feat: Falco version upgrade

charts/kubezero-falco/README.md

@@ -0,0 +1,64 @@
+# kubezero-falco
+
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+Falco Container Security and Audit components
+
+**Homepage:** <https://kubezero.com>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Stefan Reimer | <stefan@zero-downtime.net> |  |
+
+## Requirements
+
+Kubernetes: `>= 1.26.0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
+| https://falcosecurity.github.io/charts | k8saudit(falco) | 4.2.5 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| k8saudit.collectors | object | `{"enabled":false}` | Disable the collectors, no syscall events to enrich with metadata. |
+| k8saudit.controller | object | `{"deployment":{"replicas":1},"kind":"deployment"}` | Deploy Falco as a deployment. One instance of Falco is enough. Anyway the number of replicas is configurabale. |
+| k8saudit.controller.deployment.replicas | int | `1` | Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. For more info check the section on Plugins in the README.md file. |
+| k8saudit.driver | object | `{"enabled":false}` | Disable the drivers since we want to deploy only the k8saudit plugin. |
+| k8saudit.enabled | bool | `false` |  |
+| k8saudit.falco.buffered_outputs | bool | `true` |  |
+| k8saudit.falco.json_output | bool | `true` |  |
+| k8saudit.falco.load_plugins[0] | string | `"k8saudit"` |  |
+| k8saudit.falco.load_plugins[1] | string | `"json"` |  |
+| k8saudit.falco.log_syslog | bool | `false` |  |
+| k8saudit.falco.plugins[0].init_config.maxEventSize | int | `1048576` |  |
+| k8saudit.falco.plugins[0].library_path | string | `"libk8saudit.so"` |  |
+| k8saudit.falco.plugins[0].name | string | `"k8saudit"` |  |
+| k8saudit.falco.plugins[0].open_params | string | `"http://:9765/k8s-audit"` |  |
+| k8saudit.falco.plugins[1].init_config | string | `""` |  |
+| k8saudit.falco.plugins[1].library_path | string | `"libjson.so"` |  |
+| k8saudit.falco.plugins[1].name | string | `"json"` |  |
+| k8saudit.falco.rules_file[0] | string | `"/etc/falco/rules.d"` |  |
+| k8saudit.falco.syslog_output.enabled | bool | `false` |  |
+| k8saudit.falcoctl.artifact.follow.enabled | bool | `false` |  |
+| k8saudit.falcoctl.artifact.install.enabled | bool | `false` |  |
+| k8saudit.fullnameOverride | string | `"falco-k8saudit"` |  |
+| k8saudit.mounts.volumeMounts[0].mountPath | string | `"/etc/falco/rules.d"` |  |
+| k8saudit.mounts.volumeMounts[0].name | string | `"rules-volume"` |  |
+| k8saudit.mounts.volumes[0].configMap.name | string | `"falco-k8saudit-rules"` |  |
+| k8saudit.mounts.volumes[0].name | string | `"rules-volume"` |  |
+| k8saudit.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` |  |
+| k8saudit.resources.limits.cpu | string | `"1000m"` |  |
+| k8saudit.resources.limits.memory | string | `"512Mi"` |  |
+| k8saudit.resources.requests.cpu | string | `"100m"` |  |
+| k8saudit.resources.requests.memory | string | `"256Mi"` |  |
+| k8saudit.services[0].name | string | `"webhook"` |  |
+| k8saudit.services[0].ports[0].port | int | `9765` |  |
+| k8saudit.services[0].ports[0].protocol | string | `"TCP"` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

charts/kubezero-falco/files/rules/k8s_audit_rules.yaml

@@ -20,10 +20,12 @@
 
 - required_plugin_versions:
   - name: k8saudit
-    version: 0.6.0
+    version: 0.7.0
     alternatives:
       - name: k8saudit-eks
-        version: 0.2.0
+        version: 0.4.0
+      - name: k8saudit-gke
+        version: 0.1.0
   - name: json
     version: 0.7.0
 
@@ -79,7 +81,45 @@
     "eks:vpc-resource-controller",
     "eks:addon-manager",
     ]
--
+
+- list: k8s_audit_sensitive_mount_images
+  items: [
+    falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
+    docker.io/sysdig/sysdig, sysdig/sysdig,
+    gcr.io/google_containers/hyperkube,
+    gcr.io/google_containers/kube-proxy, docker.io/calico/node,
+    docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
+    docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
+    docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
+    amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
+  ]
+
+- list: k8s_audit_privileged_images
+  items: [
+    falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
+    docker.io/calico/node, calico/node,
+    docker.io/cloudnativelabs/kube-router,
+    docker.io/docker/ucp-agent,
+    docker.io/mesosphere/mesos-slave,
+    docker.io/rook/toolbox,
+    docker.io/sysdig/sysdig,
+    gcr.io/google_containers/kube-proxy,
+    gcr.io/google-containers/startup-script,
+    gcr.io/projectcalico-org/node,
+    gke.gcr.io/kube-proxy,
+    gke.gcr.io/gke-metadata-server,
+    gke.gcr.io/netd-amd64,
+    gke.gcr.io/watcher-daemonset,
+    gcr.io/google-containers/prometheus-to-sd,
+    registry.k8s.io/ip-masq-agent-amd64,
+    registry.k8s.io/kube-proxy,
+    registry.k8s.io/prometheus-to-sd,
+    quay.io/calico/node,
+    sysdig/sysdig,
+    registry.k8s.io/dns/k8s-dns-node-cache,
+    mcr.microsoft.com/oss/kubernetes/kube-proxy
+  ]
+
 - rule: Disallowed K8s User
   desc: Detect any k8s operation by users outside of an allowed set of users.
   condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
@@ -166,7 +206,7 @@
 - rule: Create Privileged Pod
   desc: >
     Detect an attempt to start a pod with a privileged container
-  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
+  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_privileged_images)
   output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -180,7 +220,7 @@
   desc: >
     Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
     Exceptions are made for known trusted images.
-  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
+  condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (k8s_audit_sensitive_mount_images)
   output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace resource=%ka.target.resource images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
   priority: WARNING
   source: k8s_audit
@@ -188,7 +228,7 @@
 
