The falco-cluster-role ClusterRole is missing the watch privileges on resources in the apps API group #1064

Closed
JPLachance opened this issue Feb 26, 2020 · 0 comments · Fixed by #1136

@JPLachance

Describe the bug

In falco/integrations/k8s-using-daemonset/k8s-with-rbac/falco-account.yaml, we create a ClusterRole for the Falco ServiceAccount. I reviewed our kube audit logs and saw that Falco was getting an access denied on:

  • watch /apis/apps/v1/watch/deployments?pretty=false
  • watch /apis/apps/v1/watch/replicasets?pretty=false
  • watch /apis/apps/v1/watch/daemonsets?pretty=false

Falco tries those calls over and over again, which floods audit logs, and I'm quite sure Falco is not working as expected without that privilege.

How to reproduce it

Expected behaviour
Falco should not receive a 403.

Environment

  • Falco version: 0.18.0
  • System info: Ubuntu, EKS
  • Installation method: Kubernetes - EKS

Additional context

Please note that we also need to update the Helm chart.
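
The audit-log review described in this issue, as an added example that is not part of the original issue or of the Falco project's code: it counts 403 responses for one ServiceAccount in Kubernetes audit events and groups them into RBAC-style rule entries. The ServiceAccount name and the sample events are constructed assumptions; the field names follow the `audit.k8s.io/v1` Event schema.

```python
import json
from collections import defaultdict
SA = "system:serviceaccount:default:falco-account"  # assumed namespace and name


def _event(user, verb, group, resource, code):
    """Build one constructed audit.k8s.io/v1 event with only the fields read below."""
    return json.dumps({
        "apiVersion": "audit.k8s.io/v1", "kind": "Event", "verb": verb, "user": {"username": user},
        "responseStatus": {"code": code}, "objectRef": {"apiGroup": group, "resource": resource},
    })


# Constructed sample: repeated denied watches on the apps group, plus unrelated lines.
SAMPLE_AUDIT_LOG = "\n".join(
    [_event(SA, "watch", "apps", r, 403)
     for r in ("deployments", "replicasets", "daemonsets")] * 3
    + [_event(SA, "watch", "", "pods", 200),
       _event("system:serviceaccount:kube-system:other", "list", "apps", "deployments", 403),
       "truncated-line-not-json"]
)


def denied_requests(log_text, username):
    """Count 403 responses per (apiGroup, resource, verb) for one user."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        user = (ev.get("user") or {}).get("username")
        code = (ev.get("responseStatus") or {}).get("code")
        if user != username or code != 403:
            continue
        ref = ev.get("objectRef") or {}
        counts[(ref.get("apiGroup", ""), ref.get("resource", ""), ev.get("verb", ""))] += 1
    return dict(counts)


def missing_rules(denied):
    """Group denied tuples into one RBAC-style rule per (apiGroup, verb), no cross product."""
    grouped = defaultdict(set)
    for group, resource, verb in denied:
        grouped[(group, verb)].add(resource)
    return [{"apiGroups": [g], "resources": sorted(res), "verbs": [v]}
            for (g, v), res in sorted(grouped.items())]
```

Grouping per (apiGroup, verb) keeps the suggested rule limited to the exact verb and resource pairs that were denied, so the output can be compared line by line against the ClusterRole before widening it.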

JPLachance added a commit to JPLachance/falco that referenced this issue Apr 8, 2020
…es API group

Fixes falcosecurity#1064

Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>
poiana pushed a commit that referenced this issue Apr 16, 2020
…es API group

Fixes #1064

Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>