falco: Incorrect event values for container.image.* when using image digests

Hey there — thanks very much for Falco, it’s an amazing bit of software! 👋

So, we almost exclusively deploy all our images by sha256 digest, as opposed to by tag, and when attempting to update Falco from 0.17.0 to 0.22.1 on a bunch of our k8s clusters we’ve observed that events all seem to have the following container.image.repository and container.image.tag values:

"container.image.repository":"sha256","container.image.tag":"[DIGEST]"

How to reproduce it

I’ve validated this behavior on GKE nodes running 1.15.x on top of COS with Containerd, and have re-deployed our falco install from scratch using https://github.com/falcosecurity/falco/tree/master/integrations/k8s-using-daemonset/k8s-with-rbac

Expected behaviour

I would expect that the repository field would contain the actual image repository, and the tag field either the tag, or digest.

"container.image.repository":"some-image","container.image.tag":"sha256:[DIGEST]"

…or maybe even better, a new field digest in the event that tag is null and the image is being referenced by digest:

"container.image.repository":"some-image","container.image.tag":null,"container.image.digest":"sha256:[DIGEST]"

Environment

  • Falco version:
Falco version: 0.22.1
Driver version: a259b4bf49c3330d9ad6c3eed9eb1a31954259a6
  • System info:
{
  "machine": "x86_64",
  "nodename": "falco-bb4lb",
  "release": "4.19.104+",
  "sysname": "Linux",
  "version": "#1 SMP Wed Feb 19 05:26:34 PST 2020"
}

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 38 (16 by maintainers)
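The issue body above describes an image reference split that ends up with repository "sha256" and the hex digest as the tag. The following added example (not Falco's or the libs project's code; written here to illustrate the expected behaviour section) parses an OCI-style reference `[registry/]repository[:tag][@digest]` into the separate repository, tag and digest fields the reporter asks for, and contrasts it with a hypothetical tag-only split that reproduces the reported values when the runtime hands over a bare `sha256:<hex>` string. The sample digest is a constructed placeholder, and `naive_split` is an assumed reconstruction, not the actual parsing code in any Falco version.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder digest (not a real image); a sha256 digest is 64 hex chars.
SAMPLE_DIGEST = "sha256:" + "ab" * 32

# OCI digest syntax: <algorithm>:<hex>. Real digests are long, so requiring 32+ hex
# characters keeps an ordinary "repo:tag" string from being mistaken for one.
_DIGEST_RE = re.compile(r"^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[a-f0-9]{32,}$")


@dataclass
class ImageRef:
    registry: Optional[str]
    repository: Optional[str]
    tag: Optional[str]
    digest: Optional[str]


def naive_split(image: str):
    """Hypothetical tag-only parser: split on the last ':'.

    Fed a bare digest such as 'sha256:<hex>' it yields ('sha256', '<hex>'),
    which is the repository/tag pair reported in the issue."""
    repo, sep, tag = image.rpartition(":")
    return (image, None) if not sep else (repo, tag)


def parse_image_ref(image: str) -> ImageRef:
    """Parse [registry/]repository[:tag][@digest], treating a bare digest
    as 'no repository' instead of repository='sha256'."""
    if _DIGEST_RE.match(image):
        return ImageRef(None, None, None, image)

    name, _, digest = image.partition("@")
    digest = digest or None
    if digest is not None and not _DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {image!r}")

    # The first path component is a registry only if it looks like a host:
    # it contains a '.' or a ':' (port), or is literally 'localhost'.
    registry = None
    first, slash, rest = name.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, name = first, rest

    # A tag is a ':' after the last '/' of the remaining name; a ':' belonging
    # to a registry port was already removed with the registry above.
    tag = None
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    if not name:
        raise ValueError(f"empty repository in {image!r}")
    return ImageRef(registry, name, tag, digest)


def event_fields(ref: ImageRef) -> dict:
    """Render the fields proposed in the issue (tag null when only a digest is present)."""
    return {
        "container.image.repository": ref.repository,
        "container.image.tag": ref.tag,
        "container.image.digest": ref.digest,
    }


if __name__ == "__main__":
    for image in (SAMPLE_DIGEST,
                  "some-image@" + SAMPLE_DIGEST,
                  "gcr.io/proj/some-image:1.2.3@" + SAMPLE_DIGEST,
                  "localhost:5000/some-image:1.0"):
        print(image)
        print("  naive :", naive_split(image))
        print("  parsed:", event_fields(parse_image_ref(image)))
```

Run it directly to see both splits side by side; the bare-digest case is the one where the tag-only split produces repository "sha256" while the full parser leaves repository and tag empty and fills only the digest. For a rule that keys on `container.image.repository`, that distinction decides whether a digest-deployed workload matches at all.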

Most upvoted comments

@sigurdfalk tagged you in the PR. Added backup lookups … after that I wouldn’t know where else to extract the image from, searched the entire container status response. It certainly isn’t a Falco bug, sometimes it simply just is sha256. I queried Kubernetes audit logs to confirm this. What I don’t know however is if in such corner cases the image from the annotations would also just be sha256. In that case it would be game over.

Amazing ty will start looking into it next week after KubeCon and will ping you on slack as well 🙏 !

Hi @plasticine 👋

We patched the container engine in this regard a bit here https://github.com/falcosecurity/libs/pull/771/files.

Also sometimes see sha256 as container.image.repository, can help 👀 into it, had it on my list already.

Hrm! 🤔 Hoping to get some time to circle back on this next week and see if I can get a more detailed repro

On 29 May 2020, at 10:37 pm, Daniel Pittner notifications@github.com wrote:

Maybe this helps to pin-point things further, I’m seeing the same as @plasticine without BPF enabled on my env (falco 0.23.0): { "machine": "x86_64", "nodename": "falco-2jd7j", "release": "4.4.0-177-generic", "sysname": "Linux", "version": "#207-Ubuntu SMP Mon Mar 16 01:16:10 UTC 2020" } it’s an IBM Cloud IKS 1.15
