rules of k8saudit-eks plugin use lists defined in falco_rules.yaml, not possible to overwrite #473

Open
jtl-novatec opened this issue Apr 19, 2024 · 4 comments
Labels
kind/bug Something isn't working

Comments

jtl-novatec commented Apr 19, 2024

Describe the bug

When I looked at the k8s_audit_rules.yaml of my falco deployment (uses the k8saudit-eks plugin), I noticed that there are rules that use variables which aren't defined anywhere. For example:

  • falco_privileged_images -> only exists inside falco_rules.yaml
  • falco_sensitive_mount_images -> doesn't get defined anywhere (there is only a comment about it in falco_rules.yaml)

The rules_file example of the plugin's documentation suggests that you don't mount falco_rules.yaml in the deployment.
Therefore, users cannot specify an overwrite to append items to that list.

Expected behaviour

The following commit seems to be related to this problem as it tries to introduce / rename lists from falco_ to k8s_audit_.
The current version of the rules files already addresses this problem (see).
However, it looks like the k8saudit-eks plugin hasn't been updated accordingly.

Environment

Kubernetes via Helm Chart falco-4.3.0

@jtl-novatec jtl-novatec added the kind/bug Something isn't working label Apr 19, 2024
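
A check for the situation this report describes, added here as an example (it is not code from the issue or from the Falco project): it flags list names that a rules file uses as operands but does not define itself. It assumes the rules are already parsed into Python lists of dicts (the shape a YAML loader returns); the sample rules, the image name and the `falco_` prefix heuristic are constructed for illustration.

```python
import re

# Right-hand side of the Falco condition operators that take a value list.
_OPERAND = re.compile(r"\b(?:in|intersects|pmatch)\s*\(([^()]*)\)")
_BARE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # unquoted identifier

def defined_lists(docs):
    return {d["list"] for d in docs if "list" in d}

def referenced_names(docs):
    """Map each bare name used as a list operand to the items that use it."""
    refs = {}
    for d in docs:
        owner = d.get("rule") or d.get("macro") or d.get("list")
        tokens = [t.strip() for m in _OPERAND.finditer(d.get("condition", ""))
                  for t in m.group(1).split(",")]
        if "list" in d:  # a list's items may name other lists
            tokens += [str(i) for i in d.get("items", [])]
        for t in tokens:
            if _BARE.match(t):
                refs.setdefault(t, []).append(owner)
    return refs

def dangling_list_refs(docs, other_docs=(), prefix="falco_"):
    """Names used in docs that are defined only in other_docs, or nowhere.
    Bare literals (e.g. verbs) are ignored unless they carry the prefix (heuristic)."""
    local, elsewhere = defined_lists(docs), defined_lists(other_docs)
    out = {}
    for name, owners in referenced_names(docs).items():
        if name in local:
            continue
        if name in elsewhere:
            out[name] = ("defined only in other file", owners)
        elif name.startswith(prefix):
            out[name] = ("not defined anywhere", owners)
    return out

# Constructed, simplified stand-ins for k8s_audit_rules.yaml and falco_rules.yaml.
K8S_AUDIT = [
    {"list": "k8s_audit_verbs", "items": ["create", "update"]},
    {"rule": "constructed privileged pod rule", "condition":
     "ka.verb in (k8s_audit_verbs) and not "
     "ka.req.pod.containers.image.repository in (falco_privileged_images)"},
    {"rule": "constructed sensitive mount rule", "condition":
     "not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)"},
]
FALCO_RULES = [{"list": "falco_privileged_images", "items": ["docker.io/example/agent"]}]

if __name__ == "__main__":
    for name, (why, owners) in dangling_list_refs(K8S_AUDIT, FALCO_RULES).items():
        print(f"{name}: {why}, used by {owners}")
```
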
@sboschman
Contributor

Hopefully #468 fixes this as well, as this seems to be related to the standard k8saudit rules.

@jtl-novatec
Author

The EKS audit plugin has a similar version property, does this have to be bumped as well?

@sboschman
Contributor

I don't think so, as the k8saudit-eks plugin itself defines no rules. It uses the default k8saudit rules (from the k8saudit plugin).

falcosecurity	k8saudit              	plugin   	ghcr.io 	falcosecurity/plugins/plugin/k8saudit
falcosecurity	k8saudit-eks          	plugin   	ghcr.io 	falcosecurity/plugins/plugin/k8saudit-eks
falcosecurity	k8saudit-gke          	plugin   	ghcr.io 	falcosecurity/plugins/plugin/k8saudit-gke
falcosecurity	k8saudit-gke-rules    	rulesfile	ghcr.io 	falcosecurity/plugins/ruleset/k8saudit-gke
falcosecurity	k8saudit-rules        	rulesfile	ghcr.io 	falcosecurity/plugins/ruleset/k8saudit

@Issif
Member

Issif commented Apr 24, 2024

Exactly, the k8saudit-eks plugin relies on the k8saudit-rules. By installing the latest version, it should be ok thanks to @sboschman.
