Add k8s deployment yaml files for audit purpose only

[benjaminhuo]

Signed-off-by: Benjamin benjamin@yunify.com

What type of PR is this?

/kind cleanup
/kind documentation

Any specific area of the project related to this PR?

/area integrations

What this PR does / why we need it:

DaemonSet is more than enough for just monitoring k8s audit event, a deployment should be enough.

Which issue(s) this PR fixes:

Fixes #725

Special notes for your reviewer:

Does this PR introduce a user-facing change?:
Yes

Deployment YAML files for Kubernetes Audit only purpose.

[benjaminhuo]

/assign @mstemm

[leodido]

Thanks for sending this PR, really appreciated! 🤗

A few initial observations.

Currently we have integrations/k8s-using-daemonset directory.
The integrations directory probably needs a re-organization.
Just to be in pair with the current structure can we put this integration under integrations/k8s-using-deployment?

Furthermore atm I think that falco-k8s-audit.yaml config file is not something that have to be in the root of the source.

[benjaminhuo]

Thanks for sending this PR, really appreciated! 🤗

A few initial observations.

Currently we have integrations/k8s-using-daemonset directory.
The integrations directory probably needs a re-organization.
Just to be in pair with the current structure can we put this integration under integrations/k8s-using-deployment?

Furthermore atm I think that falco-k8s-audit.yaml config file is not something that have to be in the root of the source.

I've made corresponding changes per your suggestions.
One more question, I tried to remove more options from falco.yaml for k8s audit only but I'm not sure which options I should remove and would like to know your suggestions :)

Maybe syscall_event_drops section should be removed and syslog_output could be set to false?

[fntlnz]

@mfdii PTAL

[leodido]

/hold

blocked by #730

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[fntlnz]

I think that this can now be accomplished since #730 had been done (but not released yet).
@benjaminhuo let me know if you need assistance with it.

[benjaminhuo]

@fntlnz I've modified my PR to add the new --disable-source flag and removed some extra config and rule files.

Would you help to review this ?

Thanks
Ben

[fntlnz]

Looking again! 👀

/assign @fntlnz
/assign @leodido

[fntlnz]

Thanks for doing this! Just a couple of nits then we are good to go!

[fntlnz]

ok @benjaminhuo we are just waiting for you to accept the renaming changes then we can merge this!

[leodido]

Can you pick the suggestions or give us access to our fork?

In that way we could edit this PR and merge it! :)

[benjaminhuo]

@leodido @fntlnz , Sorry I missed your comments and I've accepted the change now.

Regards,
Ben

[benjaminhuo]

I've merged your suggestions and force pushed the new changes

[leodido]

🎉

[poiana]

LGTM label has been added.

Git tree hash: 6ab2904d1126e329e76904da8d5d9f49a57821ff

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leodido]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[leodido]

/hold cancel