refactor(userspace/falco): remove k8s audit references from falco

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
2025-08-11 19:12:12 +00:00 · 2022-03-23 13:35:31 +00:00 · 2022-03-23 13:35:31 +00:00 · 42fcc7291f
commit 42fcc7291f
parent 21b127ef65
13 changed files with 34 additions and 156 deletions
--- a/userspace/engine/json_evt.h
+++ b/userspace/engine/json_evt.h
@ -48,7 +48,7 @@ public:
 	inline uint16_t get_type() const
 	{
 		// All k8s audit events have the single tag "1". - see falco_engine::process_k8s_audit_event
-		return 1;
+		return ppm_event_type::PPME_PLUGINEVENT_E;
 	}

 protected:
--- a/userspace/engine/rule_loader.cpp
+++ b/userspace/engine/rule_loader.cpp
@ -721,7 +721,7 @@ void rule_loader::compile_rule_infos(
 			}
 			
 			// populate set of event types and emit an special warning
-			set<uint16_t> evttypes;
+			set<uint16_t> evttypes = { ppm_event_type::PPME_PLUGINEVENT_E };
 			if(rule.source == falco_common::syscall_source)
 			{
 				filter_evttype_resolver().evttypes(ast, evttypes);
@ -734,16 +734,6 @@ void rule_loader::compile_rule_infos(
 						+ "    This has a significant performance penalty.");
 				}
 			}
-			else if (rule.source == "k8s_audit")
-			{
-				// todo(jasondellaluce): remove this case once k8saudit
-				// gets ported to a plugin
-				evttypes = { ppm_event_type::PPME_GENERIC_X };
-			}
-			else
-			{
-				evttypes = { ppm_event_type::PPME_PLUGINEVENT_E };
-			}

 			// add rule and its filter in the engine
 			cfg.engine->add_filter(filter, rule.name, rule.source, evttypes, rule.tags);
--- a/userspace/falco/app_actions/init_falco_engine.cpp
+++ b/userspace/falco/app_actions/init_falco_engine.cpp
@ -56,24 +56,19 @@ application::run_result application::init_falco_engine()

 	configure_output_format();

-	// Create "factories" that can create filters/formatters for
-	// syscalls and k8s audit events.
+	// Create "factories" that can create filters/formatters for syscalls

 	// libs requires raw pointer, we should modify libs to use reference/shared_ptr
 	std::shared_ptr<gen_event_filter_factory> syscall_filter_factory(new sinsp_filter_factory(m_state->inspector.get()));
-	std::shared_ptr<gen_event_filter_factory> k8s_audit_filter_factory(new json_event_filter_factory());

 	// libs requires raw pointer, we should modify libs to use reference/shared_ptr
 	std::shared_ptr<gen_event_formatter_factory> syscall_formatter_factory(new sinsp_evt_formatter_factory(m_state->inspector.get()));
-	std::shared_ptr<gen_event_formatter_factory> k8s_audit_formatter_factory(new json_event_formatter_factory(k8s_audit_filter_factory));

 	m_state->syscall_source_idx = m_state->engine->add_source(application::s_syscall_source, syscall_filter_factory, syscall_formatter_factory);
-	m_state->k8s_audit_source_idx = m_state->engine->add_source(application::s_k8s_audit_source, k8s_audit_filter_factory, k8s_audit_formatter_factory);
-
+	
 	if(m_state->config->m_json_output)
 	{
 		syscall_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
-		k8s_audit_formatter_factory->set_output_format(gen_event_formatter::OF_JSON);
 	}

 	for(const auto &src : m_options.disable_sources)
@ -81,10 +76,10 @@ application::run_result application::init_falco_engine()
 		m_state->enabled_sources.erase(src);
 	}

