new actionner kubernetes:sysdig #566

Merged
merged 3 commits into from
Jan 21, 2025
Merged
45 changes: 26 additions & 19 deletions actionners/actionners.go
Expand Up @@ -31,6 +31,7 @@ import (
k8sLog "github.com/falcosecurity/falco-talon/actionners/kubernetes/log"
k8sNetworkpolicy "github.com/falcosecurity/falco-talon/actionners/kubernetes/networkpolicy"
k8sScript "github.com/falcosecurity/falco-talon/actionners/kubernetes/script"
k8sSysdig "github.com/falcosecurity/falco-talon/actionners/kubernetes/sysdig"
k8sTcpdump "github.com/falcosecurity/falco-talon/actionners/kubernetes/tcpdump"
k8sTerminate "github.com/falcosecurity/falco-talon/actionners/kubernetes/terminate"
"github.com/falcosecurity/falco-talon/configuration"
Expand Down Expand Up @@ -83,6 +84,7 @@ func ListDefaultActionners() *Actionners {
k8sDrain.Register(),
k8sDownload.Register(),
k8sTcpdump.Register(),
k8sSysdig.Register(),
lambdaInvoke.Register(),
gcpFunctionCall.Register(),
calicoNetworkpolicy.Register(),
Expand Down Expand Up @@ -110,7 +112,7 @@ func Init() error {
for _, actionner := range *defaultActionners {
if category == actionner.Information().Category {
if err := actionner.Init(); err != nil {
utils.PrintLog("error", utils.LogLine{Message: "init", Error: err.Error(), Category: actionner.Information().Category, Status: utils.FailureStr})
utils.PrintLog(utils.ErrorStr, utils.LogLine{Message: "init", Error: err.Error(), Category: actionner.Information().Category, Status: utils.FailureStr})
return err
}
enabledCategories[category] = true
Expand Down Expand Up @@ -174,15 +176,15 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve

if rule.DryRun == trueStr {
log.Output = "no action, dry-run is enabled"
utils.PrintLog("info", log)
utils.PrintLog(utils.InfoStr, log)
return err
}

actionner := actionners.FindActionner(action.GetActionner())
if actionner == nil {
log.Status = utils.FailureStr
log.Error = fmt.Sprintf("unknown actionner '%v'", action.GetActionner())
utils.PrintLog("error", log)
utils.PrintLog(utils.ErrorStr, log)
return fmt.Errorf("unknown actionner '%v'", action.GetActionner())
}

Expand All @@ -192,7 +194,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
if err2 := actionner.Checks(event, action); err2 != nil {
log.Status = utils.FailureStr
log.Error = err2.Error()
utils.PrintLog("error", log)
utils.PrintLog(utils.ErrorStr, log)
span.SetStatus(codes.Error, err2.Error())
span.RecordError(err2)
span.End()
Expand Down Expand Up @@ -223,6 +225,11 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
trace.WithAttributes(attribute.String("actionner.name", action.GetActionnerName())),
)
defer span.End()

logP := log
logP.Status = utils.InProgressStr
utils.PrintLog(utils.InfoStr, logP)

result, data, err := actionner.Run(event, action)
span.SetAttributes(attribute.String("action.result", result.Status))
span.SetAttributes(attribute.String("action.output", result.Output))
Expand Down Expand Up @@ -255,15 +262,15 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
log.Error = err.Error()
span.SetStatus(codes.Error, err.Error())
span.RecordError(err)
utils.PrintLog("error", log)
utils.PrintLog(utils.ErrorStr, log)
go notifiers.Notify(actx, rule, action, event, log)
return err
}
log.Status = utils.SuccessStr
span.AddEvent(result.Output)
span.SetStatus(codes.Ok, "action successfully completed")

utils.PrintLog("info", log)
utils.PrintLog(utils.InfoStr, log)
go notifiers.Notify(actx, rule, action, event, log)

if actionner.Information().RequireOutput {
Expand All @@ -280,7 +287,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
logO.Status = utils.FailureStr
logO.Error = err.Error()
logO.OutputTarget = "n/a"
utils.PrintLog("error", logO)
utils.PrintLog(utils.ErrorStr, logO)
metrics.IncreaseCounter(logO)
span.SetStatus(codes.Error, err.Error())
span.RecordError(err)
Expand All @@ -293,7 +300,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
err = fmt.Errorf("empty output")
logO.Status = utils.FailureStr
logO.Error = err.Error()
utils.PrintLog("error", logO)
utils.PrintLog(utils.ErrorStr, logO)
metrics.IncreaseCounter(logO)
span.SetStatus(codes.Error, err.Error())
span.RecordError(err)
Expand All @@ -309,7 +316,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
logO.Status = utils.FailureStr
logO.OutputTarget = target
logO.Error = err.Error()
utils.PrintLog("error", logO)
utils.PrintLog(utils.ErrorStr, logO)
metrics.IncreaseCounter(logO)
span.SetAttributes(attribute.String("output.target", target))
span.SetStatus(codes.Error, err.Error())
Expand All @@ -329,7 +336,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
if err2 := o.Checks(output); err2 != nil {
logO.Status = utils.FailureStr
logO.Error = err2.Error()
utils.PrintLog("error", logO)
utils.PrintLog(utils.ErrorStr, logO)
metrics.IncreaseCounter(logO)
span.SetStatus(codes.Error, err2.Error())
span.RecordError(err2)
Expand All @@ -355,7 +362,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve

if err != nil {
logO.Error = err.Error()
utils.PrintLog("error", logO)
utils.PrintLog(utils.ErrorStr, logO)
span.SetStatus(codes.Error, err.Error())
span.RecordError(err)
go notifiers.Notify(octx, rule, action, event, logO)
Expand All @@ -365,7 +372,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
span.SetStatus(codes.Ok, "output successfully completed")
span.AddEvent(result.Output)

utils.PrintLog("info", logO)
utils.PrintLog(utils.InfoStr, logO)
go notifiers.Notify(octx, rule, action, event, logO)
span.End()
return nil
Expand All @@ -388,7 +395,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
logO.OutputTarget = target
logO.Status = utils.FailureStr
logO.Error = err.Error()
utils.PrintLog("error", logO)
utils.PrintLog(utils.ErrorStr, logO)
span.SetAttributes(attribute.String("output.target", target))
span.SetStatus(codes.Error, err.Error())
span.RecordError(err)
Expand All @@ -408,7 +415,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
err = fmt.Errorf("empty output")
logO.Status = utils.FailureStr
logO.Error = err.Error()
utils.PrintLog("error", logO)
utils.PrintLog(utils.ErrorStr, logO)
metrics.IncreaseCounter(logO)
span.SetStatus(codes.Error, err.Error())
span.RecordError(err)
Expand All @@ -434,7 +441,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve

if err != nil {
logO.Error = err.Error()
utils.PrintLog("error", logO)
utils.PrintLog(utils.ErrorStr, logO)
span.SetStatus(codes.Error, err.Error())
span.RecordError(err)
go notifiers.Notify(octx, rule, action, event, logO)
Expand All @@ -444,7 +451,7 @@ func runAction(mctx context.Context, rule *rules.Rule, action *rules.Action, eve
span.SetStatus(codes.Ok, "output successfully completed")
span.AddEvent(result.Output)

utils.PrintLog("info", logO)
utils.PrintLog(utils.InfoStr, logO)
go notifiers.Notify(octx, rule, action, event, logO)
span.End()
return nil
Expand Down Expand Up @@ -490,7 +497,7 @@ func StartConsumer(eventsC <-chan nats.MessageWithContext) {
}

if !config.PrintAllEvents {
utils.PrintLog("info", log)
utils.PrintLog(utils.InfoStr, log)
}

for _, i := range triggeredRules {
Expand All @@ -510,7 +517,7 @@ func StartConsumer(eventsC <-chan nats.MessageWithContext) {
span.SetStatus(codes.Ok, "match detected")
span.End()

utils.PrintLog("info", log)
utils.PrintLog(utils.InfoStr, log)
metrics.IncreaseCounter(log)

for _, a := range i.GetActions() {
Expand All @@ -531,7 +538,7 @@ func StartConsumer(eventsC <-chan nats.MessageWithContext) {
TraceID: e.TraceID,
Error: err.Error(),
}
utils.PrintLog("error", log)
utils.PrintLog(utils.ErrorStr, log)
if a.IgnoreErrors != trueStr {
break
}
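Review bot: The in-progress record added before `actionner.Run` (`logP := log`, `logP.Status = utils.InProgressStr`, `utils.PrintLog(utils.InfoStr, logP)`) appears to rely on `utils.LogLine` being a struct value so the copy keeps `InProgressStr` out of the final success/failure line, but nothing says so; a one-line comment such as `// copy: the in-progress status must not leak into the final log line` would make the intent explicit. Consumers that filter on `Status` will now see one extra `InProgressStr` record per action, and unlike the final record this one is not passed to `metrics.IncreaseCounter` or the notifiers, which looks deliberate but is not stated. The remaining lines of the hunk only swap the literal level strings for the `utils.*Str` constants. `runAction` starts and ends outside the hunk.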
8 changes: 4 additions & 4 deletions actionners/cilium/networkpolicy/networkpolicy.go
Expand Up @@ -80,11 +80,11 @@ rules:
actionner: cilium:networkpolicy
parameters:
allow_cidr:
- "192.168.1.0/24"
- "172.17.0.0/16"
- "192.168.1.0/24"
- "172.17.0.0/16"
allow_namespaces:
- "green-ns"
- "blue-ns"
- "green-ns"
- "blue-ns"
`
)

6 changes: 3 additions & 3 deletions actionners/gcp/function/function.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,16 +30,16 @@ const (
AllowOutput bool = false
RequireOutput bool = false
Permissions string = `{
"cloudfunctions.functions.get",
"cloudfunctions.functions.invoke"
"cloudfunctions.functions.get",
"cloudfunctions.functions.invoke"
}`
Example string = `- action: Invoke GCP Cloud Function
actionner: gcp:function
parameters:
gcp_function_name: sample-function
gcp_function_location: us-central1
gcp_function_timeout: 10
`
`
)

var (
2 changes: 1 addition & 1 deletion actionners/kubernetes/annotation/annotation.go
Expand Up @@ -23,7 +23,7 @@ const (
Name string = "annotation"
Category string = "kubernetes"
Description string = "Add, modify or delete the annotations of the pod/node"
Source string = "syscalls"
Source string = "syscalls, k8s_audit"
Continue bool = true
UseContext bool = false
AllowOutput bool = false
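Review bot: `Source string = "syscalls, k8s_audit"` packs two event sources into one comma-separated string, and the code that matches an event's source against this constant is not in this view; if that check compares `Source` with `==`, neither source will match any longer. Add a comment at the constant, `// Source: comma-separated list of Falco event sources this actionner handles`, and confirm the matcher splits on `", "` (with the space) rather than on `","`. The same change lands in cordon.go, drain.go, exec.go, label.go and log.go, and delete.go renames `k8saudit` to `k8s_audit`, so every source string now uses the underscore spelling that the matching code must also expect. The `const` block starts outside the hunk.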
2 changes: 1 addition & 1 deletion actionners/kubernetes/cordon/cordon.go
Expand Up @@ -19,7 +19,7 @@ const (
Name string = "cordon"
Category string = "kubernetes"
Description string = "Cordon a node"
Source string = "syscalls"
Source string = "syscalls, k8s_audit"
Continue bool = true
UseContext bool = false
AllowOutput bool = false
2 changes: 1 addition & 1 deletion actionners/kubernetes/delete/delete.go
Expand Up @@ -19,7 +19,7 @@ const (
Name string = "delete"
Category string = "kubernetes"
Description string = "Delete a resource"
Source string = "k8saudit"
Source string = "k8s_audit"
Continue bool = false
UseContext bool = false
AllowOutput bool = false
27 changes: 13 additions & 14 deletions actionners/kubernetes/drain/drain.go
@@ -1,7 +1,6 @@
package drain

import (
"context"
"fmt"
"sync"
"sync/atomic"
Expand All @@ -24,8 +23,8 @@ import (
const (
Name string = "drain"
Category string = "kubernetes"
Description string = "Drain a pod"
Source string = "syscalls"
Description string = "Drain a node"
Source string = "syscalls, k8s_audit"
Continue bool = true
UseContext bool = false
AllowOutput bool = false
Expand Down Expand Up @@ -119,7 +118,7 @@ func (a Actionner) Run(event *events.Event, action *rules.Action) (utils.LogLine
return a.RunWithClient(*client, event, action)
}

func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, action *rules.Action) (utils.LogLine, *models.Data, error) {
func (a Actionner) RunWithClient(client k8s.Client, event *events.Event, action *rules.Action) (utils.LogLine, *models.Data, error) {
podName := event.GetPodName()
namespace := event.GetNamespaceName()
objects := map[string]string{}
Expand Down Expand Up @@ -158,7 +157,7 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
nodeName := node.GetName()
objects["node"] = nodeName

pods, err := client.ListPods(context.Background(), metav1.ListOptions{
pods, err := client.ListPods(metav1.ListOptions{
FieldSelector: fmt.Sprintf("spec.nodeName=%s", nodeName),
})
if err != nil {
Expand Down Expand Up @@ -188,11 +187,11 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
case <-stopListingDone:
return
case <-ticker.C:
pods2, err2 := client.ListPods(context.Background(), metav1.ListOptions{
pods2, err2 := client.ListPods(metav1.ListOptions{
FieldSelector: fmt.Sprintf("spec.nodeName=%s", nodeName),
})
if err2 != nil {
utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error listing pods on node '%v': %v", nodeName, err2)})
utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error listing pods on node '%v': %v", nodeName, err2)})
continue
}

Expand Down Expand Up @@ -235,28 +234,28 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
case utils.ReplicaSetStr:
replicaSetName, err := k8s.GetOwnerName(p)
if err != nil {
utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error getting pod owner name: %v", err)})
utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error getting pod owner name: %v", err)})
atomic.AddInt32(&otherErrorsCount, 1)
return
}
if parameters.MinHealthyReplicas != "" {
replicaSet, err := client.GetReplicaSet(replicaSetName, p.Namespace)
if err != nil {
utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error getting replica set for pod '%v': %v", p.Name, err)})
utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error getting replica set for pod '%v': %v", p.Name, err)})
atomic.AddInt32(&otherErrorsCount, 1)
return
}
minHealthyReplicasValue, kind, err := helpers.ParseMinHealthyReplicas(parameters.MinHealthyReplicas)
if err != nil {
utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error parsing min_healthy_replicas: %v", err)})
utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error parsing min_healthy_replicas: %v", err)})
atomic.AddInt32(&otherErrorsCount, 1)
return
}
switch kind {
case "absolut":
healthyReplicasCount, err := k8s.GetHealthyReplicasCount(replicaSet)
if err != nil {
utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error getting health replicas count for pod '%v': %v", p.Name, err)})
utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error getting health replicas count for pod '%v': %v", p.Name, err)})
atomic.AddInt32(&otherErrorsCount, 1)
return
}
Expand All @@ -268,7 +267,7 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
healthyReplicasValue, err := k8s.GetHealthyReplicasCount(replicaSet)
minHealthyReplicasAbsoluteValue := int64(float64(minHealthyReplicasValue) / 100.0 * float64(healthyReplicasValue))
if err != nil {
utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error getting health replicas count for pod '%v': %v", p.Name, err)})
utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error getting health replicas count for pod '%v': %v", p.Name, err)})
atomic.AddInt32(&otherErrorsCount, 1)
return
}
Expand All @@ -281,7 +280,7 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
}

if err := client.EvictPod(p); err != nil {
utils.PrintLog("warning", utils.LogLine{Message: fmt.Sprintf("error evicting pod '%v': %v", p.Name, err)})
utils.PrintLog(utils.WarningStr, utils.LogLine{Message: fmt.Sprintf("error evicting pod '%v': %v", p.Name, err)})
atomic.AddInt32(&evictionErrorsCount, 1)
return
}
Expand All @@ -294,7 +293,7 @@ func (a Actionner) RunWithClient(client k8s.DrainClient, event *events.Event, ac
for {
select {
case <-timeout:
utils.PrintLog("error", utils.LogLine{Message: fmt.Sprintf("pod '%v' did not terminate within the max_wait_period", pod.Name)})
utils.PrintLog(utils.ErrorStr, utils.LogLine{Message: fmt.Sprintf("pod '%v' did not terminate within the max_wait_period", pod.Name)})
atomic.AddInt32(&evictionWaitPeriodErrorsCount, 1)
return

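Review bot: Dropping the `context.Background()` argument from `client.ListPods` (two call sites in the hunk, one inside the ticker loop) moves the request lifetime into `k8s.Client`, which is not visible here; if that client does not apply its own timeout, the periodic relisting has no deadline of its own while the drain waits on `max_wait_period`, so confirm and document it, e.g. `// ListPods applies the client's own context/timeout`. The `RunWithClient` parameter also changed from `k8s.DrainClient` to `k8s.Client`; if the former was a narrow interface used as a test seam, the substitution widens the dependency and is worth a sentence in the PR description. Unchanged but still in the hunk, the percentage branch computes `minHealthyReplicasAbsoluteValue` from `healthyReplicasValue` before checking `err`; moving that line below the `if err != nil { … return }` block avoids computing on a zero value. `RunWithClient` starts and ends outside the hunk.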
2 changes: 1 addition & 1 deletion actionners/kubernetes/exec/exec.go
Expand Up @@ -17,7 +17,7 @@ const (
Name string = "exec"
Category string = "kubernetes"
Description string = "Exec a command in a pod"
Source string = "syscalls"
Source string = "syscalls, k8s_audit"
Continue bool = true
UseContext bool = true
AllowOutput bool = false
2 changes: 1 addition & 1 deletion actionners/kubernetes/label/label.go
Expand Up @@ -23,7 +23,7 @@ const (
Name string = "label"
Category string = "kubernetes"
Description string = "Add, modify or delete the labels of the pod/node"
Source string = "syscalls"
Source string = "syscalls, k8s_audit"
Continue bool = true
UseContext bool = false
AllowOutput bool = false
2 changes: 1 addition & 1 deletion actionners/kubernetes/log/log.go
Expand Up @@ -20,7 +20,7 @@ const (
Name string = "log"
Category string = "kubernetes"
Description string = "Get logs from a pod"
Source string = "syscalls"
Source string = "syscalls, k8s_audit"
Continue bool = true
UseContext bool = false
AllowOutput bool = true