mirror of
https://github.com/falcosecurity/falco.git
synced 2026-04-05 19:42:21 +00:00
4c576f31f2
Currently, the json object POSTed to the /k8s_audit endpoint is assumed to be an obect, with a "type" of either "Event" or "EventList". When the K8s API Server POSTs events, it aggregates them into an EventList, ensuring that there is always a single object. However, we're going to add some intermediate tools that tail log files and send them to the endpoint, and the easiest way to send a batch of events is to pass them as a json array instead of a single object. To properly handle this, modify parse_k8s_audit_event_json to also handle a json array. For arrays, it iterates over the objects, calling parse_k8s_audit_json recursively. This only iterates an initial top level array to avoid excessive recursion/attacks involving degenerate json objects with excessively nested arrays. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
9.5 KiB
9.5 KiB