
falcoctl registry push: Add support for AWS ECR #302

Closed
rtalipov opened this issue Jun 6, 2023 · 9 comments

Comments

@rtalipov

rtalipov commented Jun 6, 2023

What would you like to be added:
While basic auth with AWS ECR is working fine, I am not able to push OCI artifacts to the registry.

The following error is generated for the put action:

```
response status code 405: unsupported: Invalid parameter at 'ImageManifest' failed to satisfy constraint: 'Invalid JSON syntax'
```

There are ECR constraints like mediaType that currently do not allow falcoctl to push an OCI artifact.

Why is this needed:
Add support for falcoctl to manage custom Falco rules in an ECR registry.

@CarpathianUA

I'm also interested in this!

@alacuku
Member

alacuku commented Jul 11, 2023

I'll work on it in the coming weeks!

@CarpathianUA

While we're waiting on the next release of falcoctl with ECR support, here is a temporary workaround for handling this (in a k8s environment):

The latest release of the Falco Helm chart provides the ability to set additional volume mounts for the falcoctl-install and falcoctl-follow containers. So I handled that with two additional init containers: one to generate the docker config and one to add the docker-credential-ecr-login binary to work with the credentials store.

Example:

```yaml
...
            extra:
              initContainers:
                - name: ecr-login
                  image: amazon/aws-cli:2.13.0
                  command: ["/bin/sh", "-c"]
                  args:
                    - |
                      token=$(aws ecr get-login-password --region us-east-1)
                      mkdir -p /root/.docker
                      echo -n '{"credsStore": "ecr-login", "auths": {"<REDACTED>.dkr.ecr.us-east-1.amazonaws.com": {"username": "AWS", "password": "'"$token"'", "email": "none"}}}' > /root/.docker/config.json
                  volumeMounts:
                    - name: docker-config
                      mountPath: /root/.docker
                - name: docker-credential-ecr-binary
                  image: alpine:3.18
                  command: ["/bin/sh", "-c"]
                  args:
                    - |
                      apk update
                      apk add --no-cache curl
                      ARCH=$(uname -m)
                      VERSION="0.7.1"
                      if [ "$ARCH" = "aarch64" ]; then
                        URL="https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${VERSION}/linux-arm64/docker-credential-ecr-login"
                      else
                        URL="https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${VERSION}/linux-amd64/docker-credential-ecr-login"
                      fi
                      curl -so /mnt/shared-data/docker-credential-ecr-login "${URL}"
                      chmod +x /mnt/shared-data/docker-credential-ecr-login
                  volumeMounts:
                    - name: shared-data
                      mountPath: /mnt/shared-data
...
            mounts:
              # A list of volumes to add to the Falco pods.
              volumes:
                - name: docker-config
                  emptyDir: {}
                - name: shared-data
                  emptyDir: {}
              volumeMounts:
                - name: docker-config
                  mountPath: /root/.docker
```

Now we can pass the generated docker config and the docker-credential-ecr-login binary to the falcoctl-install and falcoctl-follow containers, and provide our custom OCI artifact image for them (alongside the default out-of-the-box Falco rules):

```yaml
            falcoctl:
              artifact:
                follow:
                  mounts:
                    volumeMounts:
                      - name: docker-config
                        mountPath: /root/.docker
                      - name: shared-data
                        mountPath: /usr/local/bin/docker-credential-ecr-login
                        subPath: docker-credential-ecr-login
                  env:
                    - name: PATH
                      value: /usr/local/bin:/mnt/shared-data
                install:
                  mounts:
                    volumeMounts:
                      - name: docker-config
                        mountPath: /root/.docker
                      - name: shared-data
                        mountPath: /usr/local/bin/docker-credential-ecr-login
                        subPath: docker-credential-ecr-login
                  env:
                    - name: PATH
                      value: /usr/local/bin:/mnt/shared-data
              # `config` sits at the same level as `artifact` (indentation fixed)
              config:
                artifact:
                  install:
                    refs:
                      - falco-rules:1
                      - <REDACTED>.dkr.ecr.us-east-1.amazonaws.com/falco-rules:master
                  follow:
                    refs:
                      - falco-rules:1
                      - <REDACTED>.dkr.ecr.us-east-1.amazonaws.com/falco-rules:master
                    every: 5m
```

To create and package the OCI artifact I use the oras tool. Example:

1. Create a tar archive with your custom rules:

   ```shell
   tar -czf custom_falco_rules.tar.gz custom_falco_rules.yaml
   ```

2. Push them to ECR:

   ```shell
   oras push <REDACTED>.dkr.ecr.us-east-1.amazonaws.com/falco-rules:master custom_falco_rules.tar.gz:application/vnd.cncf.falco.rulesfile.layer.v1+tar.gz
   ```

Now we can install and follow the artifact changes from within the falcoctl-install and falcoctl-follow containers:

```
INFO: Installing the following artifacts: [ghcr.io/falcosecurity/rules/falco-rules:1 <REDACTED>.dkr.ecr.us-east-1.amazonaws.com/falco-rules:master]
INFO: Preparing to pull "ghcr.io/falcosecurity/rules/falco-rules:1"
INFO: Retrieving credentials from local store
INFO: proceeding with empty credentials for registry "ghcr.io"
INFO: Pulling 0ebd09df278e
INFO: Pulling 2348d43196bb
INFO: Pulling 7c5a9073b37f
INFO: Extracting and installing "rulesfile" "falco_rules.yaml.tar.gz"
INFO: Artifact successfully installed in "/rulesfiles"
INFO: Preparing to pull "<REDACTED>.dkr.ecr.us-east-1.amazonaws.com/falco-rules:master"
INFO: Retrieving credentials from local store
INFO: found basic credentials for registry "<REDACTED>.dkr.ecr.us-east-1.amazonaws.com"
INFO: Pulling 44136fa355b3
INFO: Pulling b698a4f905ee
INFO: Pulling 3a77907180e1
INFO: Extracting and installing "rulesfile" "custom_falco_rules.tar.gz"
INFO: Artifact successfully installed in "/rulesfiles"
```

@CarpathianUA

@alacuku Regarding the falcoctl ECR support functionality: it would be great if there were a way to automatically check and refresh the access token during interaction with https://github.com/awslabs/amazon-ecr-credential-helper
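An added example, not falcoctl's code and not posted by anyone in this thread, showing the two pieces the workaround above does by hand in its init container and that the refresh request here asks for: parsing an ECR `GetAuthorizationToken` response (a constructed dict in the shape boto3 returns, where `authorizationToken` is base64 of `AWS:<password>` and `expiresAt` is a datetime), writing the registry entry in the Docker config.json form that `docker login` produces (`auth` = base64 of `user:password`, the field docker-config readers such as oras and falcoctl consume), and deciding when the 12-hour token has to be re-fetched. The registry host, account id, token value and clock readings are constructed placeholders.

```python
"""Added example (not falcoctl's or the thread's code): ECR token handling
for a Docker config.json consumed by falcoctl-install / falcoctl-follow."""
import base64
import json
from datetime import datetime, timedelta, timezone

# Constructed values (placeholders, not a real account or token).
REGISTRY = "123456789012.dkr.ecr.us-east-1.amazonaws.com"
ISSUED_AT = datetime(2023, 7, 11, 8, 0, tzinfo=timezone.utc)
TOKEN_LIFETIME = timedelta(hours=12)  # ECR authorization tokens are valid for 12 hours

# Constructed response in the shape boto3's ecr.get_authorization_token() returns:
# authorizationToken is base64("AWS:<password>"), expiresAt is a datetime.
SAMPLE_RESPONSE = {
    "authorizationData": [{
        "authorizationToken": base64.b64encode(b"AWS:constructed-token-value").decode(),
        "expiresAt": ISSUED_AT + TOKEN_LIFETIME,
        "proxyEndpoint": "https://" + REGISTRY,
    }]
}

# Constructed clock readings used to exercise the refresh check.
NOW_FRESH = ISSUED_AT + timedelta(hours=1)
NOW_NEAR_EXPIRY = ISSUED_AT + timedelta(hours=11, minutes=45)
NOW_EXPIRED = ISSUED_AT + timedelta(hours=13)


def parse_authorization(response):
    """Return (registry_host, username, password, expires_at) from the response."""
    data = response["authorizationData"][0]
    raw = base64.b64decode(data["authorizationToken"]).decode()
    username, password = raw.split(":", 1)  # the password part may itself contain ':'
    host = data["proxyEndpoint"]
    if host.startswith("https://"):
        host = host[len("https://"):]
    return host, username, password, data["expiresAt"]


def needs_refresh(expires_at, now, margin=timedelta(minutes=30)):
    """True when the token is expired or will expire within `margin`; the margin
    keeps a long-running `falcoctl artifact follow` from racing the 12-hour cutoff."""
    return now + margin >= expires_at


def docker_config(host, username, password):
    """Serialise the config.json entry. `auth` is base64("user:password"), the field
    `docker login` writes; json.dumps does the quoting that the inline echo in the
    init container does by hand, so the token cannot break the JSON."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps({"auths": {host: {"auth": auth}}}, indent=2)


def read_config_credentials(config_text, host):
    """Inverse of docker_config: recover (username, password) for `host`."""
    entry = json.loads(config_text)["auths"][host]
    username, password = base64.b64decode(entry["auth"]).decode().split(":", 1)
    return username, password


if __name__ == "__main__":
    host, user, password, expires_at = parse_authorization(SAMPLE_RESPONSE)
    print(docker_config(host, user, password))
    print("refresh needed:", needs_refresh(expires_at, datetime.now(timezone.utc)))
```

Because config.json carries the token in clear, the refresh check is also the cue to rewrite the file rather than leave a stale copy behind; the workaround above keeps it in an emptyDir, which lives only as long as the pod.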

@alacuku
Member

alacuku commented Jul 26, 2023

It's easy to support the refresh token for ECR. @max-frank did a great job with PR #299. The idea was to make cases like yours easy to implement. PR #288 added support for workload identity in GKE; it's very similar to what you need.
It would be a significant contribution to falcoctl.

@CarpathianUA

Thanks for the clarification @alacuku! We're waiting for the next release of falcoctl with full ECR support :)

@alacuku
Member

alacuku commented Aug 1, 2023

Hey @rtalipov, @CarpathianUA, here's the fix #310. Could you please try it out?

@rtalipov
Author

rtalipov commented Aug 2, 2023

I was able to successfully push the custom rules file to the ECR repository.

@alacuku
Member

alacuku commented Aug 3, 2023

Please feel free to close this issue.

@rtalipov rtalipov closed this as completed Aug 3, 2023