rule update: modify rule to detect connection to K8S API Server from a container

[rung]

Signed-off-by: Hiroki Suezawa suezawa@gmail.com

What type of PR is this?
/kind rule-update

Any specific area of the project related to this PR?
/area rules

What this PR does / why we need it:

• What this PR does
  • Change default condition of "Contact K8S API Server From Container" rule
• Why we need it
  • To use this rule, Users have to set K8S API's IP address for every cluster now.
    • I want to use dynamic DNS resolution instead of manual IP address setting. By using updated rule, users can use this rule by default.
    • Ref: https://github.com/draios/sysdig/wiki/Domain-Name-Resolution-for-Connections

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

• Pod can access to K8S API using private ip address, so I stopped using "outbound" macro.
• K8S API might have global IP address too. but this rule detects connection to "kubernetes.default.svc.cluster.local" only.
  • "kubernetes.default.svc.cluster.local" is a name to Kubernetes API

  Pods can use the kubernetes.default.svc hostname to query the API server
  

  • Ref: https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/

Procedure and Trigger

1. Start a container
2. Connect K8S API (Trigger)

curl -k https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/

Does this PR introduce a user-facing change?:
NONE

rules(Contact K8S API Server From Container): now it can automatically resolve the cluster IP address 
rule(macro k8s_api_server): new macro to match the default k8s api server

[Kaizhe]

@rung can you post the output here as well with your changes?

[rung]

@Kaizhe
This is output of this rule.
I didn't change output. I changed rule and macro's condition.

Output sample

{"output":"05:35:37.855410748: Notice Unexpected connection to K8s API Server from container (command=curl -k https://10.70.0.1:443/api/ k8s.ns=default k8s.pod=ubuntu-9f765598b-jxwcd container=577c694601c8 image=ubuntu:latest connection=10.4.2.21:59880->10.70.0.1:443) k8s.ns=default k8s.pod=ubuntu-9f765598b-jxwcd container=577c694601c8 k8s.ns=default k8s.pod=ubuntu-9f765598b-jxwcd container=577c694601c8","priority":"Notice","rule":"Contact K8S API Server From Container","time":"2019-12-04T05:35:37.855410748Z", "output_fields": {"container.id":"577c694601c8","container.image.repository":"ubuntu","container.image.tag":"latest","evt.time":1575437737855410748,"fd.name":"10.4.2.21:59880->10.70.0.1:443","k8s.ns.name":"default","k8s.pod.name":"ubuntu-9f765598b-jxwcd","proc.cmdline":"curl -k https://10.70.0.1:443/api/"}}

[Kaizhe]

/lgtm

[poiana]

LGTM label has been added.

Git tree hash: 76c6c5d75e321f2f49c0f64fd9cf5bd6b6578c7f

[leodido]

/milestone 0.19.0

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, Kaizhe

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• rules/OWNERS [Kaizhe,fntlnz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fntlnz]

Thanks again @rung ! Good job as always!

[djsly]

Quick question, can we have a documentation on how we should add a list of pods that are allowed to talk to the API Server ?

we are getting > 50k alerts per 6 hours... where most of the communication are normal.