-	// XXX/mstemm technically this isn't right, you could disable syscall *and* k8s_audit and configure a plugin.
+	// todo(jasondellaluce,leogr): change this once we attain multiple active source
 	if(m_state->enabled_sources.empty())
 	{
-		throw std::invalid_argument("The event source \"syscall\" and \"k8s_audit\" can not be disabled together");
+		throw std::invalid_argument("At least one event source needs to be enabled");
 	}

 	m_state->engine->set_min_priority(m_state->config->m_min_priority);
--- a/userspace/falco/app_actions/open_inspector.cpp
+++ b/userspace/falco/app_actions/open_inspector.cpp
@ -38,46 +38,10 @@ application::run_result application::open_inspector()
 		}
 		catch(sinsp_exception &e)
 		{
-			falco_logger::log(LOG_DEBUG, "Could not read trace file \"" + m_options.trace_filename + "\": " + string(e.what()));
-			m_state->trace_is_scap=false;
-		}
-
-		if(!m_state->trace_is_scap)
-		{
-#ifdef MINIMAL_BUILD
 			ret.success = false;
-			ret.errstr = "Cannot use k8s audit events trace file with a minimal Falco build";
+			ret.errstr = std::string("Could not open trace filename ") + m_options.trace_filename + " for reading: " + e.what();
 			ret.proceed = false;
 			return ret;
-#else
-			try {
-				string line;
-				nlohmann::json j;
-
-				// Note we only temporarily open the file here.
-				// The read file read loop will be later.
-				ifstream ifs(m_options.trace_filename);
-				getline(ifs, line);
-				j = nlohmann::json::parse(line);
-
-				falco_logger::log(LOG_INFO, "Reading k8s audit events from file: " + m_options.trace_filename + "\n");
-			}
-			catch (nlohmann::json::parse_error& e)
-			{
-				ret.success = false;
-				ret.errstr = std::string("Trace filename ") + m_options.trace_filename + " not recognized as system call events or k8s audit events";
-				ret.proceed = false;
-				return ret;
-
-			}
-			catch (exception &e)
-			{
-				ret.success = false;
-				ret.errstr = std::string("Could not open trace filename ") + m_options.trace_filename + " for reading: " + e.what();
-				ret.proceed = false;
-				return ret;
-			}
-#endif
 		}
 	}
 	else
@ -101,19 +65,14 @@ application::run_result application::open_inspector()
 		open_t open_f;

 		// Default mode: both event sources enabled
-		if (m_state->enabled_sources.find(application::s_syscall_source) != m_state->enabled_sources.end() &&
-		    m_state->enabled_sources.find(application::s_k8s_audit_source) != m_state->enabled_sources.end())
+		if (m_state->enabled_sources.find(application::s_syscall_source) != m_state->enabled_sources.end())
 		{
 			open_f = open_cb;
 		}
-		if (m_state->enabled_sources.find(application::s_syscall_source) == m_state->enabled_sources.end())
+		else
 		{
 			open_f = open_nodriver_cb;
 		}
-		if (m_state->enabled_sources.find(application::s_k8s_audit_source) == m_state->enabled_sources.end())
-		{
-			open_f = open_cb;
-		}

 		try
 		{
--- a/userspace/falco/app_actions/process_events.cpp
+++ b/userspace/falco/app_actions/process_events.cpp
@ -31,35 +31,6 @@ limitations under the License.

 using namespace falco::app;

-#ifndef MINIMAL_BUILD
-// Read a jsonl file containing k8s audit events and pass each to the engine.
-void application::read_k8s_audit_trace_file(string &trace_filename)
-{
-	ifstream ifs(trace_filename);
-
-	uint64_t line_num = 0;
-
-	while(ifs)
-	{
-		string line, errstr;
-
-		getline(ifs, line);
-		line_num++;
-
-		if(line == "")
-		{
-			continue;
-		}
-
-		if(!k8s_audit_handler::accept_data(m_state->engine, m_state->outputs, m_state->k8s_audit_source_idx, line, errstr))
-		{
-			falco_logger::log(LOG_ERR, "Could not read k8s audit event line #" + to_string(line_num) + ", \"" + line + "\": " + errstr + ", stopping");
-			return;
-		}
-	}
-}
-#endif
-
 //
 // Event processing loop
 //
@ -214,36 +185,24 @@ application::run_result application::process_events()

 	duration = ((double)clock()) / CLOCKS_PER_SEC;

