Missing container and k8s details except container.id in case of least privileged falco #3256
Comments
|
@LucaGuerra @Andreagit97 re implications of running Falco as least privileged, could you help? |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
Similar experience when deploying in GKE in least privilege mode, when disabled all those detection, where k8s.pod.name and k8s.ns.name are set to null, dissapear. Using latest falco helm chart 4.8.3 |
|
/remove-lifecycle stale |
|
Do you confirm it works as expected with fully privileged mode? It might be just a permission issue on the container socket. |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
Is this still an issue with the latest Falco and Helm chart versions? May this problem be related to the issue addressed by falcosecurity/charts#769 (more context in this comment? 🤔 |
Hello Falco team,
During evaluating Falco on different managed k8s clusters, my team and I observed some unexpected behaviour.
Describe the bug
On AKS k8s cluster, generated alerts are randomly fulfilled with container and k8s information. Only
container.idis listed, but details regarding container's name, image and k8s pod's name, namespace are missing.The behaviour is not related to k8s namespace where target k8s pod is running, but most often the above mentioned details are missing for some containers deployed in
kube-systemnamespace.How to reproduce it
kube-proxy-*in k8s namespacekube-systemcontainer.name,container.image.repository,k8s.pod.name,k8s.ns.nameare set tonull.{ "hostname": "aks-lhxynh188x-14626312-vmss000014", "output": "09:58:35.578767314: Notice A shell was spawned in a container with an attached terminal ...", ... "output_fields": { "container.id": "446c7dbbeac8", "container.image.repository": null, "container.image.tag": null, "container.name": null, "evt.arg.flags": "EXE_WRITABLE", "evt.time": 1718877515578767314, "evt.type": "execve", "k8s.ns.name": null, "k8s.pod.name": null, "proc.cmdline": "sh", "proc.exepath": "/bin/dash", "proc.name": "sh", "proc.pname": "runc", "proc.tty": 34816, "user.loginuid": -1, "user.name": "root", "user.uid": 0 } }crictlto check if container runtime socket could provide the container and k8s related information.curlby runningapk add curlcrictlby following the instruction to install-crictlcrictl -r /host/run/containerd/containerd.sock inspect {container.id}, replace the {container.id} placeholder with a valid container's identifier.crictl inspectcommand in evidences section below.Expected behaviour
All container and k8s related information should be reflected in the alert generated by Falco rule to guarantee the accurate traceability of affected k8s pods and containers.
Evidences
{ "hostname": "aks-lhxynh188x-14626312-vmss000014", "output": "09:58:35.578767314: Notice A shell was spawned in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/dash parent=runc command=sh terminal=34816 exe_flags=EXE_WRITABLE container_id=446c7dbbeac8 container_image=<NA> container_image_tag=<NA> container_name=<NA> k8s_ns=<NA> k8s_pod_name=<NA>)", "priority": "Notice", "rule": "Terminal shell in container", "source": "syscall", "tags": [ "T1059", "container", "maturity_stable", "mitre_execution", "shell" ], "time": "2024-06-20T09:58:35.578767314Z", "output_fields": { "container.id": "446c7dbbeac8", "container.image.repository": null, "container.image.tag": null, "container.name": null, "evt.arg.flags": "EXE_WRITABLE", "evt.time": 1718877515578767314, "evt.type": "execve", "k8s.ns.name": null, "k8s.pod.name": null, "proc.cmdline": "sh", "proc.exepath": "/bin/dash", "proc.name": "sh", "proc.pname": "runc", "proc.tty": 34816, "user.loginuid": -1, "user.name": "root", "user.uid": 0 } }{ "hostname": "aks-lhxynh188x-14626312-vmss000014", "output": "10:48:02.779453149: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=<NA> ggparent=<NA> gggparent=<NA> evt_type=openat user=root user_uid=0 user_loginuid=-1 process=cat proc_exepath=/bin/cat parent=sh command=cat /etc/shadow terminal=34816 container_id=446c7dbbeac8 container_image=<NA> container_image_tag=<NA> container_name=<NA> k8s_ns=<NA> k8s_pod_name=<NA>)", "priority": "Warning", "rule": "Read sensitive file untrusted", "source": "syscall", "tags": [ "T1555", "container", "filesystem", "host", "maturity_stable", "mitre_credential_access" ], "time": "2024-06-20T10:48:02.779453149Z", "output_fields": { "container.id": "446c7dbbeac8", "container.image.repository": null, "container.image.tag": null, "container.name": null, "evt.time": 1718880482779453149, "evt.type": "openat", "fd.name": "/etc/shadow", "k8s.ns.name": null, "k8s.pod.name": null, "proc.aname[2]": null, "proc.aname[3]": null, "proc.aname[4]": null, "proc.cmdline": "cat /etc/shadow", "proc.exepath": "/bin/cat", "proc.name": "cat", "proc.pname": "sh", "proc.tty": 34816, "user.loginuid": -1, "user.name": "root", "user.uid": 0 } }Environment
Falco deployed on AKS cluster using Falco Helm Chart version 4.4.2.
Falco version:
Falco version: 0.38.0 (x86_64)
System info:
{ "machine": "x86_64", "nodename": "falco-8b7db", "release": "5.15.0-1064-azure", "sysname": "Linux", "version": "#73-Ubuntu SMP Tue Apr 30 14:24:24 UTC 2024" }Linux falco-8b7db 5.15.0-1064-azure #73-Ubuntu SMP Tue Apr 30 14:24:24 UTC 2024 x86_64 GNU/LinuxDeploy to k8s cluster as DaemonSet by using Helm Chart version 4.4.2 using the custom values YAML file
The text was updated successfully, but these errors were encountered: