diff --git a/charts/kubezero-falco/README.md b/charts/kubezero-falco/README.md
new file mode 100644
index 0000000..1677349
--- /dev/null
+++ b/charts/kubezero-falco/README.md
@@ -0,0 +1,64 @@
+# kubezero-falco
+
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+Falco Container Security and Audit components
+
+**Homepage:**
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Stefan Reimer | | |
+
+## Requirements
+
+Kubernetes: `>= 1.26.0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
+| https://falcosecurity.github.io/charts | k8saudit(falco) | 4.2.5 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| k8saudit.collectors | object | `{"enabled":false}` | Disable the collectors, no syscall events to enrich with metadata. |
+| k8saudit.controller | object | `{"deployment":{"replicas":1},"kind":"deployment"}` | Deploy Falco as a deployment. One instance of Falco is enough. Anyway the number of replicas is configurabale. |
+| k8saudit.controller.deployment.replicas | int | `1` | Number of replicas when installing Falco using a deployment. Change it if you really know what you are doing. For more info check the section on Plugins in the README.md file. |
+| k8saudit.driver | object | `{"enabled":false}` | Disable the drivers since we want to deploy only the k8saudit plugin. |
+| k8saudit.enabled | bool | `false` | |
+| k8saudit.falco.buffered_outputs | bool | `true` | |
+| k8saudit.falco.json_output | bool | `true` | |
+| k8saudit.falco.load_plugins[0] | string | `"k8saudit"` | |
+| k8saudit.falco.load_plugins[1] | string | `"json"` | |
+| k8saudit.falco.log_syslog | bool | `false` | |
+| k8saudit.falco.plugins[0].init_config.maxEventSize | int | `1048576` | |
+| k8saudit.falco.plugins[0].library_path | string | `"libk8saudit.so"` | |
+| k8saudit.falco.plugins[0].name | string | `"k8saudit"` | |
+| k8saudit.falco.plugins[0].open_params | string | `"http://:9765/k8s-audit"` | |
+| k8saudit.falco.plugins[1].init_config | string | `""` | |
+| k8saudit.falco.plugins[1].library_path | string | `"libjson.so"` | |
+| k8saudit.falco.plugins[1].name | string | `"json"` | |
+| k8saudit.falco.rules_file[0] | string | `"/etc/falco/rules.d"` | |
+| k8saudit.falco.syslog_output.enabled | bool | `false` | |
+| k8saudit.falcoctl.artifact.follow.enabled | bool | `false` | |
+| k8saudit.falcoctl.artifact.install.enabled | bool | `false` | |
+| k8saudit.fullnameOverride | string | `"falco-k8saudit"` | |
+| k8saudit.mounts.volumeMounts[0].mountPath | string | `"/etc/falco/rules.d"` | |
+| k8saudit.mounts.volumeMounts[0].name | string | `"rules-volume"` | |
+| k8saudit.mounts.volumes[0].configMap.name | string | `"falco-k8saudit-rules"` | |
+| k8saudit.mounts.volumes[0].name | string | `"rules-volume"` | |
+| k8saudit.nodeSelector."node-role.kubernetes.io/control-plane" | string | `""` | |
+| k8saudit.resources.limits.cpu | string | `"1000m"` | |
+| k8saudit.resources.limits.memory | string | `"512Mi"` | |
+| k8saudit.resources.requests.cpu | string | `"100m"` | |
+| k8saudit.resources.requests.memory | string | `"256Mi"` | |
+| k8saudit.services[0].name | string | `"webhook"` | |
+| k8saudit.services[0].ports[0].port | int | `9765` | |
+| k8saudit.services[0].ports[0].protocol | string | `"TCP"` | |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/kubezero-falco/files/rules/k8s_audit_rules.yaml b/charts/kubezero-falco/files/rules/k8s_audit_rules.yaml index bd0675d..71293c1 100644 --- a/charts/kubezero-falco/files/rules/k8s_audit_rules.yaml +++ b/charts/kubezero-falco/files/rules/k8s_audit_rules.yaml @@ -20,10 +20,12 @@ - required_plugin_versions: - name: k8saudit - version: 0.6.0 + version: 0.7.0 alternatives: - name: k8saudit-eks - version: 0.2.0 + version: 0.4.0 + - name: k8saudit-gke + version: 0.1.0 - name: json version: 0.7.0 
@@ -79,7 +81,45 @@ "eks:vpc-resource-controller", "eks:addon-manager", ] -- + +- list: k8s_audit_sensitive_mount_images + items: [ + falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco, + docker.io/sysdig/sysdig, sysdig/sysdig, + gcr.io/google_containers/hyperkube, + gcr.io/google_containers/kube-proxy, docker.io/calico/node, + docker.io/rook/toolbox, docker.io/cloudnativelabs/kube-router, docker.io/consul, + docker.io/datadog/docker-dd-agent, docker.io/datadog/agent, docker.io/docker/ucp-agent, docker.io/gliderlabs/logspout, + docker.io/netdata/netdata, docker.io/google/cadvisor, docker.io/prom/node-exporter, + amazon/amazon-ecs-agent, prom/node-exporter, amazon/cloudwatch-agent + ] + +- list: k8s_audit_privileged_images + items: [ + falcosecurity/falco, docker.io/falcosecurity/falco, public.ecr.aws/falcosecurity/falco, + docker.io/calico/node, calico/node, + docker.io/cloudnativelabs/kube-router, + docker.io/docker/ucp-agent, + docker.io/mesosphere/mesos-slave, + docker.io/rook/toolbox, + docker.io/sysdig/sysdig, + gcr.io/google_containers/kube-proxy, + gcr.io/google-containers/startup-script, + gcr.io/projectcalico-org/node, + gke.gcr.io/kube-proxy, + gke.gcr.io/gke-metadata-server, + gke.gcr.io/netd-amd64, + gke.gcr.io/watcher-daemonset, + gcr.io/google-containers/prometheus-to-sd, + registry.k8s.io/ip-masq-agent-amd64, + registry.k8s.io/kube-proxy, + registry.k8s.io/prometheus-to-sd, + quay.io/calico/node, + sysdig/sysdig, + registry.k8s.io/dns/k8s-dns-node-cache, + mcr.microsoft.com/oss/kubernetes/kube-proxy + ] + - rule: Disallowed K8s User desc: Detect any k8s operation by users outside of an allowed set of users. condition: kevt and non_system_user and not ka.user.name in (allowed_k8s_users) and not ka.user.name in (eks_allowed_k8s_users) 
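Review bot: The two new allowlists `k8s_audit_sensitive_mount_images` and `k8s_audit_privileged_images` carry no comment saying that they exempt pods from the sensitive-mount and privileged-pod rules purely on `ka.req.pod.containers.image.repository`, which as the field name indicates is the image name without tag or digest, so the exemption is only as strong as the registry resolution behind that name. A one-line header above each list would make that explicit, e.g. `# Images exempt from "Create Privileged Pod": matched on repository name only (no tag/digest), keep minimal and re-check on every upgrade`. Entries such as `falcosecurity/falco`, `sysdig/sysdig`, `docker.io/rook/toolbox` and `gcr.io/google_containers/kube-proxy` appear in both lists; Falco lists may reference other lists, so the shared entries could be factored into one list to keep the two in step. `gcr.io/google_containers/hyperkube` is presumably carried over from upstream and could be dropped if nothing in the cluster still runs it. The hunk opens inside the `eks_allowed_k8s_users` list, whose start is outside the hunk.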
@@ -166,7 +206,7 @@ - rule: Create Privileged Pod desc: > Detect an attempt to start a pod with a privileged container - condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (falco_privileged_images) + condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_privileged_images) output: Pod started with privileged container (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image) priority: WARNING source: k8s_audit @@ -180,7 +220,7 @@ desc: > Detect an attempt to start a pod with a volume from a sensitive host directory (i.e. /proc). Exceptions are made for known trusted images. - condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (falco_sensitive_mount_images) + condition: kevt and pod and kcreate and sensitive_vol_mount and not ka.req.pod.containers.image.repository in (k8s_audit_sensitive_mount_images) output: Pod started with sensitive mount (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace resource=%ka.target.resource images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes]) priority: WARNING source: k8s_audit @@ -188,7 +228,7 @@ # These container images are allowed to run with hostnetwork=true # TODO: Remove k8s.gcr.io reference after 01/Dec/2023 -- list: falco_hostnetwork_images +- list: k8s_audit_hostnetwork_images items: [ gcr.io/google-containers/prometheus-to-sd, gcr.io/projectcalico-org/typha, @@ -196,8 +236,6 @@ gke.gcr.io/gke-metadata-server, gke.gcr.io/kube-proxy, gke.gcr.io/netd-amd64, - k8s.gcr.io/ip-masq-agent-amd64, - k8s.gcr.io/prometheus-to-sd, registry.k8s.io/ip-masq-agent-amd64, registry.k8s.io/prometheus-to-sd ] 
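Review bot: The context comment `# TODO: Remove k8s.gcr.io reference after 01/Dec/2023` directly above the renamed `k8s_audit_hostnetwork_images` list is now stale, because the following hunk (`@@ -196,8 +236,6 @@`) removes the two `k8s.gcr.io/...` entries it refers to; drop the TODO line so the next reader does not go looking for references that no longer exist. If the list touched by the `@@ -344,19 +394,11 @@` hunk carries the same TODO, which this diff does not show, it should go there too. The hostnetwork list starts in this hunk and its remaining entries continue into the next one.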
@@ -205,29 +243,29 @@ # Corresponds to K8s CIS Benchmark 1.7.4 - rule: Create HostNetwork Pod desc: Detect an attempt to start a pod using the host network. - condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostnetwork_images) + condition: kevt and pod and kcreate and ka.req.pod.host_network intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostnetwork_images) output: Pod started using host network (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image) priority: WARNING source: k8s_audit tags: [k8s] -- list: falco_hostpid_images +- list: k8s_audit_hostpid_images items: [] - rule: Create HostPid Pod desc: Detect an attempt to start a pod using the host pid namespace. - condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostpid_images) + condition: kevt and pod and kcreate and ka.req.pod.host_pid intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostpid_images) output: Pod started using host pid namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image) priority: WARNING source: k8s_audit tags: [k8s] -- list: falco_hostipc_images +- list: k8s_audit_hostipc_images items: [] - rule: Create HostIPC Pod desc: Detect an attempt to start a pod using the host ipc namespace. 
- condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (falco_hostipc_images) + condition: kevt and pod and kcreate and ka.req.pod.host_ipc intersects (true) and not ka.req.pod.containers.image.repository in (k8s_audit_hostipc_images) output: Pod started using host ipc namespace (user=%ka.user.name pod=%ka.resp.name resource=%ka.target.resource ns=%ka.target.namespace images=%ka.req.pod.containers.image) priority: WARNING source: k8s_audit @@ -298,6 +336,18 @@ source: k8s_audit tags: [k8s] +- macro: user_known_portforward_activities + condition: (k8s_audit_never_true) + +- rule: port-forward + desc: > + Detect any attempt to portforward + condition: ka.target.subresource in (portforward) and not user_known_portforward_activities + output: Portforward to pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace action=%ka.target.subresource ) + priority: NOTICE + source: k8s_audit + tags: [k8s] + - macro: user_known_pod_debug_activities condition: (k8s_audit_never_true) @@ -344,19 +394,11 @@ gke.gcr.io/addon-resizer, gke.gcr.io/heapster, gke.gcr.io/gke-metadata-server, - k8s.gcr.io/ip-masq-agent-amd64, - k8s.gcr.io/kube-apiserver, registry.k8s.io/ip-masq-agent-amd64, registry.k8s.io/kube-apiserver, gke.gcr.io/kube-proxy, gke.gcr.io/netd-amd64, gke.gcr.io/watcher-daemonset, - k8s.gcr.io/addon-resizer, - k8s.gcr.io/prometheus-to-sd, - k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64, - k8s.gcr.io/k8s-dns-kube-dns-amd64, - k8s.gcr.io/k8s-dns-sidecar-amd64, - k8s.gcr.io/metrics-server-amd64, registry.k8s.io/addon-resizer, registry.k8s.io/prometheus-to-sd, registry.k8s.io/k8s-dns-dnsmasq-nanny-amd64, diff --git a/charts/kubezero-falco/values.yaml b/charts/kubezero-falco/values.yaml index b07ca66..7e80d1b 100644 --- a/charts/kubezero-falco/values.yaml +++ b/charts/kubezero-falco/values.yaml 
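Review bot: The new `port-forward` rule's condition has no `kevt` stage guard, unlike every other rule in this file (`kevt and pod and kcreate ...`), so if the audit policy records more than one stage for the request it will alert once per stage rather than once per session; suggest `condition: kevt and ka.target.subresource in (portforward) and not user_known_portforward_activities`. Because nothing in the condition or output looks at `ka.response.code`, a port-forward rejected by RBAC and a successful one produce identical alerts; adding `response=%ka.response.code` to the output lets the responder separate the two at triage time. The output string also has a stray space before the closing parenthesis (`action=%ka.target.subresource )`), and the lower-case hyphenated rule name departs from the `Create ... Pod` naming style used elsewhere in the file.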
@@ -15,9 +15,9 @@ k8saudit: resources: requests: cpu: 100m - memory: 256Mi + memory: 64Mi limits: - cpu: 1000m + cpu: 1 memory: 512Mi nodeSelector: @@ -43,10 +43,16 @@ k8saudit: falcoctl: artifact: - install: - enabled: false follow: enabled: false + # Since 0.37 the plugins are not part of the image anymore + # but we provide our rules static via our CM + config: + artifact: + allowedTypes: + - plugin + install: + refs: [k8saudit:0.7.0,json:0.7.2] services: - name: webhook diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml index 7d3a02a..19e4095 100644 --- a/charts/kubezero/values.yaml +++ b/charts/kubezero/values.yaml @@ -80,7 +80,7 @@ falco: enabled: false k8saudit: enabled: false - targetRevision: 0.1.0 + targetRevision: 0.1.2 telemetry: enabled: false
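Review bot: The resource values changed here (`memory: 64Mi` request, `cpu: 1` limit) are already out of step with the README added in this same commit, which still documents `requests.memory` as `"256Mi"` and `limits.cpu` as `"1000m"`; helm-docs needs to be re-run after the values change so the generated table matches. The README likewise still lists `k8saudit.falcoctl.artifact.install.enabled`, which the next hunk (`@@ -43,10 +43,16 @@`) removes from values.yaml. Lowering the memory request to a quarter of its previous value while keeping the 512Mi limit lets the scheduler pack the pod onto nodes with far less headroom than it may use during a burst of audit events (`maxEventSize` is 1 MiB and buffered outputs are on); a short comment stating what observed usage the 64Mi figure is based on would help the next person who tunes it.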
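Review bot: `refs: [k8saudit:0.7.0,json:0.7.2]` pins the plugins that falcoctl downloads at pod start by mutable tag only; for a component sitting in the audit pipeline, pinning by immutable digest (`<ref>@sha256:<DIGEST-PLACEHOLDER>`, if the falcoctl version in use accepts digest refs) removes the dependency on the upstream registry never re-pushing a tag. It is also worth a comment that the pod now needs egress to that OCI registry at start-up, which the image-bundled plugins this comment says were dropped in 0.37 did not require. Restricting `allowedTypes` to `plugin` is a sound guard against rules being pulled from the registry, and the comment above it would read better as `# but we ship our rules statically via our ConfigMap`.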