lizi

Reputation: 1

Falco: couldn't get in datasource k8s-audit in Falcosidekick UI after deploy falco with k8saudit plugin

my test environment:
  kubernetes: 1.20.15
  falco: 0.32.1
  falco helm chart: falco-2.0.17

my deployment process.

  1. deploy falco with helm, with k8saudit plugin
$ helm repo add falcosecurity https://falcosecurity.github.io/charts
$ helm install falco falcosecurity/falco --namespace falco -f ./falco-values-k8saudit.yaml \
  --set falco.grpc.enabled=true \
  --set falco.grpc_output.enabled=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falcosidekick.webui.redis.storageClass="rbd" \
  --set falcosidekick.webui.redis.storageSize="5Gi"

falco-values-k8saudit.yaml is identical to: https://github.com/falcosecurity/charts/blob/master/falco/values-k8saudit.yaml

$ kubectl get all -n falco
NAME                                          READY   STATUS    RESTARTS   AGE
pod/falco-774d78d77-bccdt                     1/1     Running   0          20m
pod/falco-falcosidekick-9957d4fcd-td4b4       1/1     Running   0          20m
pod/falco-falcosidekick-9957d4fcd-v5wxq       1/1     Running   0          20m
pod/falco-falcosidekick-ui-7d6b97856d-jjdcw   1/1     Running   2          20m
pod/falco-falcosidekick-ui-7d6b97856d-s5xj6   1/1     Running   1          20m
pod/falco-falcosidekick-ui-redis-0            1/1     Running   0          20m

NAME                                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
service/falco-falcosidekick            ClusterIP   10.104.198.200   <none>        2801/TCP         20m
service/falco-falcosidekick-ui         ClusterIP   10.109.144.99    <none>        2802/TCP         20m
service/falco-falcosidekick-ui-redis   ClusterIP   10.97.32.201     <none>        6379/TCP         20m
service/falco-k8saudit-webhook         NodePort    10.103.65.15     <none>        9765:30007/TCP   20m

NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/falco                    1/1     1            1           20m
deployment.apps/falco-falcosidekick      2/2     2            2           20m
deployment.apps/falco-falcosidekick-ui   2/2     2            2           20m

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/falco-774d78d77                     1         1         1       20m
replicaset.apps/falco-falcosidekick-9957d4fcd       2         2         2       20m
replicaset.apps/falco-falcosidekick-ui-7d6b97856d   2         2         2       20m

NAME                                            READY   AGE
statefulset.apps/falco-falcosidekick-ui-redis   1/1     20m

  2. create webhook config, refer to https://github.com/falcosecurity/evolution/blob/master/examples/k8s_audit_config/webhook-config.yaml.in
$ cat falco-webhook-config.yaml
---
apiVersion: v1
kind: Config
clusters:
- name: falco
  cluster:
    server: http://10.103.65.15:8765/k8s-audit
contexts:
- context:
    cluster: falco
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []

  3. enable audit log and set the webhook config file in kube-apiserver.yaml
$ kubectl logs falco-774d78d77-bccdt -n falco
Wed Aug 10 05:47:20 2022: Falco version 0.32.1
Wed Aug 10 05:47:20 2022: Falco initialized with configuration file /etc/falco/falco.yaml
Wed Aug 10 05:47:20 2022: Loading plugin (k8saudit) from file /usr/share/falco/plugins/libk8saudit.so
Wed Aug 10 05:47:20 2022: Loading plugin (json) from file /usr/share/falco/plugins/libjson.so
Wed Aug 10 05:47:20 2022: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Wed Aug 10 05:47:20 2022: gRPC server threadiness equals to 4
Wed Aug 10 05:47:20 2022: Starting internal webserver, listening on port 8765
Wed Aug 10 05:47:20 2022: Starting gRPC server at unix:///var/run/falco/falco.sock

but I couldn't get any data in falcosidekick UI.

Questions:

  1. Could anyone help check whether I missed anything?
  2. Does falcosidekick UI support the k8saudit plugin?

Upvotes: 0

Views: 756

Answers (1)

ViCeNTe

Reputation: 16

In version 0.32.0, the Kubernetes Audit Events functionality became a plugin, so instead of receiving traffic through the Falco internal web server on port 8765, the plugin listens for events on a different port, 9765, which you can see in the service falco-k8saudit-webhook shown above.

Thus, after replacing the port with 9765 in the falco-webhook-config.yaml configuration and restarting the API server, you should start seeing K8s events in Falco, and therefore also in Falcosidekick UI.

Upvotes: 0
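The fix from the answer, written out as an added example (not code from the question, the answer, or the Falco project): the asker's webhook config with the port corrected to 9765, followed by the two kube-apiserver pieces the question only mentions in passing. The ClusterIP 10.103.65.15 and the /k8s-audit path come from the question; the audit policy and the mount paths in the flag comments are assumptions, not what the asker actually used.

```yaml
# File 1: falco-webhook-config.yaml (kubeconfig-format webhook backend config)
---
apiVersion: v1
kind: Config
clusters:
- name: falco
  cluster:
    # Wrong (as posted in the question): http://10.103.65.15:8765/k8s-audit
    # 8765 is Falco's internal webserver, which only serves health checks.
    # Since Falco 0.32.0 the k8saudit plugin listens on 9765, exposed here by
    # the falco-k8saudit-webhook Service (9765 ClusterIP, 30007 NodePort).
    server: http://10.103.65.15:9765/k8s-audit
contexts:
- context:
    cluster: falco
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []

# File 2: audit-policy.yaml (assumed minimal policy; without a policy file the
# apiserver emits no audit events at all, so a silent UI can also mean this is
# missing, not just a wrong port)
---
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata

# kube-apiserver flags to add in the static pod manifest
# /etc/kubernetes/manifests/kube-apiserver.yaml, assuming both files are
# mounted into the apiserver container under /etc/kubernetes/audit/:
#   --audit-policy-file=/etc/kubernetes/audit/audit-policy.yaml
#   --audit-webhook-config-file=/etc/kubernetes/audit/falco-webhook-config.yaml
# kubelet restarts the apiserver when the manifest changes.
```

Two caveats. First, the kube-apiserver runs with host networking, so the ClusterIP is only reachable if kube-proxy is programming Services on the control-plane node; if not, point `server:` at a node IP and the NodePort (30007) instead. A quick reachability check from the control-plane node that is independent of any Falco rule is `curl -sS -o /dev/null -w '%{http_code}\n' -X POST http://10.103.65.15:9765/k8s-audit -H 'Content-Type: application/json' -d '{}'`: a connection refused or timeout means the port or route is wrong. Second, `level: Metadata` is enough to prove the pipeline works, but several rules in k8s_audit_rules.yaml inspect request bodies and only fire for events logged at `RequestResponse`, so tune the policy once events show up. Falcosidekick UI itself does not care where an event came from: it displays whatever Falcosidekick receives from Falco's output, whether the source is syscalls or the k8saudit plugin.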
