use a smaller image for the tcpdump for a quicker cold start (pull) (#…

…426)

Signed-off-by: Thomas Labarussias <[email protected]>

actionners/kubernetes/tcpdump/tcpdump.go

@@ -69,13 +69,16 @@ var (
 )
 
 type Parameters struct {
-	Duration int `mapstructure:"duration" validate:"gte=0"`
-	Snaplen  int `mapstructure:"snaplen" validate:"gte=0"`
+	Image    string `mapstructure:"image"`
+	Duration int    `mapstructure:"duration" validate:"gte=0"`
+	Snaplen  int    `mapstructure:"snaplen" validate:"gte=0"`
 }
 
 const (
-	baseName   string = "falco-talon-tcpdump-"
-	defaultTTL int    = 300
+	baseName        string = "falco-talon-tcpdump-"
+	defaultImage    string = "issif/tcpdump:latest"
+	defaultTTL      int    = 300
+	defaultDuration int    = 5
 )
 
 type Actionner struct{}
@@ -108,6 +111,7 @@ func (a Actionner) Parameters() models.Parameters {
 	return Parameters{
 		Duration: 20,
 		Snaplen:  4096,
+		Image:    "issif/tcpdump:latest",
 	}
 }
 
@@ -135,7 +139,11 @@ func (a Actionner) Run(event *events.Event, action *rules.Action) (utils.LogLine
 	}
 
 	if parameters.Duration == 0 {
-		parameters.Duration = 5
+		parameters.Duration = defaultDuration
+	}
+
+	if parameters.Image == "" {
+		parameters.Image = defaultImage
 	}
 
 	client := k8s.GetClient()
@@ -153,7 +161,7 @@ func (a Actionner) Run(event *events.Event, action *rules.Action) (utils.LogLine
 
 	ephemeralContainerName := fmt.Sprintf("%v%v", baseName, uuid.NewString()[:5])
 
-	err = client.CreateEphemeralContainer(pod, containers[0], ephemeralContainerName, defaultTTL)
+	err = client.CreateEphemeralContainer(pod, containers[0], ephemeralContainerName, parameters.Image, defaultTTL)
 	if err != nil {
 		return utils.LogLine{
 			Objects: objects,

cmd/actionners.go

@@ -25,18 +25,18 @@ var actionnersListCmd = &cobra.Command{
 	Run: func(_ *cobra.Command, _ []string) {
 		defaultActionners := actionners.ListDefaultActionners()
 		type actionner struct { // nolint:govet
+			Parameters           map[string]any `yaml:"parameters"`
 			Name                 string         `yaml:"name"`
 			Category             string         `yaml:"category"`
 			Description          string         `yaml:"description"`
 			Source               string         `yaml:"source"`
+			Permissions          string         `yaml:"permissions,omitempty"`
+			Example              string         `yaml:"example,omitempty"`
+			RequiredOutputFields []string       `yaml:"required_output_fields"`
 			Continue             bool           `yaml:"continue"`
 			UseContext           bool           `yaml:"use_context"`
 			AllowOutput          bool           `yaml:"allow_output"`
 			RequireOutput        bool           `yaml:"require_output"`
-			RequiredOutputFields []string       `yaml:"required_output_fields"`
-			Parameters           map[string]any `yaml:"parameters"`
-			Permissions          string         `yaml:"permissions,omitempty"`
-			Example              string         `yaml:"example,omitempty"`
 		}
 
 		for _, i := range *defaultActionners {

internal/kubernetes/client/client.go

@@ -448,12 +448,12 @@ func GetHealthyReplicasPercent(replicaset *appsv1.ReplicaSet) (int64, error) {
 	return 100 * (healthyReplicas / totalReplicas), nil
 }
 
-func (client *Client) CreateEphemeralContainer(pod *corev1.Pod, container, name string, ttl int) error {
+func (client *Client) CreateEphemeralContainer(pod *corev1.Pod, container, name, image string, ttl int) error {
 	ec := &corev1.EphemeralContainer{
 		EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 			Name:                     name,
-			Image:                    "dockersec/tcpdump",
-			ImagePullPolicy:          corev1.PullIfNotPresent,
+			Image:                    image,
+			ImagePullPolicy:          corev1.PullAlways,
 			Command:                  []string{"sleep", fmt.Sprintf("%v", ttl)},
 			Stdin:                    true,
 			TTY:                      false,