-	if(!m_options.trace_filename.empty() && !m_state->trace_is_scap)
+	uint64_t num_evts = do_inspect(sdropmgr,
+					uint64_t(m_options.duration_to_tot*ONE_SECOND_IN_NS),
+					ret);
+
+	duration = ((double)clock()) / CLOCKS_PER_SEC - duration;
+
+	m_state->inspector->get_capture_stats(&cstats);
+
+	if(m_options.verbose)
 	{
-#ifndef MINIMAL_BUILD
-		read_k8s_audit_trace_file(m_options.trace_filename);
-#endif
-	}
-	else
-	{
-		uint64_t num_evts;
-
-		num_evts = do_inspect(sdropmgr,
-				      uint64_t(m_options.duration_to_tot*ONE_SECOND_IN_NS),
-				      ret);
-
-		duration = ((double)clock()) / CLOCKS_PER_SEC - duration;
-
-		m_state->inspector->get_capture_stats(&cstats);
-
-		if(m_options.verbose)
-		{
-			fprintf(stderr, "Driver Events:%" PRIu64 "\nDriver Drops:%" PRIu64 "\n",
-				cstats.n_evts,
-				cstats.n_drops);
-
-			fprintf(stderr, "Elapsed time: %.3lf, Captured Events: %" PRIu64 ", %.2lf eps\n",
-				duration,
-				num_evts,
-				num_evts / duration);
-		}
+		fprintf(stderr, "Driver Events:%" PRIu64 "\nDriver Drops:%" PRIu64 "\n",
+			cstats.n_evts,
+			cstats.n_drops);

+		fprintf(stderr, "Elapsed time: %.3lf, Captured Events: %" PRIu64 ", %.2lf eps\n",
+			duration,
+			num_evts,
+			num_evts / duration);
 	}

 	// Honor -M also when using a trace file.
--- a/userspace/falco/app_actions/start_webserver.cpp
+++ b/userspace/falco/app_actions/start_webserver.cpp
@ -26,11 +26,10 @@ application::run_result application::start_webserver()
 {
 	run_result ret;

-	if(m_options.trace_filename.empty() && m_state->config->m_webserver_enabled && m_state->enabled_sources.find(application::s_k8s_audit_source) != m_state->enabled_sources.end())
+	if(m_state->config->m_webserver_enabled)
 	{
 		std::string ssl_option = (m_state->config->m_webserver_ssl_enabled ? " (SSL)" : "");
 		falco_logger::log(LOG_INFO, "Starting internal webserver, listening on port " + to_string(m_state->config->m_webserver_listen_port) + ssl_option + "\n");
-		m_state->webserver.init(m_state->config, m_state->engine, m_state->outputs, m_state->k8s_audit_source_idx);
 		m_state->webserver.start();
 	}

--- a/userspace/falco/app_cmdline_options.cpp
+++ b/userspace/falco/app_cmdline_options.cpp
@ -160,9 +160,9 @@ void cmdline_options::define()
 		("cri",                           "Path to CRI socket for container metadata. Use the specified socket to fetch data from a CRI-compatible runtime. If not specified, uses libs default. It can be passed multiple times to specify socket to be tried until a successful one is found.", cxxopts::value(cri_socket_paths), "<path>")
 		("d,daemon",                      "Run as a daemon.", cxxopts::value(daemon)->default_value("false"))
 		("disable-cri-async",             "Disable asynchronous CRI metadata fetching. This is useful to let the input event wait for the container metadata fetch to finish before moving forward. Async fetching, in some environments leads to empty fields for container metadata when the fetch is not fast enough to be completed asynchronously. This can have a performance penalty on your environment depending on the number of containers and the frequency at which they are created/started/stopped.", cxxopts::value(disable_cri_async)->default_value("false"))
-		("disable-source",                "Disable a specific event source. Available event sources are: syscall, k8s_audit, or any source from a configured source plugin. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "<event_source>")
+		("disable-source",                "Disable a specific event source. Available event sources are: syscall or any source from a configured source plugin. It can be passed multiple times. Can not disable all event sources.", cxxopts::value(disable_sources), "<event_source>")
 		("D",                             "Disable any rules with names having the substring <substring>. Can be specified multiple times. Can not be specified with -t.", cxxopts::value(disabled_rule_substrings), "<substring>")
-		("e",                             "Read the events from <events_file> (in .scap format for sinsp events, or jsonl for k8s audit events) instead of tapping into live.", cxxopts::value(trace_filename), "<events_file>")
+		("e",                             "Read the events from <events_file> in .scap format instead of tapping into live.", cxxopts::value(trace_filename), "<events_file>")
 		("i",                             "Print all events that are ignored by default (i.e. without the -A flag) and exit.", cxxopts::value(print_ignored_events)->default_value("false"))
 #ifndef MINIMAL_BUILD
 		("k,k8s-api",                     "Enable Kubernetes support by connecting to the API server specified as argument. E.g. \"http://admin:password@127.0.0.1:8080\". The API server can also be specified via the environment variable FALCO_K8S_API.", cxxopts::value(k8s_api), "<url>")
@ -171,7 +171,7 @@ void cmdline_options::define()
 #endif
 		("L",                             "Show the name and description of all rules and exit.", cxxopts::value(describe_all_rules)->default_value("false"))
 		("l",                             "Show the name and description of the rule with name <rule> and exit.", cxxopts::value(describe_rule), "<rule>")
-		("list",                          "List all defined fields. If <source> is provided, only list those fields for the source <source>. Current values for <source> are \"syscall\", \"k8s_audit\", or any source from a configured source plugin.", cxxopts::value(list_source_fields)->implicit_value(""), "<source>")
+		("list",                          "List all defined fields. If <source> is provided, only list those fields for the source <source>. Current values for <source> are \"syscall\" or any source from a configured source plugin.", cxxopts::value(list_source_fields)->implicit_value(""), "<source>")
 		("list-syscall-events",  		  "List all defined system call events.", cxxopts::value<bool>(list_syscall_events))
 #ifndef MUSL_OPTIMIZED
 		("list-plugins",                  "Print info on all loaded plugins and exit.", cxxopts::value(list_plugins)->default_value("false"))
--- a/userspace/falco/application.cpp
+++ b/userspace/falco/application.cpp
@ -30,7 +30,6 @@ namespace falco {
 namespace app {

 std::string application::s_syscall_source = falco_common::syscall_source;
-std::string application::s_k8s_audit_source = "k8s_audit";

 application::run_result::run_result()
 	: success(true), errstr(""), proceed(true)
@ -45,7 +44,7 @@ application::state::state()
 	: restart(false),
 	  terminate(false),
 	  reopen_outputs(false),
-	  enabled_sources({application::s_syscall_source, application::s_k8s_audit_source}),
+	  enabled_sources({application::s_syscall_source}),
 	  trace_is_scap(true)
 {
 	config = std::make_shared<falco_configuration>();
--- a/userspace/falco/application.h
+++ b/userspace/falco/application.h
@ -53,7 +53,6 @@ public:

 private:
 	static std::string s_syscall_source;
-	static std::string s_k8s_audit_source;

 	// Holds the state used and shared by the below methods that
 	// actually implement the application. Declared as a
@ -75,10 +74,8 @@ private:
 		std::shared_ptr<sinsp> inspector;
 		std::set<std::string> enabled_sources;

