compliantkubernetes-apps
falco - nginx-ingress alert
Describe the bug

Falco is generating the below ingress-nginx alerts on a test cluster setup:
```json
{"output":"19:08:45.554856659: Notice Disallowed inbound connection source (command=nginx-ingress-c --default-backend-service=ingress-nginx/ingress-nginx-default-backend --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key --watch-ingress-without-class=true connection=172.16.0.45:45370->10.243.152.88:10254 user=<NA> user_loginuid=-1 container_id=5cece image=sha256) k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-sxqtf container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller container=5cece","priority":"Notice","rule":"Unexpected inbound connection source","source":"syscall","tags":["network"],"time":"2022-08-06T19:08:45.554856659Z", "output_fields": {"container.id":"5cece","container.image.repository":"sha256","evt.time":1659812925554856659,"fd.name":"172.16.0.45:45370->10.243.152.88:10254","k8s.ns.name":"ingress-nginx","k8s.pod.name":"ingress-nginx-controller","proc.cmdline":"nginx-ingress-c --default-backend-service=ingress-nginx/ingress-nginx-default-backend --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key --watch-ingress-without-class=true","user.loginuid":-1,"user.name":null}}
{"output":"08:24:25.803340418: Notice Unexpected connection to K8s API Server from container (command=nginx-ingress-c --default-backend-service=ingress-nginx/ingress-nginx-default-backend --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key --watch-ingress-without-class=true k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 image=sha256:75bdf connection=10.244.66.56:36870->10.244.0.4:443) k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99 k8s.ns=ingress-nginx k8s.pod=ingress-nginx-controller-tf84f container=66cad4d99","priority":"Notice","rule":"Contact K8S API Server From Container","source":"syscall","tags":["container","k8s","mitre_discovery","network"],"time":"2022-08-11T08:24:25.803340418Z", "output_fields": {"container.id":"66cad4d99","container.image.repository":"sha256","container.image.tag":"75bdf78d9d67","evt.time":166020,"fd.name":"10.244.66.56:36870->10.244.0.4:443","k8s.ns.name":"ingress-nginx","k8s.pod.name":"ingress-nginx-controller-tf84f","proc.cmdline":"nginx-ingress-c --default-backend-service=ingress-nginx/ingress-nginx-default-backend --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=ingress-nginx/ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key --watch-ingress-without-class=true"}}
```
Expected behaviour

The alert is not triggered, or an exception is added if this is a known behaviour that does not affect our security.
Definition of Done
- wait until we complete the Falco v0.33 upgrade task
- check whether the alert is still present (check after 24h or 48h)
- if it is still there, investigate the issue and propose a solution
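If the investigation in the last step confirms the behaviour is expected, the outcome is a scoped Falco exception rather than a disabled rule. The override below is an added example, not part of this issue or of the compliantkubernetes-apps configuration. It assumes the deployed ruleset is Falco's default one, in which `Contact K8S API Server From Container` can be silenced through the `user_known_contact_k8s_api_server_activities` hook macro and `Unexpected inbound connection source` consults the `allowed_inbound_source_networks` list (both names should be checked against the ruleset version actually shipped after the v0.33 upgrade). The CIDRs are placeholders to be replaced with this cluster's node and pod ranges.

```yaml
# Added example override file (e.g. loaded as falco_rules.local.yaml after the
# default ruleset). Not from the issue or the compliantkubernetes-apps repo.
# Assumption: the default ruleset defines the hook macro and list redefined here.

# 1. "Contact K8S API Server From Container"
#    ingress-nginx must watch Ingress/Service/Endpoints objects, so its
#    connection to the API server (10.244.0.4:443 in the alert) is expected.
#    Redefining the macro replaces the default (never_true) hook.
#    Scope it by namespace, pod-name prefix and process name, not by image:
#    the alerts show the image referenced by digest, so Falco reports
#    container.image.repository="sha256", which is not selective.
#    proc.name is the kernel comm (15 chars), hence "nginx-ingress-c".
- macro: user_known_contact_k8s_api_server_activities
  condition: >
    (k8s.ns.name = "ingress-nginx" and
     k8s.pod.name startswith "ingress-nginx-controller" and
     proc.name = "nginx-ingress-c")

# 2. "Unexpected inbound connection source"
#    The inbound connection in the alert targets port 10254, the controller's
#    health/metrics endpoint, from an in-cluster address. Append the cluster's
#    own networks to the allow-list instead of disabling the rule, so inbound
#    connections from outside the cluster still alert.
#    PLACEHOLDER CIDRs: substitute the real node and pod networks.
- list: allowed_inbound_source_networks
  items: ['"172.16.0.0/16"', '"10.243.0.0/16"', '"10.244.0.0/16"']
  append: true
```

After loading the file, the check in the Definition of Done applies unchanged: both rules should stop firing for the `ingress-nginx-controller-*` pods over the 24h or 48h window, while a connection to the API server from any other container, or an inbound connection from an address outside the listed networks, continues to produce the same `Notice` events.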