 # These container images are allowed to run with hostnetwork=true
 # TODO: Remove k8s.gcr.io reference after 01/Dec/2023
-- list: falco_hostnetwork_images
+- list: k8s_audit_hostnetwork_images
   items: [
     gcr.io/google-containers/prometheus-to-sd,
     gcr.io/projectcalico-org/typha,
@@ -196,8 +236,6 @@
     gke.gcr.io/gke-metadata-server,
     gke.gcr.io/kube-proxy,
     gke.gcr.io/netd-amd64,
-    k8s.gcr.io/ip-masq-agent-amd64,
-    k8s.gcr.io/prometheus-to-sd,
     registry.k8s.io/ip-masq-agent-amd64,
     registry.k8s.io/prometheus-to-sd
   ]
@@ -205,29 +243,29 @@
 # Corresponds to K8s CIS Benchmark 1.7.4
 - rule: Create HostNetwork Pod
   desc: Detect an attempt to start a pod using the host network.
-  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
+  condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostnetwork_images)
   output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
 
-- list: falco_hostpid_images
+- list: k8s_audit_hostpid_images
   items: []
 
 - rule: Create HostPid Pod
   desc: Detect an attempt to start a pod using the host pid namespace.
-  condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostpid_images)
+  condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostpid_images)
   output: Pod started using host pid namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
   tags: [k8s]
 
-- list: falco_hostipc_images
+- list: k8s_audit_hostipc_images
   items: []
 
 - rule: Create HostIPC Pod
   desc: Detect an attempt to start a pod using the host ipc namespace.
-  condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostipc_images)
+  condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostipc_images)
   output: Pod started using host ipc namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
   priority: WARNING
   source: k8s_audit
@@ -298,6 +336,18 @@
   source: k8s_audit
   tags: [k8s]
 
+- macro: user_known_portforward_activities
+  condition: (k8s_audit_never_true)
+
+- rule: port-forward
+  desc: >
+    Detect any attempt to portforward
+  condition: ka.target.subresource in (portforward) and not user_known_portforward_activities
+  output: Portforward to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource )
+  priority: NOTICE
+  source: k8s_audit
+  tags: [k8s]
+
 - macro: user_known_pod_debug_activities
   condition: (k8s_audit_never_true)
 
@@ -344,19 +394,11 @@
     gke.gcr.io/addon-resizer,
     gke.gcr.io/heapster,
     gke.gcr.io/gke-metadata-server,
-    k8s.gcr.io/ip-masq-agent-amd64,
-    k8s.gcr.io/kube-apiserver,
     registry.k8s.io/ip-masq-agent-amd64,
     registry.k8s.io/kube-apiserver,
     gke.gcr.io/kube-proxy,
     gke.gcr.io/netd-amd64,
     gke.gcr.io/watcher-daemonset,
-    k8s.gcr.io/addon-resizer,
-    k8s.gcr.io/prometheus-to-sd,
-    k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
-    k8s.gcr.io/k8s-dns-kube-dns-amd64,
-    k8s.gcr.io/k8s-dns-sidecar-amd64,
-    k8s.gcr.io/metrics-server-amd64,
     registry.k8s.io/addon-resizer,
     registry.k8s.io/prometheus-to-sd,
     registry.k8s.io/k8s-dns-dnsmasq-nanny-amd64,

charts/kubezero-falco/values.yaml

@@ -15,9 +15,9 @@ k8saudit:
   resources:
     requests:
       cpu: 100m
-      memory: 256Mi
+      memory: 64Mi
     limits:
-      cpu: 1000m
+      cpu: 1
       memory: 512Mi
 
   nodeSelector:
@@ -43,10 +43,16 @@ k8saudit:
 
   falcoctl:
     artifact:
-      install:
-        enabled: false
       follow:
         enabled: false
+    # Since 0.37 the plugins are not part of the image anymore
+    # but we provide our rules static via our CM
+    config:
+      artifact:
+        allowedTypes:
+          - plugin
+        install:
+          refs: [k8saudit:0.7.0,json:0.7.2]
 
   services:
     - name: webhook

charts/kubezero/values.yaml

@@ -80,7 +80,7 @@ falco:
   enabled: false
   k8saudit:
     enabled: false
-  targetRevision: 0.1.0
+  targetRevision: 0.1.2
 
 telemetry:
   enabled: false