Ajinkya16

Reputation: 335

Falco k8s audit plugin usage

I am using an Azure AKS cluster. I have deployed the falco helm chart with the k8s-audit plugin, but I am not getting any events for k8s-audit in the falco log. Following is the falco configuration.

falco:
    falcoctl:
        artifact:
            install:
                # -- Enable the init container. We do not recommend installing plugins for security reasons since they are executable objects.
                # We install only "rulesfiles".
                enabled: true
            follow:
                # -- Enable the sidecar container. We do not support it yet for plugins. It is used only for rules feed such as k8saudit-rules rules.
                enabled: true
        config:
            artifact:
                install:
                    # -- Do not resolve the dependencies for artifacts. By default it is true, but for our use case we disable it.
                    resolveDeps: false
                    # -- List of artifacts to be installed by the falcoctl init container.
                    # We do not recommend installing (or following) plugins for security reasons since they are executable objects.
                    refs: [falco-rules:0, k8saudit-rules:0.5]
                follow:
                    # -- List of artifacts to be followed by the falcoctl sidecar container.
                    # We do not recommend installing (or following) plugins for security reasons since they are executable objects.
                    refs: [falco-rules:0, k8saudit-rules:0.5]
    services:
    - name: k8saudit-webhook
      type: NodePort
      ports:
      - port: 9765 # See plugin open_params
        nodePort: 30007
        protocol: TCP
    falco:
        rules_file:
            - /etc/falco/falco_rules.yaml
            - /etc/falco/k8s_audit_rules.yaml
        plugins:
        - name: k8saudit
          library_path: libk8saudit.so
          init_config: ""
            # maxEventBytes: 1048576
            # sslCertificate: /etc/falco/falco.pem
          open_params: "http://:9765/k8s-audit"
        - name: json
          library_path: libjson.so
          init_config: ""
        load_plugins: [k8saudit, json]

If we have to use a webhook config file, how do we use it in cloud Kubernetes deployments?

Upvotes: 0

Views: 476

Answers (1)

Thomas Labarussias

Reputation: 26

Sadly, the k8saudit plugin doesn't work with managed K8s clusters like AKS, EKS or GKE. The cloud providers are capturing the audit logs for their own usage (i.e. their monitoring systems). This is why we developed an EKS-specific plugin, and someone in the community is working on the GKE one. There was an attempt by a member to write an AKS plugin, but he has been laid off recently and can't work on it anymore.

Upvotes: 0
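Two things from this thread are worth making concrete: what the "webhook config file" the question asks about actually contains, and how to check the Falco side of the pipeline on a cluster where the apiserver will never call it. The file passed to kube-apiserver as --audit-webhook-config-file is a plain kubeconfig whose cluster server is the Falco webhook URL, and it only helps where you control the apiserver flags (--audit-policy-file, --audit-webhook-config-file); managed control planes such as AKS, EKS and GKE do not expose those flags to the cluster operator, which is the situation the answer describes. Independently of that, the k8saudit listener on the NodePort in the question can be exercised directly by POSTing the same JSON the apiserver would send, an audit.k8s.io/v1 EventList, so you can tell a dead listener apart from an apiserver that never calls it. The script below is an added example, not code from the question, the answer or the Falco project. NODE_ADDR is a placeholder node address, the service account, pod IP and user agent in the synthetic event are constructed values, and the port and path are taken from the posted helm values (nodePort 30007, open_params "http://:9765/k8s-audit").

```python
"""Exercise the Falco k8saudit webhook without a kube-apiserver.

Added example; not code from the question, the answer, or the Falco project.
Assumptions (not in the original page): NODE_ADDR is a placeholder node
address; the port and path come from the posted helm values.
"""
import json
import urllib.error
import urllib.request
import uuid
from datetime import datetime, timezone

NODE_ADDR = "10.0.0.4"       # placeholder: a node running Falco (assumption)
NODE_PORT = 30007            # services[0].ports[0].nodePort from the helm values
WEBHOOK_PATH = "/k8s-audit"  # path component of open_params


def webhook_url(node_addr=NODE_ADDR, node_port=NODE_PORT, path=WEBHOOK_PATH):
    """URL the apiserver (or this script) must POST audit batches to."""
    return f"http://{node_addr}:{node_port}{path}"


def build_audit_event(verb, resource, name, namespace, subresource=None,
                      user="system:serviceaccount:default:ci-runner",
                      stage="ResponseComplete", code=200):
    """One audit.k8s.io/v1 Event, the object the audit backend delivers per request.

    The k8saudit rules key on these fields (ka.verb, ka.user.name,
    ka.target.resource, ka.target.subresource, ka.response.code), so a
    synthetic event must carry all of them to look like a real one.
    """
    now = datetime.now(timezone.utc).isoformat()
    uri = f"/api/v1/namespaces/{namespace}/{resource}/{name}"
    ref = {"resource": resource, "namespace": namespace, "name": name, "apiVersion": "v1"}
    if subresource:
        uri += f"/{subresource}"
        ref["subresource"] = subresource
    return {
        "kind": "Event",
        "apiVersion": "audit.k8s.io/v1",
        "level": "RequestResponse",
        "auditID": str(uuid.uuid4()),
        "stage": stage,
        "requestURI": uri,
        "verb": verb,
        "user": {"username": user, "groups": ["system:serviceaccounts", "system:authenticated"]},
        "sourceIPs": ["10.244.1.9"],           # constructed pod IP
        "userAgent": "kubectl/v1.27.0",        # constructed client
        "objectRef": ref,
        "responseStatus": {"metadata": {}, "code": code},
        "requestReceivedTimestamp": now,
        "stageTimestamp": now,
        "annotations": {"authorization.k8s.io/decision": "allow"},
    }


def build_event_list(events):
    """The batch envelope kube-apiserver sends: an EventList, not a bare Event."""
    return {"kind": "EventList", "apiVersion": "audit.k8s.io/v1",
            "metadata": {}, "items": list(events)}


def post_events(url, event_list, timeout=5):
    """POST the batch as JSON. Returns the HTTP status, or None if nothing answered."""
    body = json.dumps(event_list).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code          # listener reached, but it rejected the batch
    except (urllib.error.URLError, OSError):
        return None              # nothing listening, or the NodePort is not routable


def build_webhook_kubeconfig(url):
    """Contents of the file passed to kube-apiserver as --audit-webhook-config-file.

    It is an ordinary kubeconfig; JSON is valid YAML, so json.dumps() output can
    be written straight to disk. Only usable where you control apiserver flags.
    """
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "falco", "cluster": {"server": url}}],
        "contexts": [{"name": "default-context", "context": {"cluster": "falco", "user": ""}}],
        "current-context": "default-context",
        "preferences": {},
        "users": [],
    }


if __name__ == "__main__":
    url = webhook_url()
    # kubectl exec shows up in the audit log as a create on the pods/exec subresource
    batch = build_event_list([
        build_audit_event("create", "pods", "web-0", "default", subresource="exec"),
    ])
    print("webhook kubeconfig:\n" + json.dumps(build_webhook_kubeconfig(url), indent=2))
    print("POST", url, "->", post_events(url, batch))
```

Run it from a machine that can reach the node: a 200 means the k8saudit listener accepted the batch and any rule matching the synthetic exec event will appear in the Falco log, which confirms that the plugin, the rules file and the service are wired correctly and the missing piece is only the apiserver delivery. None means the NodePort itself is unreachable, so the problem is on the network or service side before the apiserver ever enters the picture. The kubeconfig printed at the end is what you would pass on a cluster where you own the control plane; on AKS there is nowhere to pass it.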
