feat: Falco version upgrade
parent
6323508a53
commit
0ad55148de
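--- /dev/null
+++ b/charts/kubezero-falco/README.md
@@ -0,0 +1,64 @@
+# kubezero-falco
+
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+Falco Container Security and Audit components
+
+**Homepage:** <https://kubezero.com>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Stefan Reimer | <stefan@zero-downtime.net> | |
+
+## Requirements
+
+Kubernetes: `>= 1.26.0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
+| https://falcosecurity.github.io/charts | k8saudit(falco) | 4.2.5 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| k8saudit.collectors | object | `{"enabled":false}` | Disable the collectors, no syscall events to enrich with metadata. |
+| k8saudit.controller | object | `{"deployment":{"replicas":1},"kind":"deployment"}` | Deploy Falco as a deployment. One instance of Falco is enough. Anyway the number of replicas is configurabale. |
+| k8saudit.controller.deployment.replicas | int | `1` | Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. For more info check the section on Plugins in the README.md file. |
+| k8saudit.driver | object | `{"enabled":false}` | Disable the drivers since we want to deploy only the k8saudit plugin. |
+| k8saudit.enabled | bool | `false` | |
+| k8saudit.falco.buffered_outputs | bool | `true` | |
+| k8saudit.falco.json_output | bool | `true` | |
+| k8saudit.falco.load_plugins[0] | string | `"k8saudit"` | |
+| k8saudit.falco.load_plugins[1] | string | `"json"` | |
+| k8saudit.falco.log_syslog | bool | `false` | |
+| k8saudit.falco.plugins[0].init_config.maxEventSize | int | `1048576` | |
+| k8saudit.falco.plugins[0].library_path | string | `"libk8saudit.so"` | |
+| k8saudit.falco.plugins[0].name | string | `"k8saudit"` | |
+| k8saudit.falco.plugins[0].open_params | string | `"http://:9765/k8s-audit"` | |
+| k8saudit.falco.plugins[1].init_config | string | `""` | |
+| k8saudit.falco.plugins[1].library_path | string | `"libjson.so"` | |
+| k8saudit.falco.plugins[1].name | string | `"json"` | |
+| k8saudit.falco.rules_file[0] | string | `"/etc/falco/rules.d"` | |
+| k8saudit.falco.syslog_output.enabled | bool | `false` | |
+| k8saudit.falcoctl.artifact.follow.enabled | bool | `false` | |
+| k8saudit.falcoctl.artifact.install.enabled | bool | `false` | |
+| k8saudit.fullnameOverride | string | `"falco-k8saudit"` | |
+| k8saudit.mounts.volumeMounts[0].mountPath | string | `"/etc/falco/rules.d"` | |
+| k8saudit.mounts.volumeMounts[0].name | string | `"rules-volume"` | |
+| k8saudit.mounts.volumes[0].configMap.name | string | `"falco-k8saudit-rules"` | |
+| k8saudit.mounts.volumes[0].name | string | `"rules-volume"` | |
+| k8saudit.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
+| k8saudit.resources.limits.cpu | string | `"1000m"` | |
+| k8saudit.resources.limits.memory | string | `"512Mi"` | |
+| k8saudit.resources.requests.cpu | string | `"100m"` | |
+| k8saudit.resources.requests.memory | string | `"256Mi"` | |
+| k8saudit.services[0].name | string | `"webhook"` | |
+| k8saudit.services[0].ports[0].port | int | `9765` | |
+| k8saudit.services[0].ports[0].protocol | string | `"TCP"` | |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)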
@ -20,10 +20,12 @@
- required_plugin_versions:
- required_plugin_versions:
- name: k8saudit
- name: k8saudit
version: 0.6.0
version: 0.7.0
alternatives:
alternatives:
- name: k8saudit-eks
- name: k8saudit-eks
version: 0.2.0
version: 0.4.0
- name: k8saudit-gke
version: 0.1.0
- name: json
- name: json
version: 0.7.0
version: 0.7.0
@ -79,7 +81,45 @@
"eks:vpc-resource-controller",
"eks:vpc-resource-controller",
"eks:addon-manager",
"eks:addon-manager",
]
]
-
- list: k8s_audit_sensitive_mount_images
items: [
falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
docker.io/sysdig/sysdig, sysdig/sysdig,
gcr.io/google_containers/hyperkube,
gcr.io/google_containers/kube-proxy, docker.io/calico/node,
docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul,
docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout,
docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter,
amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent
]
- list: k8s_audit_privileged_images
items: [
falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco,
docker.io/calico/node, calico/node,
docker.io/cloudnativelabs/kube-router,
docker.io/docker/ucp-agent,
docker.io/mesosphere/mesos-slave,
docker.io/rook/toolbox,
docker.io/sysdig/sysdig,
gcr.io/google_containers/kube-proxy,
gcr.io/google-containers/startup-script,
gcr.io/projectcalico-org/node,
gke.gcr.io/kube-proxy,
gke.gcr.io/gke-metadata-server,
gke.gcr.io/netd-amd64,
gke.gcr.io/watcher-daemonset,
gcr.io/google-containers/prometheus-to-sd,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/kube-proxy,
registry.k8s.io/prometheus-to-sd,
quay.io/calico/node,
sysdig/sysdig,
registry.k8s.io/dns/k8s-dns-node-cache,
mcr.microsoft.com/oss/kubernetes/kube-proxy
]
- rule: Disallowed K8s User
- rule: Disallowed K8s User
desc: Detect any k8s operation by users outside of an allowed set of users.
desc: Detect any k8s operation by users outside of an allowed set of users.
condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users)
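Review bot: The two new allowlists `k8s_audit_sensitive_mount_images` and `k8s_audit_privileged_images` exempt a pod from the privileged and sensitive-mount rules purely on `ka.req.pod.containers.image.repository`, i.e. the repository string from the pod spec, with no tag or digest and, for the short names (`falcosecurity/falco`, `sysdig/sysdig`, `calico/node`, `prom/node-exporter`), no registry either. They look like the upstream default sets and carry entries (consul, datadog, netdata, logspout, mesos-slave, ucp-agent) that a kubezero cluster presumably never runs, and every such entry is an exemption that silently never fires. Consider trimming both lists to the images this chart actually deploys and adding a comment above each list, e.g. `# Matches on repository only (no tag/digest); keep to images actually deployed in this cluster.`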
@ -166,7 +206,7 @@
- rule: Create Privileged Pod
- rule: Create Privileged Pod
desc: >
desc: >
Detect an attempt to start a pod with a privileged container
Detect an attempt to start a pod with a privileged container
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images)
condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_privileged_images)
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
priority: WARNING
source: k8s_audit
source: k8s_audit
@ -180,7 +220,7 @@
desc: >
desc: >
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc).
Exceptions are made for known trusted images.
Exceptions are made for known trusted images.
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images)
condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (k8s_audit_sensitive_mount_images)
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace resource=%ka.target.resource images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace resource=%ka.target.resource images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
priority: WARNING
priority: WARNING
source: k8s_audit
source: k8s_audit
@ -188,7 +228,7 @@
# These container images are allowed to run with hostnetwork=true
# These container images are allowed to run with hostnetwork=true
# TODO: Remove k8s.gcr.io reference after 01/Dec/2023
# TODO: Remove k8s.gcr.io reference after 01/Dec/2023
- list: falco_hostnetwork_images
- list: k8s_audit_hostnetwork_images
items: [
items: [
gcr.io/google-containers/prometheus-to-sd,
gcr.io/google-containers/prometheus-to-sd,
gcr.io/projectcalico-org/typha,
gcr.io/projectcalico-org/typha,
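Review bot: The comment `# TODO: Remove k8s.gcr.io reference after 01/Dec/2023` is kept unchanged on the new side, but the very next hunk (`@ -196,8 +236,6 @@`) removes the two `k8s.gcr.io/...` entries from this same `k8s_audit_hostnetwork_images` list, so the TODO is stale as of this commit and should be dropped with the rename. The later hunk `@ -344,19 +394,11 @@` strips the `k8s.gcr.io` entries from another list whose header is outside the hunk; if a matching TODO precedes that list it needs the same cleanup.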
@ -196,8 +236,6 @@
gke.gcr.io/gke-metadata-server,
gke.gcr.io/gke-metadata-server,
gke.gcr.io/kube-proxy,
gke.gcr.io/kube-proxy,
gke.gcr.io/netd-amd64,
gke.gcr.io/netd-amd64,
k8s.gcr.io/ip-masq-agent-amd64,
k8s.gcr.io/prometheus-to-sd,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/prometheus-to-sd
registry.k8s.io/prometheus-to-sd
]
]
@ -205,29 +243,29 @@
# Corresponds to K8s CIS Benchmark 1.7.4
# Corresponds to K8s CIS Benchmark 1.7.4
- rule: Create HostNetwork Pod
- rule: Create HostNetwork Pod
desc: Detect an attempt to start a pod using the host network.
desc: Detect an attempt to start a pod using the host network.
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images)
condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostnetwork_images)
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
priority: WARNING
source: k8s_audit
source: k8s_audit
tags: [k8s]
tags: [k8s]
- list: falco_hostpid_images
- list: k8s_audit_hostpid_images
items: []
items: []
- rule: Create HostPid Pod
- rule: Create HostPid Pod
desc: Detect an attempt to start a pod using the host pid namespace.
desc: Detect an attempt to start a pod using the host pid namespace.
condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostpid_images)
condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostpid_images)
output: Pod started using host pid namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
output: Pod started using host pid namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
priority: WARNING
source: k8s_audit
source: k8s_audit
tags: [k8s]
tags: [k8s]
- list: falco_hostipc_images
- list: k8s_audit_hostipc_images
items: []
items: []
- rule: Create HostIPC Pod
- rule: Create HostIPC Pod
desc: Detect an attempt to start a pod using the host ipc namespace.
desc: Detect an attempt to start a pod using the host ipc namespace.
condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostipc_images)
condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostipc_images)
output: Pod started using host ipc namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
output: Pod started using host ipc namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image)
priority: WARNING
priority: WARNING
source: k8s_audit
source: k8s_audit
@ -298,6 +336,18 @@
source: k8s_audit
source: k8s_audit
tags: [k8s]
tags: [k8s]
- macro: user_known_portforward_activities
condition: (k8s_audit_never_true)
- rule: port-forward
desc: >
Detect any attempt to portforward
condition: ka.target.subresource in (portforward) and not user_known_portforward_activities
output: Portforward to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource )
priority: NOTICE
source: k8s_audit
tags: [k8s]
- macro: user_known_pod_debug_activities
- macro: user_known_pod_debug_activities
condition: (k8s_audit_never_true)
condition: (k8s_audit_never_true)
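Review bot: The new `port-forward` rule's condition `ka.target.subresource in (portforward) and not user_known_portforward_activities` carries no stage filter, whereas every other rule in this file starts with `kevt and ...`; if the cluster's audit policy records more than one stage for these requests, this rule presumably fires once per recorded stage rather than once per completed request — confirm against the audit policy, or prefix the condition with `kevt and`. The `output` string has a stray space before the closing parenthesis in `action=%ka.target.subresource )`. Since `user_known_portforward_activities` is defined as `(k8s_audit_never_true)`, every port-forward is reported at NOTICE; a comment above the macro such as `# Override point: add expected port-forward users/namespaces here` would tell operators where to tune it.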
@ -344,19 +394,11 @@
gke.gcr.io/addon-resizer,
gke.gcr.io/addon-resizer,
gke.gcr.io/heapster,
gke.gcr.io/heapster,
gke.gcr.io/gke-metadata-server,
gke.gcr.io/gke-metadata-server,
k8s.gcr.io/ip-masq-agent-amd64,
k8s.gcr.io/kube-apiserver,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/ip-masq-agent-amd64,
registry.k8s.io/kube-apiserver,
registry.k8s.io/kube-apiserver,
gke.gcr.io/kube-proxy,
gke.gcr.io/kube-proxy,
gke.gcr.io/netd-amd64,
gke.gcr.io/netd-amd64,
gke.gcr.io/watcher-daemonset,
gke.gcr.io/watcher-daemonset,
k8s.gcr.io/addon-resizer,
k8s.gcr.io/prometheus-to-sd,
k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64,
k8s.gcr.io/k8s-dns-kube-dns-amd64,
k8s.gcr.io/k8s-dns-sidecar-amd64,
k8s.gcr.io/metrics-server-amd64,
registry.k8s.io/addon-resizer,
registry.k8s.io/addon-resizer,
registry.k8s.io/prometheus-to-sd,
registry.k8s.io/prometheus-to-sd,
registry.k8s.io/k8s-dns-dnsmasq-nanny-amd64,
registry.k8s.io/k8s-dns-dnsmasq-nanny-amd64,
@ -15,9 +15,9 @@ k8saudit:
resources:
resources:
requests:
requests:
cpu: 100m
cpu: 100m
memory: 256Mi
memory: 64Mi
limits:
limits:
cpu: 1000m
cpu: 1
memory: 512Mi
memory: 512Mi
nodeSelector:
nodeSelector:
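Review bot: The README.md added in this same commit documents `k8saudit.resources.requests.memory` as `"256Mi"` and `k8saudit.resources.limits.cpu` as `"1000m"` (type string), but this hunk changes the values to `memory: 64Mi` and `cpu: 1`, so the generated docs are stale on arrival and the cpu limit silently changes type from string to int; either regenerate the README with helm-docs after this change or keep `cpu: 1000m` so the documented type holds. Dropping the memory request from 256Mi to 64Mi against an unchanged 512Mi limit widens the burst range considerably; a one-line comment on `requests:` saying why 64Mi is adequate would help the next reviewer.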
@ -43,10 +43,16 @@ k8saudit:
falcoctl:
falcoctl:
artifact:
artifact:
install:
enabled: false
follow:
follow:
enabled: false
enabled: false
# Since 0.37 the plugins are not part of the image anymore
# but we provide our rules static via our CM
config:
artifact:
allowedTypes:
- plugin
install:
refs: [k8saudit:0.7.0,json:0.7.2]
services:
services:
- name: webhook
- name: webhook
@ -80,7 +80,7 @@ falco:
enabled: false
enabled: false
k8saudit:
k8saudit:
enabled: false
enabled: false
targetRevision: 0.1.0
targetRevision: 0.1.2
telemetry:
telemetry:
enabled: false
enabled: false