Move json -> k8s audit event conversion out of falco engine

Move the code that splits a json object into a list of k8s audit/json events out of falco engine and into json_evt. This, along with other changes, allows the falco engine to be more general purpose and not directly tied to the notion of syscall vs k8s audit events. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-09-02 15:15:17 +00:00 · 2021-08-25 16:20:24 -07:00
parent 044a7c153e
commit 1c60dab87e
5 changed files with 89 additions and 89 deletions
--- a/userspace/engine/falco_engine.cpp
+++ b/userspace/engine/falco_engine.cpp
@@ -386,84 +386,6 @@ void falco_engine::populate_rule_result(unique_ptr<struct rule_result> &res, gen
 	}
 }

-bool falco_engine::parse_k8s_audit_json(nlohmann::json &j, std::list<json_event> &evts, bool top)
-{
-	// Note that nlohmann::basic_json::value can throw  nlohmann::basic_json::type_error (302, 306)
-	try
-	{
-		// If the object is an array, call parse_k8s_audit_json again for each item.
-		if(j.is_array())
-		{
-			if(top)
-			{
-				for(auto &item : j)
-				{
-					// Note we only handle a single top level array, to
-					// avoid excessive recursion.
-					if(! parse_k8s_audit_json(item, evts, false))
-					{
-						return false;
-					}
-				}
-
-				return true;
-			}
-			else
-			{
-				return false;
-			}
-		}
-
-		// If the kind is EventList, split it into individual events
-		if(j.value("kind", "<NA>") == "EventList")
-		{
-			for(auto &je : j["items"])
-			{
-				evts.emplace_back();
-				je["kind"] = "Event";
-
-				uint64_t ns = 0;
-				if(!sinsp_utils::parse_iso_8601_utc_string(je.value(k8s_audit_time, "<NA>"), ns))
-				{
-					return false;
-				}
-
-				std::string tmp;
-				sinsp_utils::ts_to_string(ns, &tmp, false, true);
-
-				evts.back().set_jevt(je, ns);
-			}
-
-			return true;
-		}
-		else if(j.value("kind", "<NA>") == "Event")
-		{
-			evts.emplace_back();
-			uint64_t ns = 0;
-			if(!sinsp_utils::parse_iso_8601_utc_string(j.value(k8s_audit_time, "<NA>"), ns))
-			{
-				return false;
-			}
-
-			evts.back().set_jevt(j, ns);
-			return true;
-		}
-		else
-		{
-			return false;
-		}
-	}
-	catch(exception &e)
-	{
-		return false;
-	}
-}
-
-unique_ptr<falco_engine::rule_result> falco_engine::process_k8s_audit_event(json_event *ev)
-{
-	return process_k8s_audit_event(ev, m_default_ruleset_id);
-}
-
 void falco_engine::describe_rule(string *rule)
 {
 	return m_rules->describe_rule(rule);