falco: version 0.33.1, chart 2.4.3 EKS: k8saudit-eks plugin does not load

Describe the bug

I have successfully deployed falco for syscall events on EKS and wanted to enable support for EKS audit events in the same deployment. However, it does not work because the k8saudit-eks and json plugins do not load. I followed the documentation https://falco.org/blog/k8saudit-eks-plugin/

How to reproduce it

Here is the configuration of the initial deployment:

falco:
  plugins:
    - name: k8saudit-eks
      library_path: libk8saudit-eks.so
      init_config:
        shift: 10
        polling_interval: 10
        use_async: false
        buffer_size: 500
      open_params: "sandbox-1"
    - name: json
      library_path: libjson.so
      init_config: ""

  load_plugins: [json, k8saudit-eks]

  falcosidekick:
    config:
      customfields: "environment:sandbox,source:falco"
      datadog: 
        apikey: ""
        minimumpriority: warning
        host: "https://api.datadoghq.com"
    enabled: true
    replicaCount: 2
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 100m
        memory: 128Mi
    webui:
      enabled: true
      replicaCount: 1
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
        requests:
          cpu: 100m
          memory: 128Mi
  http_output:
    enabled: true
    url: "http://falcosidekick:2801/"
  image:
    tag: "0.33.1"
  json_output: true
  json_include_output_property: true
  log_level: debug
  resources:
    limits:
      cpu: 100m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 512Mi
  tty: true

  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/FalcoAuditEKS
    create: true
    name: falco-audit-eks
  customRules:
    syscall_custom_rules.yaml: |-

There are no logs showing that the plugins are loading:

k logs -l app.kubernetes.io/name=falco -f
Thu Jan  5 13:40:53 2023: Falco version: 0.33.1 (x86_64)
Thu Jan  5 13:40:53 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Thu Jan  5 13:40:53 2023: Loading rules from file /etc/falco/falco_rules.yaml
Thu Jan  5 13:40:54 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Thu Jan  5 13:40:55 2023: Loading rules from file /etc/falco/rules.d/syscall_custom_rules.yaml
Thu Jan  5 13:40:56 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Thu Jan  5 13:40:56 2023: Starting health webserver with threadiness 4, listening on port 8765
Thu Jan  5 13:40:56 2023: Enabled event sources: syscall
Thu Jan  5 13:40:56 2023: Opening capture with Kernel module
Thu Jan  5 13:40:56 2023: Falco version: 0.33.1 (x86_64)
Thu Jan  5 13:41:04 2023: Falco version: 0.33.1 (x86_64)
Thu Jan  5 13:41:04 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Thu Jan  5 13:41:04 2023: Loading rules from file /etc/falco/falco_rules.yaml
Thu Jan  5 13:41:05 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Thu Jan  5 13:40:56 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Thu Jan  5 13:40:56 2023: Loading rules from file /etc/falco/falco_rules.yaml
Thu Jan  5 13:40:57 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Thu Jan  5 13:40:58 2023: Loading rules from file /etc/falco/rules.d/syscall_custom_rules.yaml
Thu Jan  5 13:40:59 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Thu Jan  5 13:40:59 2023: Starting health webserver with threadiness 4, listening on port 8765
Thu Jan  5 13:40:59 2023: Enabled event sources: syscall
Thu Jan  5 13:40:59 2023: Opening capture with Kernel module
Thu Jan  5 13:41:06 2023: Loading rules from file /etc/falco/rules.d/syscall_custom_rules.yaml
Thu Jan  5 13:41:07 2023: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Thu Jan  5 13:41:07 2023: Starting health webserver with threadiness 4, listening on port 8765
Thu Jan  5 13:41:07 2023: Enabled event sources: syscall
Thu Jan  5 13:41:07 2023: Opening capture with Kernel module

I tried to install on another cluster following the documentation https://github.com/falcosecurity/charts/tree/master/falco and I have the same problem

driver:
  enabled: false

collectors:
  enabled: false

controller:
  kind: deployment

falco:
  rules_file:
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
  plugins:
    - name: k8saudit-eks
      library_path: libk8saudit-eks.so
      init_config:
        region: "us-east-1"
        profile: "default"
        shift: 10
        polling_interval: 10
        use_async: false
        buffer_size: 500
      open_params: "my-cluster"
    - name: json
      library_path: libjson.so
      init_config: ""

  load_plugins: [k8saudit-eks, json]

Expected behaviour

Plugins specified under load_plugins should load

Screenshots

Environment

  • Falco version: 0.33.1
  • System info: EKS 1.21/1.22
  • Cloud provider or hardware configuration:
  • OS: AmazonLinux2
  • Kernel: 5.4.226-129.415.amzn2.x86_64
  • Installation method: Helm

Additional context

About this issue

  • Original URL
  • State: closed
  • Created a year ago
  • Reactions: 1
  • Comments: 21 (5 by maintainers)
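The startup output above is the only evidence the reporter has: with plugins loading, Falco prints a `Loading plugin '...' from file ...` line per plugin and `Enabled event sources` lists `k8s_audit`; without them, only `syscall` appears. As an added example that is not part of this issue or of the Falco project, the following Python helper reads such a log and compares it with the `load_plugins` list, and also extracts the `Plugin requirement not satisfied` error that appears later in the thread. The sample logs are trimmed copies of lines posted in this thread, and the line formats the regular expressions assume are taken from those lines.

```python
import re

# Constructed sample 1: the reporter's output, trimmed to the lines that matter.
# No "Loading plugin" lines and only the syscall source is enabled.
LOG_SYSCALL_ONLY = """\
Thu Jan  5 13:40:53 2023: Falco version: 0.33.1 (x86_64)
Thu Jan  5 13:40:53 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Thu Jan  5 13:40:53 2023: Loading rules from file /etc/falco/falco_rules.yaml
Thu Jan  5 13:40:56 2023: Enabled event sources: syscall
Thu Jan  5 13:40:56 2023: Opening capture with Kernel module
"""

# Constructed sample 2: output from later in the thread, where both plugins load
# but the chart's k8s_audit_rules.yaml demands a plugin that was not loaded.
LOG_WITH_PLUGINS = """\
Fri Jan 13 21:50:51 2023: Falco version: 0.33.1-105+c1985a7 (x86_64)
Fri Jan 13 21:50:51 2023: Loading plugin 'k8saudit-eks' from file /usr/share/falco/plugins/libk8saudit-eks.so
Fri Jan 13 21:50:51 2023: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Fri Jan 13 21:50:51 2023: Loading rules from file /etc/falco/k8s_audit_rules.yaml
Error: Plugin requirement not satisfied, must load one of: k8saudit (>= 0.1.0)
"""

# Line formats assumed from the log lines posted in the thread.
PLUGIN_RE = re.compile(r"Loading plugin '([^']+)' from file (\S+)")
RULES_RE = re.compile(r"Loading rules from file (\S+)")
SOURCES_RE = re.compile(r"Enabled event sources: (.+)$", re.M)
REQ_RE = re.compile(r"Plugin requirement not satisfied, must load one of: (.+)$", re.M)


def loaded_plugins(log):
    """Map plugin name -> library path for every plugin Falco reported loading."""
    return dict(PLUGIN_RE.findall(log))


def enabled_sources(log):
    """Set of event sources from the 'Enabled event sources' line (empty if absent)."""
    m = SOURCES_RE.search(log)
    return {s.strip() for s in m.group(1).split(",")} if m else set()


def unmet_requirements(log):
    """[(plugin, min_version), ...] parsed from 'Plugin requirement not satisfied' lines."""
    out = []
    for m in REQ_RE.finditer(log):
        for alt in m.group(1).split(","):
            name, _, ver = alt.strip().partition(" ")
            out.append((name, ver.strip("(>= )")))
    return out


def diagnose(log, expected_plugins):
    """Compare what Falco actually reported with the plugins load_plugins asked for."""
    loaded = loaded_plugins(log)
    return {
        "loaded": sorted(loaded),
        "missing": [p for p in expected_plugins if p not in loaded],
        "rules": RULES_RE.findall(log),
        "sources": enabled_sources(log),
        "unmet": unmet_requirements(log),
    }


if __name__ == "__main__":
    for name, log in (("syscall-only", LOG_SYSCALL_ONLY), ("with-plugins", LOG_WITH_PLUGINS)):
        print(name, diagnose(log, ["k8saudit-eks", "json"]))
```

Run it against `kubectl logs` output piped into a file: an empty `missing` list together with `k8s_audit` in `sources` is the state the reporter was expecting; a non-empty `unmet` list means the rules files being loaded were written for a different plugin than the one configured.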

Most upvoted comments

Here’s my whole values.yaml I’m using for my demos:

tty: true
kubernetes: false

customRules:
  override-k8saudit.yaml: |-
    - list: allowed_k8s_users
      append: true
      items: [eks:cloud-controller-manager, eks:vpc-resource-controller, eks:az-poller]
    - macro: live_endpoint
      append: true
      condition: or ka.uri="/readyz?exclude=kms-provider-0" or ka.uri="/livez?exclude=kms-provider-0"

falco:
  rules_file:
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
  plugins:
    - name: k8saudit-eks
      library_path: libk8saudit-eks.so
      init_config:
        region: "us-east-1"
        # profile: "default"
        shift: 10
        polling_interval: 10
        use_async: false
        buffer_size: 500
      open_params: "falco-demo"
    - name: json
      library_path: libjson.so
      init_config: ""
  load_plugins: [k8saudit-eks, json]
  json_output: true
  json_include_output_property: true
  json_include_tags_property: true
  http_output:
    enabled: true
    url: "http://falco-falcosidekick.falco:2801"

driver:
  enabled: false
collectors:
  enabled: false

controller:
  kind: deployment
  deployment:
    replicas: 1

falcoctl:
  indexes:
  - name: falcosecurity
    url: https://falcosecurity.github.io/falcoctl/index.yaml
  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      allowedTypes:
        - plugin
        - rulesfile
      install:
        resolveDeps: false
        refs: [k8saudit-rules:0.5, k8saudit-eks:0.1, json:0]
      follow:
        refs: [k8saudit-rules:0.5]

I’ve a different daemonset for falco + falcosidekick + falcosidekick-ui, this is why I set also the json_* and http_output values.

I think your missing config is:

falco:
  rules_file:
    - /etc/falco/k8s_audit_rules.yaml

I will hijack this issue and use this comment to document me trying to get it to work.


I downloaded the plugin and built my own image. For now I am using the stable version of the plugin. I get it from here:

Building the image in the following temporary repo:


I got the plugin to load!

Fri Jan 13 13:55:39 2023: Falco version: 0.33.1 (x86_64)
Fri Jan 13 13:55:39 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Fri Jan 13 13:55:39 2023: Loading plugin 'k8saudit-eks' from file /usr/share/falco/plugins/libk8saudit-eks.so
Fri Jan 13 13:55:39 2023: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Fri Jan 13 13:55:39 2023: Loading rules from file /etc/falco/falco_rules.yaml
Fri Jan 13 13:55:39 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
Fri Jan 13 13:55:40 2023: Starting health webserver with threadiness 4, listening on port 8765
Fri Jan 13 13:55:40 2023: Enabled event sources: k8s_audit
Fri Jan 13 13:55:40 2023: Opening capture with plugin 'k8saudit-eks'
Error: RequestError: send request failed
caused by: Post "https://logs.us-east-1.amazonaws.com/": x509: certificate signed by unknown authority
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:

@rtalipov, maybe there is something wrong with your config?

Here are my overrides:

image:
  pullPolicy: Always
  registry: ghcr.io/trallnag
  repository: falco-with-plugins
  tag: master

controller:
  kind: deployment

driver:
  enabled: false

collectors:
  enabled: false

auditLog:
  enabled: true

falco:
  plugins:
    - name: k8saudit-eks
      library_path: libk8saudit-eks.so
      init_config:
        region: "us-east-1"
        profile: "default"
        shift: 10
        polling_interval: 10
        use_async: false
        buffer_size: 500
      open_params: "c360-dev"
    - name: json
      library_path: libjson.so
      init_config: ""
  load_plugins: [k8saudit-eks, json]

Next I will add the certificates to the custom image. There is already a PR open for that by @Issif, but I don’t want to wait.

Installing certs works.

Error: AccessDeniedException: User: arn:aws:sts::023551243526:assumed-role/c360-dev-eks-ng-apps/i-0efaa0f48d3cea5de is not authorized to perform: logs:FilterLogEvents on resource: arn:aws:logs:us-east-1:023551243526:log-group:/aws/eks/c360-dev/cluster:log-stream


Next I will configure permissions.

These seem to be enough:

{
    "Statement": [
        {
            "Action": [
                "logs:Describe*",
                "logs:FilterLogEvents",
                "logs:Get*",
                "logs:List*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:logs:eu-central-1:023551243526:log-group:/aws/eks/CLUSTER_NAME/cluster:*"
            ],
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

I have also overridden the included k8s audit rules because the images don’t contain the latest versions.
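The AccessDeniedException above names exactly the action and resource ARN that the node role lacked, and the policy that followed grants only the read-style `logs:` actions on the cluster's own log group. As an added example that is neither the commenter's nor the Falco project's code, the following Python snippet parses such an error line and evaluates the policy against it with IAM-style wildcard matching, so the least-privilege statement can be checked before it is attached. It assumes the region and `CLUSTER_NAME` placeholder of the posted policy are filled in to match the cluster in the error (`us-east-1`, `c360-dev`); the evaluator covers Action/Resource matching and explicit Deny only, not conditions or resource policies.

```python
import re

# Constructed: the policy posted in the thread, with the region and CLUSTER_NAME
# placeholder filled in to match the cluster named in the AccessDenied error (assumption).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": ["logs:Describe*", "logs:FilterLogEvents", "logs:Get*", "logs:List*"],
            "Resource": ["arn:aws:logs:us-east-1:023551243526:log-group:/aws/eks/c360-dev/cluster:*"],
        }
    ],
}

# Constructed: the error line as printed by the plugin in the thread.
DENIED_LINE = (
    "Error: AccessDeniedException: User: arn:aws:sts::023551243526:assumed-role/"
    "c360-dev-eks-ng-apps/i-0efaa0f48d3cea5de is not authorized to perform: "
    "logs:FilterLogEvents on resource: arn:aws:logs:us-east-1:023551243526:"
    "log-group:/aws/eks/c360-dev/cluster:log-stream"
)

ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)


def parse_access_denied(line):
    """Extract principal, action and resource from an AccessDeniedException message."""
    m = ACCESS_DENIED_RE.search(line)
    return m.groupdict() if m else None


def _glob(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' a single one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def is_allowed(policy, action, resource):
    """Identity-policy evaluation: an explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(_glob(p, action, ignore_case=True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_glob(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def would_policy_fix(policy, denied_line):
    """True if the denied action/resource pair would be allowed by the policy."""
    d = parse_access_denied(denied_line)
    return bool(d) and is_allowed(policy, d["action"], d["resource"])


if __name__ == "__main__":
    print(parse_access_denied(DENIED_LINE))
    print("fixes the reported denial:", would_policy_fix(POLICY, DENIED_LINE))
    print("allows logs:DeleteLogGroup:", is_allowed(POLICY, "logs:DeleteLogGroup",
          "arn:aws:logs:us-east-1:023551243526:log-group:/aws/eks/c360-dev/cluster:log-stream"))
```

The last line is the least-privilege check worth keeping: the policy should satisfy the reported denial while still refusing write actions such as `logs:DeleteLogGroup`, and the resource pattern pins access to this cluster's log group rather than `arn:aws:logs:*`.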


Still not working. Now it is complaining about plugin requirements:

Fri Jan 13 21:50:51 2023: Falco version: 0.33.1-105+c1985a7 (x86_64)
Fri Jan 13 21:50:51 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Fri Jan 13 21:50:51 2023: Loading plugin 'k8saudit-eks' from file /usr/share/falco/plugins/libk8saudit-eks.so
Fri Jan 13 21:50:51 2023: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Fri Jan 13 21:50:51 2023: Loading rules from file /etc/falco/falco_rules.yaml
Fri Jan 13 21:50:51 2023: Loading rules from file /etc/falco/k8s_audit_rules.yaml
Error: Plugin requirement not satisfied, must load one of: k8saudit (>= 0.1.0)

But I have definitely placed the 0.1.0 version of the plugin and the rules YAML looks right.

- required_engine_version: 15
- required_plugin_versions:
  - name: k8saudit-eks
    version: 0.1.0

- rule: Dummy rule
  desc: >
        Dummy rule
  condition: >
        ka.verb in (get,create,delete,update)
  output: user=%ka.user.name verb=%ka.verb target=%ka.target.name target.namespace=%ka.target.namespace resource=%ka.target.resource
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

I finally figured it out. The chart is bringing its own rules and it is overwriting the rules within the image.

You can use any value you want for “name” (alphanumeric chars and - work definitely). It is just used as an identifier for the respective exception.

@Issif, yes that was the case, now it’s working, thanks a lot!