Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Address rules fps may #1230

Merged
merged 5 commits into from
May 21, 2020
Merged

Address rules fps may #1230

merged 5 commits into from
May 21, 2020

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented May 20, 2020

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

rule(macro trusted_logging_images): Add addl fluentd image
rule(macro trusted_logging_images): Let azure-npm image write to /var/log
rule(macro lvprogs_writing_conf): Add lvs as a lvm program
rule(macro user_known_k8s_client_container): Allow hcp-tunnelfront to run kubectl in containers
rule(list allowed_k8s_users): Add vertical pod autoscaler as known k8s users

mstemm added 3 commits May 20, 2020 13:47
Openshift specific variant, example alert:

---
Log files were tampered (user=root command=fluentd /usr/bin/fluentd
--no-supervisor file=/var/log/journal.pos CID1 image=registry.redhat.io/openshift3/ose-logging-fluentd)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
…/log

"The Azure's NPM is a a daemonset that supports network policies as
defined by the Kubernetes policy specification."

Example event:

---
Log files were tampered (user=root command=azure-npm
file=/var/log/iptables.conf CID1 image=mcr.microsoft.com/containernetworking/azure-npm)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Example event. I'm pretty sure the full file in this case is /etc/lvm/cache:

---
File below /etc opened for writing (user=root command=lvs --noheadings
--readonly --separator=";" -a -o
lv_tags,lv_path,lv_name,vg_name,lv_uuid,lv_size parent=ceph-volume
pcmdline=ceph-volume /usr/sbin/ceph-volume inventory --format json file=/etc/lvm/c...
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

condition: >
(k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler) or
container.image=mcr.microsoft.com/aks/hcp/hcp-tunnel-front
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

container.image -> container.image.repository

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, fixed.

(k8s.ns.name="kube-system" and container.image.repository=k8s.gcr.io/fluentd-gcp-scaler) or
container.image=mcr.microsoft.com/aks/hcp/hcp-tunnel-front

- macro: user_known_k8s_client_container_parens
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this macro used by any rule?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh sorry, I was editing things and missed this. I wanted to replace the use of user_known_k8s_client_container in the rule's condition. Fixed.

@mstemm mstemm force-pushed the address-rules-fps-may branch from a9305c1 to 79dcf01 Compare May 20, 2020 23:29
mstemm added 2 commits May 20, 2020 16:33
…run kubectl in containers

https://stackoverflow.com/questions/50349586/what-is-hcp-tunnelfront

Example alert:

---
Docker or kubernetes client executed in container (user=root
parent=run-tunnel-fron cmdline=kubectl
--kubeconfig=/etc/kubernetes/kubeconfig/kubeconfig get secret
tunnelfront --namespace=kube-system --output json --ignore-not-found
image=mcr.microsoft.com/aks/hcp/hcp-tunnel-front)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
…s users

https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler

Example alert:
---
K8s Operation performed by user not in allowed list of
users (user=vpa-recommender target=vpa-recommender/endpoints verb=update
uri=core/v1/namespaces/kube-system/endpoints/vpa-recommender resp=200)

K8s Operation performed by user not in allowed list of
users (user=vpa-updater target=vpa-updater/endpoints verb=update
uri=core/v1/namespaces/kube-system/endpoints/vpa-updater resp=200)
---

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
@mstemm mstemm force-pushed the address-rules-fps-may branch from 79dcf01 to 048b33a Compare May 20, 2020 23:35
@poiana poiana added the lgtm label May 20, 2020
@poiana
Copy link
Contributor

poiana commented May 20, 2020

LGTM label has been added.

Git tree hash: 1673498b65fd0390f1e810c33b3683543507c84b

@poiana
Copy link
Contributor

poiana commented May 21, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, Kaizhe, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit d1c9aae into master May 21, 2020
@poiana poiana deleted the address-rules-fps-may branch May 21, 2020 08:58
@leodido leodido added this to the 0.24.0 milestone Jun 22, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants