github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-31 14:20:04 +00:00
Code Issues Projects Releases Wiki Activity
4,834 Commits 119 Branches 173 Tags
test/wip
Commit Graph

271 Commits

Author SHA1 Message Date
Mark Stemm
6488ea8456 (WIP) K8s Deployment to run event generator w k8s_audit 
Add a deployment yaml that allows running the event generator in a k8s
cluster:

 - Change the event generator to create/delete objects in a namespace
   "falco-eg-sandbox" instead of "falco-event-generator". That way you
   separate the generator from the resources it modifies (mostly, the
   exception being the rolebinding).
 - Create a serviceaccount, clusterrole, and rolebinding that allows the
   event generator to create/list/delete objects in the falco-eg-sandbox
   namespace. The list of permissions is fairly broad mostly so the
   event generator can delete all resources without explicitly naming
   them. The binding does limit permissions to the falco-eg-sandbox
   namespace, though.

A one-line way to run this would be:

kubectl create namespace falco-event-generator && \
  kubectl create namespace falco-eg-sandbox && \
  kubectl apply -f event-generator-role-rolebinding-serviceaccount.yaml && \
  kubectl apply -f event-generator-k8saudit-deployment.yaml

I haven't actually pushed a new docker image to replace the current
event generator yet--the deployment yaml refers to a placeholder
falcosecurity/falco-event-generator:eg-sandbox image. Once the review is
done I'll rebase this to change the image to latest before merging.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-03-12 13:12:40 +01:00
Mark Stemm
3fd67aa5c3 K8s Daemonset to run event generator w/ syscalls 
Add a Daemonset yaml that allows running the falco event generator on
syscalls. It will run on any non-master node.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-03-12 13:12:40 +01:00
Leonardo Di Donato
de5cd1ce6f update(docker): latest or explicit FALCO_VERSION for docker images via docker build argument 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-03-10 20:46:52 +01:00
Lorenzo Fontana
941313b1f1 fix(docker/minimal): untar of downloaded falco package 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-03-06 11:53:28 +01:00
Leonardo Di Donato
272bb59df4 update(docker): reorganize docker images with build arguments 
Using the VERSION_BUCKET build arguments at docker build time users can now choose from which Falco version to build them.

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-28 17:32:38 +01:00
Lorenzo Fontana
e9b5b815da new(docker/dev): update local dockerfile to use our own repositories 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-02-28 17:32:38 +01:00
Lorenzo Fontana
4e3a279e47 new(docker): update local to use our own repositories 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-02-28 17:32:38 +01:00
Lorenzo Fontana
9d6c714bdf update(docker/stable): use the new debian packages infrastructure 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-02-28 17:32:38 +01:00
Leonardo Di Donato
d6ed1ca39a fix(docker): falcosecurity sources list 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-28 17:32:38 +01:00
Leonardo Di Donato
5cdca39ae6 update(docker/stable): use the falcosecurity deb repo 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-28 17:32:38 +01:00
Leonardo Di Donato
1ec2f2cea3 update(docker/minimal): download falco binary 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-28 17:32:38 +01:00
Leonardo Di Donato
dfdd9693fc update(docker): slim images to use falcosecurity new repo and new GPG key 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-28 17:32:38 +01:00
Leonardo Di Donato
8415576097 update(docker/rhel): using the new falcosecurity repo and falcosecurity GPG key 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-28 17:32:38 +01:00
Leonardo Di Donato
b59e4b6072 chore(docker,cmake,scripts): correct maintainers email 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-28 17:32:38 +01:00
Leonardo Di Donato
2a739364d6 fix(docker): fix symbolic linking for /usrc/src inside docker images entrypoint 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-02-26 10:02:24 +01:00
Adrián Arroyo Calle
bcfc1fc9ff fix: indentation 
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
 2020-02-26 10:02:24 +01:00
Adrián Arroyo Calle
3eb634d49f fix: entrypoint now uses base path 
Signed-off-by: Adrián Arroyo Calle <adrian.arroyocalle@gmail.com>
 2020-02-26 10:02:24 +01:00
Kris Nova
9eeed5912b Updating falco:local 
- Using `debian:stable` for the local image as well

Signed-off-by: Kris Nova <kris@nivenly.com>
 2020-02-25 13:21:23 +01:00
Kris Nova
5c294bacc7 Fixing falco:stable image 
- Updating stable image to pull from `debian:stable`
 - Updating maintainer label in all Dockerfiles to include `LABEL maintainer="cncf-falco-dev@lists.cncf.io"`

Signed-off-by: Kris Nova <kris@nivenly.com>
 2020-02-25 13:21:23 +01:00
rajibmitra
d77080a8c2 update: changelog 0.20.0 
Signed-off-by: rajibmitra <fiorm.github@gmail.com>
 2020-02-24 11:05:15 +01:00
Leonardo Di Donato
a1d6a4762e fix(docker/minimal): libyaml 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-24 11:53:02 +01:00
Leonardo Di Donato
24549e163a update(docker): switch to 0.19.0 
Co-authored-by: Lorenzo Fontana <fontanalorenzo@me.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:32:47 +01:00
Leonardo Di Donato
f3dcacea5b fix(docker/tester): share rules and trace files with docker test runners 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:04:39 +01:00
Leonardo Di Donato
cf803759ef fix(docker/tester): falco-tester does not have to check for docker/local anymore 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:04:39 +01:00
Leonardo Di Donato
347b581d95 chore: cleanup docker test runners 
Co-Authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
c96248e4fc chore(integration): libyaml in tester docker file for deb packages 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
c7b8d6123a chore(integration): add dkms to docker test deb runner 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
46181a7336 update(integration): rpm tester docker image 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
6bd4c3a041 update(integration): falco tester entrypoint 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Lorenzo Fontana
6d737c1def new(integration): docker deb runner 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-23 15:04:39 +01:00
Leonardo Di Donato
12a86d33ef fix(docker/builder): add llvm toolset back to falco-builder 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
55364405aa chore(docker/builder): remove unneded layer 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
077fbea0a7 update(docker/builder): back to centos:7 as base image 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-21 12:51:50 +01:00
Leonardo Di Donato
182c07a31f update: force deps to always use the system openssl 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-20 13:59:24 +01:00
Leonardo Di Donato
77d23d2cc6 update(docker/tester): switch to fedora:31 
Co-Authored-By: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
521c3198bd build(docker/builder): vanilla CentOS 8 for the builder 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
56885f8810 build(docker/tester): remove openssl compat libraries 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Leonardo Di Donato
9a3c98d93b fix(docker/local): adding libyaml 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
d8c21ef837 build(docker/tester): rename prepare artifacts step 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
b8335b510d build: falco tester automatic version 
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Leonardo Di Donato
eef9c8c8e1 update(docker/builder): having a sibling sysdig deps directory is no 
more needed

Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
50af72c393 build(docker/builder): adapt entrypoint to the new dependencies 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Lorenzo Fontana
f567172bff update(docker/builder): install build dependencies in builder 
Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>
 2020-01-17 19:09:31 +01:00
Mark Stemm
09cdc857c1 Fix compile warnings 
Noticed these while compiling in the latest alpine image.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-01-15 09:35:28 +01:00
Mark Stemm
c3f7d15e26 Add k8s audit support to falco event generator 
Currently, the falco event generator only generates system call
activity. This adds support for k8s_audit events by adding a script +
supporting k8s object files that generate activity that matches the k8s
audit event ruleset.

The main script is k8s_event_generator.sh, which loops over the files in
the yaml subdirectory, running kubectl apply -f for each.

In the interests of keeping things self-contained, all objects are
created in a `falco-event-generator` namespace. This means that some
activity related with cluster roles/cluster role bindings is not
performed.

Each k8s object has annotations that note:

1. The specific falco rules that should trigger.
2. A user-friendly message to print when apply-ing the file.

You can provide a specific rule name to the script. If provided, only
those objects related to that rule will trigger. The default is "all",
meaning that all objects are created.

The script loops forever, deleting the falco-event-generator namespace
after each iteration.

Additionally, the docker image has been updated to also copy the script
+ supporting files, as well as fetching the latest available `kubectl`
binary. The entrypoint is now a script that allows choosing between:
 - syscall activity: run with .... "syscall"
 - k8s_audit activity: run with .... "k8s_audit"
 - spawn a shell: run with .... "bash"

The default is "syscall" to preserve existing behavior.

In most cases, you'll need to provide kube config
files/directories that allow access to your cluster. A
command like the following will work:

```
docker run -v $HOME/.kube:/root/.kube -it falcosecurity/falco-event-generator
k8s_audit
```

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
 2020-01-15 09:35:28 +01:00
Leonardo Di Donato
28fa4a72e8 docs(docker/builder): usage reports clang version too 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 13:04:23 +01:00
Leonardo Di Donato
ac4f089903 update(docker/builder): add llvm-toolset-7 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-12-13 13:04:23 +01:00
Leonardo Di Donato
a200d17581 chore: improving naming 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-11-14 10:00:36 -08:00
Leonardo Di Donato
514d8bacc3 update(docker): introduce SKIP_MODULE_LOAD env variable 
Co-authored-by: Lorenzo Fontana <lo@linux.com>
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-11-14 10:00:36 -08:00
Leonardo Di Donato
3e9ebfb354 fix(docker): adapt dockerfiles to HOST_ROOT env var 
Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
 2019-11-14 10:00:36 -08:00