Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow json arrays k8s audit #967

Merged
merged 2 commits into from
Dec 17, 2019
Merged

Allow json arrays k8s audit #967

merged 2 commits into from
Dec 17, 2019

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Dec 10, 2019
edited by leodido
Loading

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind flaky-test

If contributing rules or changes to rules, please make sure to also uncomment one of the following line:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area examples

/area rules

/area integrations

/area tests

/area proposals

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

update: also allow POSTing JSON arrays containing k8s audit events to the k8s_audit endpoint.

@poiana poiana requested review from fntlnz and Kaizhe December 10, 2019 05:16
@mstemm mstemm requested a review from leodido December 10, 2019 05:17
mstemm added 2 commits December 9, 2019 21:17
@mstemm
Also allow json arrays of k8s audit evts
cda21d6 
Currently, the json object POSTed to the /k8s_audit endpoint is assumed
to be an obect, with a "type" of either "Event" or "EventList". When the
K8s API Server POSTs events, it aggregates them into an EventList,
ensuring that there is always a single object.

However, we're going to add some intermediate tools that tail log files
and send them to the endpoint, and the easiest way to send a batch of
events is to pass them as a json array instead of a single object.

To properly handle this, modify parse_k8s_audit_event_json to also
handle a json array. For arrays, it iterates over the objects, calling
parse_k8s_audit_json recursively. This only iterates an initial top
level array to avoid excessive recursion/attacks involving degenerate
json objects with excessively nested arrays.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
@mstemm
Don't rethrow exceptions in parse_k8s_audit_json
9c89484 
Callers aren't expected to catch execeptions and instead rely on the
bool return value to indicate whether or not the parsing was successful.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
@mstemm mstemm force-pushed the allow-json-arrays-k8s-audit branch from fe4c281 to 9c89484 Compare December 10, 2019 05:18
@mstemm
Copy link
Contributor Author

mstemm commented Dec 10, 2019

@leodido note that the second commit undoes a change you originally made in 723bc1c. I think we don't want callers to have to catch exceptions and can instead rely on the bool return value. Let me know what you think.

mstemm added a commit to draios/sysdig-cloud-scripts that referenced this pull request Dec 10, 2019
@mstemm
WIP on audit log forwarder, using fluent-bit
d69f3e5 
It turns out that openshift 4 does automatically make audit logs
available on the master node as a file by default, but it doesn't enable
dynamic audit sinks. Rather than change the api server config, which is
risky, instead deploy a helper daemonset that can read the api server
logs and send the contents to the agent's audit webhook.

We can probably used this for other k8s distributions as well.

This relies on a pending falco change
falcosecurity/falco#967.
mstemm added a commit to draios/sysdig-cloud-scripts that referenced this pull request Dec 10, 2019
@mstemm
Openshift 4.2 instructions
0e62546 
Openshift 4.2 is actually pretty easy, although you have to deploy a
helper log forwarder that runs on the api server, reads the existing
audit log, and forwards to the agent. Requires agent 0.95.0 or some
agent that has falcosecurity/falco#967.
@Kaizhe
Copy link
Contributor

Kaizhe commented Dec 11, 2019

/lgtm

@poiana poiana added the lgtm label Dec 11, 2019
@poiana
Copy link
Contributor

poiana commented Dec 11, 2019

LGTM label has been added.

Git tree hash: d9e88f77d5afec548301db11ae9ed48601c6a70e

leodido
leodido approved these changes Dec 13, 2019
View reviewed changes
Copy link
Member

@leodido leodido left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

@poiana
Copy link
Contributor

poiana commented Dec 13, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, Kaizhe, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mstemm mstemm merged commit c53df3a into dev Dec 17, 2019
@poiana poiana deleted the allow-json-arrays-k8s-audit branch December 17, 2019 01:00
@fntlnz fntlnz added this to the 0.19.0 milestone Jan 22, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fntlnz fntlnz fntlnz approved these changes

@Kaizhe Kaizhe Kaizhe approved these changes

@leodido leodido leodido approved these changes

Assignees

@leodido leodido

@Kaizhe Kaizhe

@fntlnz fntlnz

Labels
approved area/engine dco-signoff: yes kind/bug kind/feature lgtm release-note size/S
Projects
None yet
Milestone
0.19.0
Development

Successfully merging this pull request may close these issues.
5 participants
@mstemm @Kaizhe @poiana @leodido @fntlnz