From b66c3a2d45faa6beb4a237d2c9484fbd5e61d581 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patryk=20Ma=C5=82ek?=
Date: Tue, 13 Oct 2020 19:32:13 +0200
Subject: [PATCH] Add known k8s api callers to vagrant values.yaml and bump falco chart to 1.5.0
---
deploy/helm/sumologic/requirements.yaml | 2 +-
vagrant/values.yaml | 28 +++++++++++++++++++++++++
2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/deploy/helm/sumologic/requirements.yaml b/deploy/helm/sumologic/requirements.yaml
index 1589913096..8a4e7d3beb 100644
--- a/deploy/helm/sumologic/requirements.yaml
+++ b/deploy/helm/sumologic/requirements.yaml
@@ -9,7 +9,7 @@ dependencies:
alias: prometheus-operator
condition: prometheus-operator.enabled,sumologic.metrics.enabled - name: falco
- version: 1.4.0
+ version: 1.5.0
repository: https://falcosecurity.github.io/charts
condition: falco.enabled - name: metrics-server
diff --git a/vagrant/values.yaml b/vagrant/values.yaml
index 3eb1ffa1f2..4140fc6231 100644
--- a/vagrant/values.yaml
+++ b/vagrant/values.yaml
@@ -29,3 +29,31 @@ sumologic:
telegraf-operator:
enabled: true
replicaCount: 1
+
+falco:
+ enabled: true
+ customRules:
+ # Mark the following as known k8s api callers:
+ # * fluentd and its plugins
+ # * grafana sidecar
+ # * terraform provider started in setup job
+ # * telegraf operator
+ # * kube state metrics server
+ # * prometheus
+ # * prometheus operator
+ rules_user_known_k8s_api_callers.yaml: |-
+ - macro: user_known_contact_k8s_api_server_activities
+ condition: >
+ (proc.pcmdline = "fluentd /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins") or
+ (proc.cmdline = "fluentd /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins") or
+ (proc.cmdline = "ruby -Eascii-8bit:ascii-8bit /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins --under-supervisor") or
+ (proc.cmdline = "event_loop -Eascii-8bit:ascii-8bit /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins --under-supervisor") or
+ (proc.cmdline = "watch_endpoints -Eascii-8bit:ascii-8bit /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins --under-supervisor") or
+ (proc.cmdline = "watch_events -Eascii-8bit:ascii-8bit /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins --under-supervisor") or
+ (proc.cmdline = "filter_kuberne* /usr/local/bundle/bin/fluentd -c /fluentd/etc/fluent.conf -p /fluentd/plugins") or
+ (proc.cmdline = "python -u /app/sidecar.py") or
+ (proc.cmdline startswith "terraform-provi") or
+ (proc.cmdline startswith "manager --telegraf-default-class=sumologic-prometheus --telegraf-classes-directory=/etc/telegraf-operator --enable-default-internal-plugin --telegraf-image=docker.io/library/telegraf") or
+ (proc.cmdline startswith "kube-state-metr") or
+ (proc.cmdline startswith "prometheus") or
+ (proc.cmdline startswith "operator")
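Review bot: The `startswith "prometheus"` and `startswith "operator"` entries at the end of the macro are prefix matches on the whole command line, so any process in any container whose argv begins with those words is exempted from the Falco k8s-API-server rule, not only the intended prometheus and prometheus-operator pods; `startswith "terraform-provi"` and the long `manager ...` entry are broad in the same way. Tie each broad entry to the workload with a second field, e.g. `(proc.cmdline startswith "operator" and container.image.repository = "<prometheus-operator image>")` or a `k8s.ns.name` check, so the exemption cannot be claimed by an arbitrary container that picks a matching process name. The `proc.cmdline = "filter_kuberne* ..."` line mixes a glob-looking `*` with the `=` operator; if `=` is an exact comparison as in the surrounding lines, that entry never matches and should use `startswith` like its neighbours. A short comment above `- macro:` stating that this override is meant for the vagrant environment only, and why the first fluentd entry uses `proc.pcmdline` rather than `proc.cmdline`, would help the next maintainer judge the scope of the whitelist.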