/args/auditlogging/kube-api-audit.yaml" kube-apiserver
refresh_opt_in_config "audit-webhook-config-file" "${SNAP_DATA}/args/auditlogging/webhook-config-falco.yaml" kube-apiserver
refresh_opt_in_config "audit-webhook-batch-max-wait" "5s" kube-apiserver
AGENT_SERVICE_CLUSTERIP="$($KUBECTL get svc sysdig-agent -o=jsonpath={.spec.clusterIP} -n sysdig-agent)" envsubst < "${SNAP_DATA}/args/auditlogging/webhook-config.yaml" > "${SNAP_DATA}/args/auditlogging/webhook-config-falco.yaml"
#run_with_sudo preserve_env snapctl restart "${SNAP_NAME}.daemon-apiserver"
restart_service apiserver

start_timer="$(date +%s)"
timeout="120"

while ! (is_apiserver_ready)
do
sleep 5
now="$(date +%s)"
if [[ "$now" > "$(($start_timer + $timeout))" ]] ; then
break
fi
done

echo "Auditlogging is enabled"

NAMESPACE_PTR1="falco"
# make sure the "falco" namespace exists
$KUBECTL create namespace "$NAMESPACE_PTR1" > /dev/null 2>&1 || true

microk8s helm3 repo add falcosecurity https://falcosecurity.github.io/charts
microk8s helm3 repo update
#microk8s helm3 install -n "$NAMESPACE_PTR1" falco --set falco.jsonOutput=true --set falco.jsonIncludeOutputProperty=true --set falco.httpOutput.enabled=true --set falco.httpOutput.url="http://falcosidekick:2801/" falcosecurity/falco
microk8s helm3 install falco falcosecurity/falco -n "$NAMESPACE_PTR1" --set falco.jsonOutput=true --set falco.jsonIncludeOutputProperty=true --set falco.httpOut.enabled=true --set falcosidekick.enabled=true --set falcosidekick.config.debug=true $@
sleep 15
echo "Falco is enabled"
#microk8s helm3 install -n "$NAMESPACE_PTR1" falcosidekick --set config.debug=true $@ falcosecurity/falcosidekick
echo "Falcosidekick is enabled"
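Review bot: `--set falco.httpOut.enabled=true` on the `helm3 install` line does not match the value used by the commented-out line just above it, `falco.httpOutput.enabled=true`, which is the key the chart actually reads; Helm accepts unknown keys silently, so as written the HTTP output stays disabled and Falco never posts alerts to the Falcosidekick that `falcosidekick.enabled=true` deploys. Three further points in this region: (1) the cluster IP lookup `AGENT_SERVICE_CLUSTERIP="$($KUBECTL get svc sysdig-agent ...)" envsubst ...` is a prefix assignment, so a failed or empty lookup does not trip `set -e` and `envsubst` renders a webhook config with an empty host; test that the variable is non-empty before writing `webhook-config-falco.yaml`, since the apiserver is restarted with that file on the very next lines. (2) `[[ "$now" > "$(($start_timer + $timeout))" ]]` is a lexicographic string comparison inside `[[ ]]`; use `-gt` for the numeric test. (3) `$@` should be `"$@"` on the install line so a user-supplied `--set` value containing spaces survives, and the commented-out `snapctl restart` and `helm3 install` lines are dead code that leaves the trailing "Falcosidekick is enabled" message detached from any action; remove them. The fixed `sleep 15` before declaring Falco enabled could become `$KUBECTL -n "$NAMESPACE_PTR1" rollout status daemonset/falco`, assuming the release's daemonset keeps the release name.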
69 changes: 69 additions & 0 deletions microk8s-resources/actions/kube-api-audit.yaml
@@ -0,0 +1,69 @@
apiVersion: audit.k8s.io/v1 # This is required.
Member

@ktsakalozos ktsakalozos Apr 2, 2021

Do not place yaml files under actions because they are considered addons. In this case for example you have created a microk8s enable kube-api-audit addon.

What you should do is to create a falco directory under actions and put all your yamls inside there.

kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]

# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]

# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]

# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"

# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]

# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]

# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.

# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
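Review bot: this policy is the example from the Kubernetes audit documentation applied unchanged, and two things deserve a second look before it feeds the webhook configured in enable.falco.sh. First, the pods rule at `level: RequestResponse` copies the full request and response body of every pod create/get/list into both the audit log on the host and the webhook; pod specs routinely carry `env` values and command-line arguments that contain credentials, so unless the receiver needs full bodies, `Request` or `Metadata` for pods narrows what leaves the apiserver. Second, the per-rule `omitStages: ["RequestReceived"]` on the catch-all rule duplicates the top-level `omitStages`, which already applies to every rule; it is harmless but can be dropped to keep the policy readable.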
