kubernetes-response-engine
kubernetes-response-engine copied to clipboard
falcosecurity-retire
Subscribing to multiple issues when deploying a playbook to GKE fails
Due to the join method being used in the deploy_playbook_gke script, it is not possible to deploy a function with multiple subscriptions.
The current implementation uses commas as delimiters for both the dictionary containing environment variables, and the subscribed_alerts themselves. This results in an incorrect split happening between the multiple subscriptions, which causes the script to crash.
To replicate just use multiple -s tags, ie:
$ ./deploy_playbook_gke -p delete -t falco-alerts -s falco.notice.terminal_shell_in_container -s falco.info.* -k <cluster_name> -z <gcloud_zone> -n <gcloud_project>
To fix this issue I suggest changing the join function to
function join { local d=$1; shift; echo -n "$1"; shift; printf "%s" "${@/#/$d}"; }
And then you can use multiple characters for each delimiter, which will allow you to use two commas to separate env variables, and one comma to separate subscriptions.
I'll submit a PR with this functionality and link it below.
PR with fix: https://github.com/falcosecurity/kubernetes-response-engine/pull/5
I fix this adding ^:^ and : in the --set-env-vars in the gcloud functions command. --set-env-vars=^:^"$(join : ${environment[@]})"
I hope it helps
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale