falco icon indicating copy to clipboard operation
falco copied to clipboard
verified publisher icon falcosecurity

Add k8s.cluster.name as a field

Open c0ldb00t3r opened this issue 2 years ago • 7 comments

Feature Hi, If anyone is sending Falco logs from multiple clusters to a single dashboard like sidekick, it would be impossible to track where the alert came from based on only the namespace and container. I have the same request as @Donald-Sysdig. https://github.com/falcosecurity/falco/issues/423

Although the ticket was closed saying the field k8s namespace was added. But the feature is vastly different.

This will help a lot of teams manage alerts in a single dashboard.

c0ldb00t3r avatar Apr 08 '23 18:04 c0ldb00t3r

Same issue applies to me. We have 3 different eks clusters sending falco logs to same slack channel and it's a pain to get from which eks cluster the falco alerts are coming from.. Hopefully, this issue is given much attention.

lumszy avatar Jun 19 '23 22:06 lumszy

cc @alacuku for visibility.

jasondellaluce avatar Jun 20 '23 12:06 jasondellaluce

Hey! Same issue to me, because we have a lot of different eks clusters. Our solution for now is plenty slack channels, but I really hope for cluster name in output. It would be really handy. So waiting for it as well. @leodido

thelubomir avatar Jun 27 '23 10:06 thelubomir

Hi, you can install one falcosidekick per cluster and use its feature which allows to add fields in the output and then forward the event to the same falcosidekick-ui or slack channel. Since the last version of falcosidekick, you can also use an env var as value to add

Issif avatar Jun 27 '23 10:06 Issif

@Issif Could you please provide link for documentation about it? I checked the doc on official site and didn't find a field about k8s cluster that could be added.

thelubomir avatar Jun 27 '23 11:06 thelubomir

The docs of falcosidekick is directly in the README.

customfields: # custom fields are added to falco events, if the value starts with % the relative env var is used
  # Akey: "AValue"
  # Bkey: "BValue"
  # Ckey: "CValue"

If you use the falco helm chart, you need to set something like that for the values:

falcosidekick:
  config:
    customfields: "k8s.cluster.name=<my_cluster>"

Issif avatar Jun 27 '23 11:06 Issif

Question: Does spec.NodeName reflect a notation where the cluster name is part of the node name definition? It often does. If yes could you parse it out from the hostname?

If not since this is a constant we could do a similar env variable trick, check out https://github.com/falcosecurity/falco/issues/2506 and expose a new output field that way, e.g. maybe something more generic evt.cluster or similar.

incertum avatar Jul 05 '23 22:07 incertum