-		// The event sources that correspond to "syscalls" and
-		// "k8s_audit events".
+		// The event sources that correspond to "syscall"
 		std::size_t syscall_source_idx;
-		std::size_t k8s_audit_source_idx;

 		// The event source actually used to process events in
 		// process_events(). Will generally be
@ -99,7 +96,6 @@ private:

 		std::string cmdline;

-		bool trace_is_scap;
 #ifndef MINIMAL_BUILD
 		falco::grpc::server grpc_server;
 		std::thread grpc_server_thread;
@ -164,7 +160,6 @@ private:
 	void configure_output_format();
 	void check_for_ignored_events();
 	void print_all_ignored_events();
-	void read_k8s_audit_trace_file(string &trace_filename);
 	uint64_t do_inspect(syscall_evt_drop_mgr &sdropmgr,
 			    uint64_t duration_to_tot_ns,
 			    run_result &result);
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@ -36,7 +36,6 @@ falco_configuration::falco_configuration():
 	m_time_format_iso_8601(false),
 	m_webserver_enabled(false),
 	m_webserver_listen_port(8765),
-	m_webserver_k8s_audit_endpoint("/k8s-audit"),
 	m_webserver_k8s_healthz_endpoint("/healthz"),
 	m_webserver_ssl_enabled(false),
 	m_config(NULL)
@ -203,7 +202,6 @@ void falco_configuration::init(string conf_filename, const vector<string> &cmdli

 	m_webserver_enabled = m_config->get_scalar<bool>("webserver.enabled", false);
 	m_webserver_listen_port = m_config->get_scalar<uint32_t>("webserver.listen_port", 8765);
-	m_webserver_k8s_audit_endpoint = m_config->get_scalar<string>("webserver.k8s_audit_endpoint", "/k8s-audit");
 	m_webserver_k8s_healthz_endpoint = m_config->get_scalar<string>("webserver.k8s_healthz_endpoint", "/healthz");
 	m_webserver_ssl_enabled = m_config->get_scalar<bool>("webserver.ssl_enabled", false);
 	m_webserver_ssl_certificate = m_config->get_scalar<string>("webserver.ssl_certificate", "/etc/falco/falco.pem");
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@ -245,7 +245,6 @@ public:

 	bool m_webserver_enabled;
 	uint32_t m_webserver_listen_port;
-	std::string m_webserver_k8s_audit_endpoint;
 	std::string m_webserver_k8s_healthz_endpoint;
 	bool m_webserver_ssl_enabled;
 	std::string m_webserver_ssl_certificate;
--- a/userspace/falco/falco_outputs.cpp
+++ b/userspace/falco/falco_outputs.cpp
@ -155,27 +155,13 @@ void falco_outputs::handle_event(gen_event *evt, string &rule, string &source,
 	cmsg.rule = rule;

 	string sformat;
-	if(source != "k8s_audit")
+	if(m_time_format_iso_8601)
 	{
-		if(m_time_format_iso_8601)
-		{
-			sformat = "*%evt.time.iso8601: ";
-		}
-		else
-		{
-			sformat = "*%evt.time: ";
-		}
+		sformat = "*%evt.time.iso8601: ";
 	}
 	else
 	{
-		if(m_time_format_iso_8601)
-		{
-			sformat = "*%jevt.time.iso8601: ";
-		}
-		else
-		{
-			sformat = "*%jevt.time: ";
-		}
+		sformat = "*%evt.time: ";
 	}
 	sformat += falco_common::format_priority(priority);

--- a/userspace/falco/falco_outputs.h
+++ b/userspace/falco/falco_outputs.h
@ -20,7 +20,6 @@ limitations under the License.
 #include <map>

 #include "gen_filter.h"
-#include "json_evt.h"
 #include "falco_common.h"
 #include "token_bucket.h"
 #include "falco_engine.h"