From b1d76ec3ddcb2638056b9f3c8cab7f03b83f9d1e Mon Sep 17 00:00:00 2001
From: Thomas Labarussias
Date: Fri, 13 Sep 2024 17:50:57 +0200
Subject: [PATCH] use a smaller image for the tcpdump for a quicker cold start (pull) (#426)
Signed-off-by: Thomas Labarussias
---
 actionners/kubernetes/tcpdump/tcpdump.go | 20 ++++++++++++++------
 cmd/actionners.go | 8 ++++----
 internal/kubernetes/client/client.go | 6 +++---
 3 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/actionners/kubernetes/tcpdump/tcpdump.go b/actionners/kubernetes/tcpdump/tcpdump.go
index 5607ba22..98ae7b0e 100644
--- a/actionners/kubernetes/tcpdump/tcpdump.go
+++ b/actionners/kubernetes/tcpdump/tcpdump.go
@@ -69,13 +69,16 @@ var (
 )
 type Parameters struct {
- Duration int `mapstructure:"duration" validate:"gte=0"`
- Snaplen int `mapstructure:"snaplen" validate:"gte=0"`
+ Image string `mapstructure:"image"`
+ Duration int `mapstructure:"duration" validate:"gte=0"`
+ Snaplen int `mapstructure:"snaplen" validate:"gte=0"`
 }
 const (
- baseName string = "falco-talon-tcpdump-"
- defaultTTL int = 300
+ baseName string = "falco-talon-tcpdump-"
+ defaultImage string = "issif/tcpdump:latest"
+ defaultTTL int = 300
+ defaultDuration int = 5
 )
 type Actionner struct{}
@@ -108,6 +111,7 @@ func (a Actionner) Parameters() models.Parameters {
 return Parameters{
 Duration: 20,
 Snaplen: 4096,
+ Image: "issif/tcpdump:latest",
 }
 }
@@ -135,7 +139,11 @@ func (a Actionner) Run(event *events.Event, action *rules.Action) (utils.LogLine
 }
 if parameters.Duration == 0 {
- parameters.Duration = 5
+ parameters.Duration = defaultDuration
+ }
+
+ if parameters.Image == "" {
+ parameters.Image = defaultImage
 }
 client := k8s.GetClient()
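Review bot: `defaultImage` is the mutable reference `issif/tcpdump:latest`, and the new `Image` field in `Parameters` has no `validate` tag, unlike `Duration` and `Snaplen`. The image ends up in an ephemeral container attached to the pod under investigation, so it should be reproducible: pin the default by digest, e.g. `defaultImage string = "issif/tcpdump@sha256:<digest>"` (placeholder), and document that rule authors should do the same. For the rule-supplied value, consider rejecting malformed references or restricting it to an approved set of registries, since whoever can edit a rule now chooses what runs next to the workload. The same literal is repeated in `Parameters()` (hunk at -108) and the value is passed unchecked to `CreateEphemeralContainer` (hunk at -153).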
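Review bot: `Image: "issif/tcpdump:latest"` in `Parameters()` repeats the literal that the `defaultImage` constant was introduced for; `Image: defaultImage,` keeps the advertised value and the fallback in `Run` from drifting apart. The surrounding context also shows `Duration: 20` while `Run` falls back to `defaultDuration` (5), so if `Parameters()` is meant to report defaults the two disagree; a one-line comment stating whether it returns defaults or example values would settle it.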
@@ -153,7 +161,7 @@ func (a Actionner) Run(event *events.Event, action *rules.Action) (utils.LogLine
 ephemeralContainerName := fmt.Sprintf("%v%v", baseName, uuid.NewString()[:5])
- err = client.CreateEphemeralContainer(pod, containers[0], ephemeralContainerName, defaultTTL)
+ err = client.CreateEphemeralContainer(pod, containers[0], ephemeralContainerName, parameters.Image, defaultTTL)
 if err != nil {
 return utils.LogLine{
 Objects: objects,
diff --git a/cmd/actionners.go b/cmd/actionners.go
index d447dded..3603ae77 100644
--- a/cmd/actionners.go
+++ b/cmd/actionners.go
@@ -25,18 +25,18 @@ var actionnersListCmd = &cobra.Command{
 Run: func(_ *cobra.Command, _ []string) {
 defaultActionners := actionners.ListDefaultActionners()
 type actionner struct { // nolint:govet
+ Parameters map[string]any `yaml:"parameters"`
 Name string `yaml:"name"`
 Category string `yaml:"category"`
 Description string `yaml:"description"`
 Source string `yaml:"source"`
+ Permissions string `yaml:"permissions,omitempty"`
+ Example string `yaml:"example,omitempty"`
+ RequiredOutputFields []string `yaml:"required_output_fields"`
 Continue bool `yaml:"continue"`
 UseContext bool `yaml:"use_context"`
 AllowOutput bool `yaml:"allow_output"`
 RequireOutput bool `yaml:"require_output"`
- RequiredOutputFields []string `yaml:"required_output_fields"`
- Parameters map[string]any `yaml:"parameters"`
- Permissions string `yaml:"permissions,omitempty"`
- Example string `yaml:"example,omitempty"`
 }
 for _, i := range *defaultActionners {
diff --git a/internal/kubernetes/client/client.go b/internal/kubernetes/client/client.go
index a5bfb365..3184bce9 100644
--- a/internal/kubernetes/client/client.go
+++ b/internal/kubernetes/client/client.go
@@ -448,12 +448,12 @@ func GetHealthyReplicasPercent(replicaset *appsv1.ReplicaSet) (int64, error) {
 return 100 * (healthyReplicas / totalReplicas), nil
 }
-func (client *Client) CreateEphemeralContainer(pod *corev1.Pod, container, name string, ttl int) error {
+func (client *Client) CreateEphemeralContainer(pod *corev1.Pod, container, name, image string, ttl int) error {
 ec := &corev1.EphemeralContainer{
 EphemeralContainerCommon: corev1.EphemeralContainerCommon{
 Name: name,
- Image: "dockersec/tcpdump",
- ImagePullPolicy: corev1.PullIfNotPresent,
+ Image: image,
+ ImagePullPolicy: corev1.PullAlways,
 Command: []string{"sleep", fmt.Sprintf("%v", ttl)},
 Stdin: true,
 TTY: false,
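Review bot: `ImagePullPolicy: corev1.PullAlways` combined with a caller-supplied `image` makes every capture contact the registry when the ephemeral container starts, so the response action fails if the registry is unreachable and otherwise runs whatever the tag resolves to at that moment. If callers pass a digest-pinned reference, `corev1.PullIfNotPresent` keeps the content fixed and skips the registry round-trip; if tags are meant to stay mutable, a comment next to the field such as `// PullAlways: image tag is mutable, always resolve it at start` would record why. The exported method has no doc comment, and the signature now has three adjacent string parameters (`container, name, image string`) that can be transposed without a compile error, so a doc comment naming each one's role would help. The body continues outside the hunk, so the remaining container fields are not visible here.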