Use deployment instead of daemonset for k8s audit #725

Closed
benjaminhuo opened this issue Jul 16, 2019 · 10 comments · Fixed by #729

Comments

@benjaminhuo
Contributor

What would you like to be added:
Use deployment instead of daemonset for k8s audit

Why is this needed:
A DaemonSet is more than enough for just monitoring k8s audit events; a deployment should be enough.
Just wondering if it's possible to use a deployment for k8s audit event monitoring with Falco?

@fntlnz
Contributor

fntlnz commented Jul 16, 2019

@benjaminhuo You are totally right; for those who only want to use audit events, using a deployment is enough.

It will require:

  • A specific YAML file for the deployment
  • Make clear in the docs that those who only want the audit should use that one
  • Make clear in the docs to only load rules for audit events, since syscalls will be from the current machine only

This would also open the point of whether we should make the syscall collection optional.

@benjaminhuo
Contributor Author

I'll see if I can help on this.

@benjaminhuo
Contributor Author

benjaminhuo commented Jul 18, 2019

I've created a PR for this.
When testing my PR, I found the error below if I remove the /host/xx mountpoints and hostPath volumes and then change the args to args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://$(KUBERNETES_SERVICE_HOST)", "-pk"].

So I have to add them back again. Just wondering how I can remove these safely?

kubectl logs falco-k8s-audit-745c7cbfdb-kp7wb 
* Setting up /usr/src links from host
ls: cannot access '/host/usr/src': No such file or directory
* Unloading falco-probe, if present
* Running dkms install for falco
Error! echo
Your kernel headers for kernel 4.4.0-148-generic cannot be found at
/lib/modules/4.4.0-148-generic/build or /lib/modules/4.4.0-148-generic/source.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/0.15.3/build/make.log
* Trying to load a system falco-probe, if present
* Trying to find precompiled falco-probe for 4.4.0-148-generic
Cannot find kernel config
Thu Jul 18 11:39:45 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Thu Jul 18 11:39:45 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Thu Jul 18 11:39:45 2019: Unable to load the driver. Exiting.
Thu Jul 18 11:39:45 2019: Runtime error: error opening device /host/dev/falco0. Make sure you have root credentials and that the falco-probe module is loaded.. Exiting.

@leodido
Member

leodido commented Jul 18, 2019

At the moment we cannot remove /host since Falco needs the module by default.

In fact we are in the process of providing a flag to disable this behaviour (#730).

@benjaminhuo
Contributor Author

A flag will be great to switch between these two features 👍

@fntlnz
Contributor

fntlnz commented Jul 18, 2019

Can't wait to see that flag in place, having only audits is a very common use case many people are reporting.

@fntlnz
Contributor

fntlnz commented Aug 21, 2019

This can be done now that #779 is in place!
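Added example, not part of the issue and not the Falco project's own manifest: what the audit-only Deployment discussed in this thread can look like once syscall collection can be skipped. It reuses the args posted on Jul 18 (-K token file, -k API server URL, -pk) and drops every hostPath volume, and it loads only the audit rules, as the requirements list above asks. The namespace, resource names and the serviceAccountName are constructed; the SKIP_MODULE_LOAD environment variable is an assumption about the knob #779 introduced, so check the release notes of the Falco version you run.

```yaml
# Added example (constructed names; SKIP_MODULE_LOAD is an assumed knob, see lead-in).
apiVersion: v1
kind: ConfigMap
metadata:
  name: falco-k8s-audit-config
  namespace: falco
data:
  falco.yaml: |
    # Only the audit rules: no driver is loaded, so syscall rules would never fire
    # and would only add noise to the pod log.
    rules_file:
      - /etc/falco/k8s_audit_rules.yaml
    json_output: true
    log_stderr: true
    log_syslog: false
    # The API server audit webhook POSTs events to this endpoint.
    webserver:
      enabled: true
      listen_port: 8765
      k8s_audit_endpoint: /k8s_audit
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: falco-k8s-audit
  namespace: falco
spec:
  replicas: 1
  selector:
    matchLabels:
      app: falco-k8s-audit
  template:
    metadata:
      labels:
        app: falco-k8s-audit
    spec:
      # Constructed name: a service account that may read cluster metadata.
      serviceAccountName: falco
      containers:
        - name: falco
          image: falcosecurity/falco:0.18.0
          args: ["/usr/bin/falco",
                 "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token",
                 "-k", "https://$(KUBERNETES_SERVICE_HOST)",
                 "-pk"]
          env:
            - name: SKIP_MODULE_LOAD   # assumption: skips the dkms/probe step in the entrypoint
              value: "1"
          ports:
            - name: audit
              containerPort: 8765
          # No privileged flag and no /host mounts: an audit-only pod needs neither
          # the kernel module nor the host filesystem, so it can run unprivileged.
          securityContext:
            privileged: false
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: config
              mountPath: /etc/falco/falco.yaml
              subPath: falco.yaml
      volumes:
        - name: config
          configMap:
            name: falco-k8s-audit-config
---
apiVersion: v1
kind: Service
metadata:
  name: falco-k8s-audit
  namespace: falco
spec:
  selector:
    app: falco-k8s-audit
  ports:
    - port: 8765
      targetPort: audit
```

The check after applying it is the pod log: if the "Unable to load the driver" and "error creating the process list" lines from the two logs in this thread are gone and only the rules-loading lines remain, the pod is running without the driver. The API server audit webhook configuration that points at the Service is cluster-side and is not shown here.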

@quanvuminh

quanvuminh commented Nov 8, 2019

I still got the error with the latest version (0.18.0). I used the same manifest here.

# kubectl logs falco-k8s-audit-5dd687df6b-4mvbr
* Setting up /usr/src links from host
ls: cannot access '/host/usr/src': No such file or directory
* Unloading falco-probe, if present
* Running dkms install for falco
Error! echo
Your kernel headers for kernel 4.9.0-5-amd64 cannot be found at
/lib/modules/4.9.0-5-amd64/build or /lib/modules/4.9.0-5-amd64/source.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/0.18.0/build/make.log
* Trying to load a system falco-probe, if present
* Trying to find precompiled falco-probe for 4.9.0-5-amd64
Cannot find kernel config
Fri Nov  8 04:32:04 2019: Falco initialized with configuration file /etc/falco/falco.yaml
Fri Nov  8 04:32:04 2019: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Fri Nov  8 04:32:04 2019: Unable to load the driver. Exiting.
Fri Nov  8 04:32:04 2019: Runtime error: error creating the process list. Make sure you have root credentials.. Exiting.

Please help.

@fntlnz
Contributor

fntlnz commented Nov 25, 2019

@quanvuminh can you please open your own issue with this? This particular work has been done, and it's easier for us to help you with a specific issue on that.

@quanvuminh

@fntlnz Thanks, I created a new issue: #936
