From 42fcc7291ffae85c93b7fe4b87efda7d6a28c7d2 Mon Sep 17 00:00:00 2001 From: Jason Dellaluce Date: Wed, 23 Mar 2022 13:35:31 +0000 Subject: [PATCH] refactor(userspace/falco): remove k8s audit references from falco Signed-off-by: Jason Dellaluce --- userspace/engine/json_evt.h | 2 +- userspace/engine/rule_loader.cpp | 12 +-- .../falco/app_actions/init_falco_engine.cpp | 13 +--- .../falco/app_actions/open_inspector.cpp | 47 +----------- .../falco/app_actions/process_events.cpp | 73 ++++--------------- .../falco/app_actions/start_webserver.cpp | 3 +- userspace/falco/app_cmdline_options.cpp | 6 +- userspace/falco/application.cpp | 3 +- userspace/falco/application.h | 7 +- userspace/falco/configuration.cpp | 2 - userspace/falco/configuration.h | 1 - userspace/falco/falco_outputs.cpp | 20 +---- userspace/falco/falco_outputs.h | 1 - 13 files changed, 34 insertions(+), 156 deletions(-) diff --git a/userspace/engine/json_evt.h b/userspace/engine/json_evt.h index 4c18a8e8..aa84f4ea 100644 --- a/userspace/engine/json_evt.h +++ b/userspace/engine/json_evt.h @@ -48,7 +48,7 @@ public: inline uint16_t get_type() const { // All k8s audit events have the single tag "1". - see falco_engine::process_k8s_audit_event - return 1; + return ppm_event_type::PPME_PLUGINEVENT_E; } protected: diff --git a/userspace/engine/rule_loader.cpp b/userspace/engine/rule_loader.cpp index d2d74275..1d0a5785 100644 --- a/userspace/engine/rule_loader.cpp +++ b/userspace/engine/rule_loader.cpp @@ -721,7 +721,7 @@ void rule_loader::compile_rule_infos( } // populate set of event types and emit an special warning - set evttypes; + set evttypes = { ppm_event_type::PPME_PLUGINEVENT_E }; if(rule.source == falco_common::syscall_source) { filter_evttype_resolver().evttypes(ast, evttypes); 
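Review bot: The comment on the context line directly above the changed `return` still says all k8s audit events have the single tag "1" and refers the reader to falco_engine::process_k8s_audit_event, while the new line returns `ppm_event_type::PPME_PLUGINEVENT_E`. Since this commit removes the k8s audit path, that pointer now leads nowhere; replace it with a comment that explains the new value, e.g. `// Report the plugin event type: JSON events are routed like plugin events.`, adjusted if that is not the intent. The enum value is also converted implicitly to the `uint16_t` return type; `return static_cast<uint16_t>(ppm_event_type::PPME_PLUGINEVENT_E);` makes the narrowing explicit.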
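Review bot: `evttypes` is now seeded with `ppm_event_type::PPME_PLUGINEVENT_E` before the `rule.source == falco_common::syscall_source` branch calls `filter_evttype_resolver().evttypes(ast, evttypes)`; if that call inserts into the set rather than replacing its contents, every syscall rule is also registered for the plugin event type, which the previous empty initialization avoided. The per-source assignment that set the plugin value only for non-syscall sources is the `else` branch deleted in the following hunk at -734, so nothing downstream corrects the set. Whether the resolver clears the set first is not visible here, so please confirm; if it appends, leave `evttypes` default-constructed here and assign `{ ppm_event_type::PPME_PLUGINEVENT_E }` only when the source is not syscall. compile_rule_infos continues outside this hunk.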
@@ -734,16 +734,6 @@ void rule_loader::compile_rule_infos( + " This has a significant performance penalty."); } } - else if (rule.source == "k8s_audit") - { - // todo(jasondellaluce): remove this case once k8saudit - // gets ported to a plugin - evttypes = { ppm_event_type::PPME_GENERIC_X }; - } - else - { - evttypes = { ppm_event_type::PPME_PLUGINEVENT_E }; - } // add rule and its filter in the engine cfg.engine->add_filter(filter, rule.name, rule.source, evttypes, rule.tags); diff --git a/userspace/falco/app_actions/init_falco_engine.cpp b/userspace/falco/app_actions/init_falco_engine.cpp index b1e571da..def756a4 100644 --- a/userspace/falco/app_actions/init_falco_engine.cpp +++ b/userspace/falco/app_actions/init_falco_engine.cpp 
@@ -56,24 +56,19 @@ application::run_result application::init_falco_engine() configure_output_format(); - // Create "factories" that can create filters/formatters for - // syscalls and k8s audit events. + // Create "factories" that can create filters/formatters for syscalls // libs requires raw pointer, we should modify libs to use reference/shared_ptr std::shared_ptr syscall_filter_factory(new sinsp_filter_factory(m_state->inspector.get())); - std::shared_ptr k8s_audit_filter_factory(new json_event_filter_factory()); // libs requires raw pointer, we should modify libs to use reference/shared_ptr std::shared_ptr syscall_formatter_factory(new sinsp_evt_formatter_factory(m_state->inspector.get())); - std::shared_ptr k8s_audit_formatter_factory(new json_event_formatter_factory(k8s_audit_filter_factory)); m_state->syscall_source_idx = m_state->engine->add_source(application::s_syscall_source, syscall_filter_factory, syscall_formatter_factory); - m_state->k8s_audit_source_idx = m_state->engine->add_source(application::s_k8s_audit_source, k8s_audit_filter_factory, k8s_audit_formatter_factory); - + if(m_state->config->m_json_output) { syscall_formatter_factory->set_output_format(gen_event_formatter::OF_JSON); - k8s_audit_formatter_factory->set_output_format(gen_event_formatter::OF_JSON); } for(const auto &src : m_options.disable_sources) @@ -81,10 +76,10 @@ application::run_result application::init_falco_engine() m_state->enabled_sources.erase(src); } - // XXX/mstemm technically this isn't right, you could disable syscall *and* k8s_audit and configure a plugin. + // todo(jasondellaluce,leogr): change this once we attain multiple active source if(m_state->enabled_sources.empty()) { - throw std::invalid_argument("The event source \"syscall\" and \"k8s_audit\" can not be disabled together"); + throw std::invalid_argument("At least one event source needs to be enabled"); } m_state->engine->set_min_priority(m_state->config->m_min_priority); 
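Review bot: The `for(const auto &src : m_options.disable_sources)` loop at the end of the first hunk erases names from `enabled_sources` without checking the result, so the new `At least one event source needs to be enabled` check in the second hunk is the only validation the disable list gets, and a misspelled `--disable-source` value is silently ignored while the operator believes that source is off. Consider reporting a name that is not in the set, e.g. `if(m_state->enabled_sources.erase(src) == 0) { falco_logger::log(LOG_WARNING, "Unknown event source \"" + src + "\" in --disable-source\n"); }`. The line added right after the `add_source` call in the first hunk appears to contain only whitespace (an empty line removed and a blank re-added); it should be an empty line or dropped. init_falco_engine extends beyond both hunks.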
diff --git a/userspace/falco/app_actions/open_inspector.cpp b/userspace/falco/app_actions/open_inspector.cpp index f5137f9f..55266ea5 100644 --- a/userspace/falco/app_actions/open_inspector.cpp +++ b/userspace/falco/app_actions/open_inspector.cpp @@ -38,46 +38,10 @@ application::run_result application::open_inspector() } catch(sinsp_exception &e) { - falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + m_options.trace_filename + "\": " + string(e.what())); - m_state->trace_is_scap=false; - } - - if(!m_state->trace_is_scap) - { -#ifdef MINIMAL_BUILD ret.success = false; - ret.errstr = "Cannot use k8s audit events trace file with a minimal Falco build"; + ret.errstr = std::string("Could not open trace filename ") + m_options.trace_filename + " for reading: " + e.what(); ret.proceed = false; return ret; -#else - try { - string line; - nlohmann::json j; - - // Note we only temporarily open the file here. - // The read file read loop will be later. - ifstream ifs(m_options.trace_filename); - getline(ifs, line); - j = nlohmann::json::parse(line); - - falco_logger::log(LOG_INFO, "Reading k8s audit events from file: " + m_options.trace_filename + "\n"); - } - catch (nlohmann::json::parse_error& e) - { - ret.success = false; - ret.errstr = std::string("Trace filename ") + m_options.trace_filename + " not recognized as system call events or k8s audit events"; - ret.proceed = false; - return ret; - - } - catch (exception &e) - { - ret.success = false; - ret.errstr = std::string("Could not open trace filename ") + m_options.trace_filename + " for reading: " + e.what(); - ret.proceed = false; - return ret; - } -#endif } } else 
@@ -101,19 +65,14 @@ application::run_result application::open_inspector() open_t open_f; // Default mode: both event sources enabled - if (m_state->enabled_sources.find(application::s_syscall_source) != m_state->enabled_sources.end() && - m_state->enabled_sources.find(application::s_k8s_audit_source) != m_state->enabled_sources.end()) + if (m_state->enabled_sources.find(application::s_syscall_source) != m_state->enabled_sources.end()) { open_f = open_cb; } - if (m_state->enabled_sources.find(application::s_syscall_source) == m_state->enabled_sources.end()) + else { open_f = open_nodriver_cb; } - if (m_state->enabled_sources.find(application::s_k8s_audit_source) == m_state->enabled_sources.end()) - { - open_f = open_cb; - } try { diff --git a/userspace/falco/app_actions/process_events.cpp b/userspace/falco/app_actions/process_events.cpp index 64dcb128..eb183e27 100644 --- a/userspace/falco/app_actions/process_events.cpp +++ b/userspace/falco/app_actions/process_events.cpp @@ -31,35 +31,6 @@ limitations under the License. using namespace falco::app; -#ifndef MINIMAL_BUILD -// Read a jsonl file containing k8s audit events and pass each to the engine. -void application::read_k8s_audit_trace_file(string &trace_filename) -{ - ifstream ifs(trace_filename); - - uint64_t line_num = 0; - - while(ifs) - { - string line, errstr; - - getline(ifs, line); - line_num++; - - if(line == "") - { - continue; - } - - if(!k8s_audit_handler::accept_data(m_state->engine, m_state->outputs, m_state->k8s_audit_source_idx, line, errstr)) - { - falco_logger::log(LOG_ERR, "Could not read k8s audit event line #" + to_string(line_num) + ", \"" + line + "\": " + errstr + ", stopping"); - return; - } - } -} -#endif - // // Event processing loop // 
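Review bot: The context comment `// Default mode: both event sources enabled` above the new `if` is now wrong: the new condition selects `open_cb` when the syscall source is enabled and `open_nodriver_cb` otherwise, and only one built-in source remains. Update it to describe the new rule, e.g. `// Open the driver only when the syscall source is enabled; otherwise run without a driver.`. open_inspector begins before this hunk and continues after it.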
@@ -214,36 +185,24 @@ application::run_result application::process_events() duration = ((double)clock()) / CLOCKS_PER_SEC; - if(!m_options.trace_filename.empty() && !m_state->trace_is_scap) + uint64_t num_evts = do_inspect(sdropmgr, + uint64_t(m_options.duration_to_tot*ONE_SECOND_IN_NS), + ret); + + duration = ((double)clock()) / CLOCKS_PER_SEC - duration; + + m_state->inspector->get_capture_stats(&cstats); + + if(m_options.verbose) { -#ifndef MINIMAL_BUILD - read_k8s_audit_trace_file(m_options.trace_filename); -#endif - } - else - { - uint64_t num_evts; - - num_evts = do_inspect(sdropmgr, - uint64_t(m_options.duration_to_tot*ONE_SECOND_IN_NS), - ret); - - duration = ((double)clock()) / CLOCKS_PER_SEC - duration; - - m_state->inspector->get_capture_stats(&cstats); - - if(m_options.verbose) - { - fprintf(stderr, "Driver Events:%" PRIu64 "\nDriver Drops:%" PRIu64 "\n", - cstats.n_evts, - cstats.n_drops); - - fprintf(stderr, "Elapsed time: %.3lf, Captured Events: %" PRIu64 ", %.2lf eps\n", - duration, - num_evts, - num_evts / duration); - } + fprintf(stderr, "Driver Events:%" PRIu64 "\nDriver Drops:%" PRIu64 "\n", + cstats.n_evts, + cstats.n_drops); + fprintf(stderr, "Elapsed time: %.3lf, Captured Events: %" PRIu64 ", %.2lf eps\n", + duration, + num_evts, + num_evts / duration); } // Honor -M also when using a trace file. diff --git a/userspace/falco/app_actions/start_webserver.cpp b/userspace/falco/app_actions/start_webserver.cpp index f63d0b21..62cd895c 100644 --- a/userspace/falco/app_actions/start_webserver.cpp +++ b/userspace/falco/app_actions/start_webserver.cpp 
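Review bot: In the re-indented verbose block, `num_evts / duration` uses a `duration` derived from two `clock()` readings, so a run that finishes within the clock resolution yields `duration == 0.0` and prints `inf` (or `nan` for zero events) as the eps figure; guard it, e.g. `duration > 0.0 ? num_evts / duration : 0.0`. While these lines are being rewritten, the two `((double)clock()) / CLOCKS_PER_SEC` expressions use C-style casts; `static_cast<double>(clock())` is the idiomatic form. Note also that `clock()` reports processor time rather than wall-clock time, which the "Elapsed time" label suggests; a short comment stating that would avoid misreading the figure. process_events continues outside this hunk on both sides.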
@@ -26,11 +26,10 @@ application::run_result application::start_webserver() { run_result ret; - if(m_options.trace_filename.empty() && m_state->config->m_webserver_enabled && m_state->enabled_sources.find(application::s_k8s_audit_source) != m_state->enabled_sources.end()) + if(m_state->config->m_webserver_enabled) { std::string ssl_option = (m_state->config->m_webserver_ssl_enabled ? " (SSL)" : ""); falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(m_state->config->m_webserver_listen_port) + ssl_option + "\n"); - m_state->webserver.init(m_state->config, m_state->engine, m_state->outputs, m_state->k8s_audit_source_idx); m_state->webserver.start(); } diff --git a/userspace/falco/app_cmdline_options.cpp b/userspace/falco/app_cmdline_options.cpp index 2bdaba7d..4855305b 100644 --- a/userspace/falco/app_cmdline_options.cpp +++ b/userspace/falco/app_cmdline_options.cpp 
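Review bot: The new condition drops not only the k8s_audit check but also the `m_options.trace_filename.empty()` guard, so the webserver is now started when Falco replays a trace file with `-e`, a mode that previously opened no listening socket. If widening the listener to replay runs is intended, the commit message should say so; otherwise keep `if(m_options.trace_filename.empty() && m_state->config->m_webserver_enabled)`. Removing the `m_state->webserver.init(...)` call leaves `m_state->webserver.start()` as the only call on the webserver in this function; please confirm the listener is configured elsewhere before `start()`. start_webserver continues outside this hunk.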
@@ -160,9 +160,9 @@ void cmdline_options::define() ("cri", "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "") ("d,daemon", "Run as a daemon.", cxxopts::value(daemon)->default_value("false")) ("disable-cri-async", "Disable asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false")) - ("disable-source", "Disable a specific event source. Available event sources are: syscall, k8s_audit, or any source from a configured source plugin. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "") + ("disable-source", "Disable a specific event source. Available event sources are: syscall or any source from a configured source plugin. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "") ("D", "Disable any rules with names having the substring . Can be specified multiple times. Can not be specified with -t.", cxxopts::value(disabled_rule_substrings), "") - ("e", "Read the events from (in .scap format for sinsp events, or jsonl for k8s audit events) instead of tapping into live.", cxxopts::value(trace_filename), "") + ("e", "Read the events from in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "") ("i", "Print all events that are ignored by default (i.e. 
without the -A flag) and exit.", cxxopts::value(print_ignored_events)->default_value("false")) #ifndef MINIMAL_BUILD ("k,k8s-api", "Enable Kubernetes support by connecting to the API server specified as argument. E.g. \"http://admin:password@127.0.0.1:8080\". The API server can also be specified via the environment variable FALCO_K8S_API.", cxxopts::value(k8s_api), "") @@ -171,7 +171,7 @@ void cmdline_options::define() #endif ("L", "Show the name and description of all rules and exit.", cxxopts::value(describe_all_rules)->default_value("false")) ("l", "Show the name and description of the rule with name and exit.", cxxopts::value(describe_rule), "") - ("list", "List all defined fields. If is provided, only list those fields for the source . Current values for are \"syscall\", \"k8s_audit\", or any source from a configured source plugin.", cxxopts::value(list_source_fields)->implicit_value(""), "") + ("list", "List all defined fields. If is provided, only list those fields for the source . Current values for are \"syscall\" or any source from a configured source plugin.", cxxopts::value(list_source_fields)->implicit_value(""), "") ("list-syscall-events", "List all defined system call events.", cxxopts::value(list_syscall_events)) #ifndef MUSL_OPTIMIZED ("list-plugins", "Print info on all loaded plugins and exit.", cxxopts::value(list_plugins)->default_value("false")) diff --git a/userspace/falco/application.cpp b/userspace/falco/application.cpp index 8296e432..ed12314c 100644 --- a/userspace/falco/application.cpp +++ b/userspace/falco/application.cpp @@ -30,7 +30,6 @@ namespace falco { namespace app { std::string application::s_syscall_source = falco_common::syscall_source; -std::string application::s_k8s_audit_source = "k8s_audit"; application::run_result::run_result() : success(true), errstr(""), proceed(true) 
@@ -45,7 +44,7 @@ application::state::state() : restart(false), terminate(false), reopen_outputs(false), - enabled_sources({application::s_syscall_source, application::s_k8s_audit_source}), + enabled_sources({application::s_syscall_source}), trace_is_scap(true) { config = std::make_shared(); diff --git a/userspace/falco/application.h b/userspace/falco/application.h index 4e022c08..1a3f17d4 100644 --- a/userspace/falco/application.h +++ b/userspace/falco/application.h @@ -53,7 +53,6 @@ public: private: static std::string s_syscall_source; - static std::string s_k8s_audit_source; // Holds the state used and shared by the below methods that // actually implement the application. Declared as a @@ -75,10 +74,8 @@ private: std::shared_ptr inspector; std::set enabled_sources; - // The event sources that correspond to "syscalls" and - // "k8s_audit events". + // The event sources that correspond to "syscall" std::size_t syscall_source_idx; - std::size_t k8s_audit_source_idx; // The event source actually used to process events in // process_events(). Will generally be @@ -99,7 +96,6 @@ private: std::string cmdline; - bool trace_is_scap; #ifndef MINIMAL_BUILD falco::grpc::server grpc_server; std::thread grpc_server_thread; @@ -164,7 +160,6 @@ private: void configure_output_format(); void check_for_ignored_events(); void print_all_ignored_events(); - void read_k8s_audit_trace_file(string &trace_filename); uint64_t do_inspect(syscall_evt_drop_mgr &sdropmgr, uint64_t duration_to_tot_ns, run_result &result); diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp index b2647b38..a0686dd9 100644 --- a/userspace/falco/configuration.cpp +++ b/userspace/falco/configuration.cpp 
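Review bot: The `application::state` constructor keeps `trace_is_scap(true)` in its initializer list (context line of the hunk at -45 in application.cpp), while the hunk at -99 in application.h deletes the `bool trace_is_scap;` member, and this patch also removes the write to it in open_inspector.cpp and the read in process_events.cpp. Unless the member is still declared somewhere not shown, the initializer now names a non-existent member and the translation unit will not compile; remove `trace_is_scap(true)` and the trailing comma on the preceding `enabled_sources({application::s_syscall_source}),` line. In the application.h hunk at -75, the comment `// The event sources that correspond to "syscall"` now describes a single index; `// The event source index that corresponds to "syscall"` reads better.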
@@ -36,7 +36,6 @@ falco_configuration::falco_configuration(): m_time_format_iso_8601(false), m_webserver_enabled(false), m_webserver_listen_port(8765), - m_webserver_k8s_audit_endpoint("/k8s-audit"), m_webserver_k8s_healthz_endpoint("/healthz"), m_webserver_ssl_enabled(false), m_config(NULL) @@ -203,7 +202,6 @@ void falco_configuration::init(string conf_filename, const vector &cmdli m_webserver_enabled = m_config->get_scalar("webserver.enabled", false); m_webserver_listen_port = m_config->get_scalar("webserver.listen_port", 8765); - m_webserver_k8s_audit_endpoint = m_config->get_scalar("webserver.k8s_audit_endpoint", "/k8s-audit"); m_webserver_k8s_healthz_endpoint = m_config->get_scalar("webserver.k8s_healthz_endpoint", "/healthz"); m_webserver_ssl_enabled = m_config->get_scalar("webserver.ssl_enabled", false); m_webserver_ssl_certificate = m_config->get_scalar("webserver.ssl_certificate", "/etc/falco/falco.pem"); diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h index a44ff11b..97a81320 100644 --- a/userspace/falco/configuration.h +++ b/userspace/falco/configuration.h @@ -245,7 +245,6 @@ public: bool m_webserver_enabled; uint32_t m_webserver_listen_port; - std::string m_webserver_k8s_audit_endpoint; std::string m_webserver_k8s_healthz_endpoint; bool m_webserver_ssl_enabled; std::string m_webserver_ssl_certificate; diff --git a/userspace/falco/falco_outputs.cpp b/userspace/falco/falco_outputs.cpp index bc3e55db..a6f2994a 100644 --- a/userspace/falco/falco_outputs.cpp +++ b/userspace/falco/falco_outputs.cpp 
@@ -155,27 +155,13 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source, cmsg.rule = rule; string sformat; - if(source != "k8s_audit") + if(m_time_format_iso_8601) { - if(m_time_format_iso_8601) - { - sformat = "*%evt.time.iso8601: "; - } - else - { - sformat = "*%evt.time: "; - } + sformat = "*%evt.time.iso8601: "; } else { - if(m_time_format_iso_8601) - { - sformat = "*%jevt.time.iso8601: "; - } - else - { - sformat = "*%jevt.time: "; - } + sformat = "*%evt.time: "; } sformat += falco_common::format_priority(priority); diff --git a/userspace/falco/falco_outputs.h b/userspace/falco/falco_outputs.h index 2440e748..83e9fa5e 100644 --- a/userspace/falco/falco_outputs.h +++ b/userspace/falco/falco_outputs.h @@ -20,7 +20,6 @@ limitations under the License. #include #include "gen_filter.h" -#include "json_evt.h" #include "falco_common.h" #include "token_bucket.h" #include "falco_engine.h"
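Review bot: With the `source != "k8s_audit"` branch gone, `sformat` always starts with `%evt.time` or `%evt.time.iso8601`, which assumes every source whose events reach the outputs, plugin sources included, resolves the `evt.time` fields; a comment above `if(m_time_format_iso_8601)` recording that assumption would help the next person who adds a source, e.g. `// evt.time is expected to resolve for every source that reaches the outputs, plugins included.`. The `source` parameter from the signature in the hunk header no longer takes part in this selection; if it is not read elsewhere in handle_event, which extends beyond this hunk, it becomes an unused parameter, and in any case `string &source` could be `const string &source`.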