falco - nginx-ingress alert #1105

Closed
crssnd opened this issue Aug 9, 2022 · 2 comments
Labels
app/falco Falco - Intrusion Detection kind/investigation Investigating something new, should result in new issues and/or documentation

Comments

crssnd commented Aug 9, 2022

Describe the bug
Falco is generating the below ingress-nginx alerts on a test cluster setup:

{"output":"19:08:45.554856659: Notice Disallowed inbound connection source (command=nginx-ingress-c --default-backend-service=ingress-nginx/ingress-nginx-default-backend --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key --watch-ingress-without-class=true connection=172.16.0.45:45370->10.243.152.88:10254 user= user_loginuid=-1 container_id=5cece image=sha256) k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-sxqtf container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece","priority":"Notice","rule":"Unexpected inbound connection source","source":"syscall","tags":["network"],"time":"2022-08-06T19:08:45.554856659Z", "output_fields": {"container.id":"5cece","container.image.repository":"sha256","evt.time":1659812925554856659,"fd.name":"172.16.0.45:45370->10.243.152.88:10254","k8s.ns.name":"ingress-nginx","k8s.pod.name":"ingress-nginx-controller","proc.cmdline":"nginx-ingress-c --default-backend-service=ingress-nginx/ingress-nginx-default-backend --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key --watch-ingress-without-class=true","user.loginuid":-1,"user.name":null}}

{"output":"08:24:25.803340418: Notice Unexpected connection to K8s API Server from container (command=nginx-ingress-c --default-backend-service=ingress-nginx/ingress-nginx-default-backend --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key --watch-ingress-without-class=true k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 image=sha256:75bdf connection=10.244.66.56:36870->10.244.0.4:443) k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99","priority":"Notice","rule":"Contact K8S API Server From Container","source":"syscall","tags":["container","k8s","mitre_discovery","network"],"time":"2022-08-11T08:24:25.803340418Z", "output_fields": {"container.id":"66cad4d99","container.image.repository":"sha256","container.image.tag":"75bdf78d9d67","evt.time":166020,"fd.name":"10.244.66.56:36870->10.244.0.4:443","k8s.ns.name":"ingress-nginx","k8s.pod.name":"ingress-nginx-controller-tf84f","proc.cmdline":"nginx-ingress-c --default-backend-service=ingress-nginx/ingress-nginx-default-backend --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key --watch-ingress-without-class=true"}}

Expected behaviour
Alert not being triggered, or an exception added if it's a known behaviour that doesn't affect our security.

Definition of Done

  • wait until we complete the falco v0.33 upgrade task
  • check if the alert is still present (check after 24h or 48h)
  • if still there investigate the issue and propose a solution
@crssnd crssnd added the kind/investigation Investigating something new, should result in new issues and/or documentation label Aug 9, 2022
@crssnd crssnd added the app/falco Falco - Intrusion Detection label Aug 17, 2022
@ayoubeddafali
Did the Falco upgrade; alert not present after 60 hrs.

@ayoubeddafali
Seems like this rule has been disabled by default upstream (falcosecurity/falco#2168), in release 0.33 of Falco.
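
Added example, not code from this issue or from the Falco or ingress-nginx projects: a Falco local rules override that delivers the "exception added if it's a known behaviour" outcome asked for in the issue body, plus the entry you would use if your deployment wants a rule back after the upstream disable-by-default change mentioned in the last comment. The rule names are the ones printed in the "rule" field of the two alerts above; the namespace ingress-nginx and the process name nginx-ingress-c (the 15-character kernel truncation of nginx-ingress-controller, visible as the first token of %proc.cmdline in both alerts) are taken from those alerts; the exception names ingress_nginx_controller and ingress_nginx_healthz and the file path /etc/falco/falco_rules.local.yaml are my own choices. Port 10254, where the inbound connection in the first alert landed, is the ingress-nginx controller's default healthz/metrics port.

```yaml
# Added example: Falco local override file, e.g. /etc/falco/falco_rules.local.yaml
# (the path is an assumption; Falco loads whatever rules files falco.yaml lists).
# Not code from this issue or from the Falco / ingress-nginx projects.
#
# Assumptions taken from the alerts on this page, not from upstream rule files:
#   - the controller runs in namespace "ingress-nginx"
#   - its comm is "nginx-ingress-c", the 15-character kernel truncation of
#     nginx-ingress-controller that appears as the first token of %proc.cmdline
#   - the two rules still carry the names printed in the alerts' "rule" field
#
# Both alerts report container.image.repository as the literal "sha256", so an
# image-repository allowlist (the upstream k8s_containers macro) would never
# match this workload. The exceptions below therefore key on namespace and
# process name instead.

# 1) Scoped exception for API-server access: the controller must watch
#    Ingress/Service/Endpoints objects, so it will always talk to kube-apiserver.
#    "append: true" adds the exception to the upstream rule without copying it.
- rule: Contact K8S API Server From Container
  exceptions:
    - name: ingress_nginx_controller      # exception name is my own choice
      fields: [k8s.ns.name, proc.name]
      comps: [=, =]
      values:
        - [ingress-nginx, nginx-ingress-c]
  append: true

# 2) Scoped exception for the healthz/metrics listener: the inbound alert hit
#    port 10254, the controller's default --healthz-port (kubelet probes and
#    Prometheus scrapes). fd.sport is the server-side port of the accepted
#    connection. Inbound connections to any other port still trip the rule.
- rule: Unexpected inbound connection source
  exceptions:
    - name: ingress_nginx_healthz          # exception name is my own choice
      fields: [k8s.ns.name, proc.name, fd.sport]
      comps: [=, =, =]
      values:
        - [ingress-nginx, nginx-ingress-c, "10254"]
  append: true

# 3) Only if your Falco version ships one of these rules disabled by default and
#    you want it back: an entry carrying nothing but "enabled" toggles the rule.
#    Keep it as a separate entry from the append entries above.
- rule: Contact K8S API Server From Container
  enabled: true
```

Before reloading, validate the file with `falco -V /etc/falco/falco_rules.local.yaml` so a bad field name or a mismatch between `fields` and `comps` fails fast instead of silently dropping the rule. Two things a practitioner should check before accepting this: an exception keyed on a namespace and a comm name is only as trustworthy as control over that namespace, so it belongs next to RBAC or admission policy that stops arbitrary pods from being scheduled into ingress-nginx with a process renamed to nginx-ingress-c; and an exception is preferable to widening the shared k8s_containers macro, because the macro would also suppress the API-server rule for every other rule that reuses it.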
