libk8saudit.so: can't load plugin dynamic library
Describe the bug
When attempting to enable libk8saudit in Falco, the following error occurs:
Runtime error: cannot load plugin /usr/share/falco/plugins/libk8saudit.so: can't load plugin dynamic library: /usr/share/falco/plugins/libk8saudit.so: cannot open shared object file: No such file or directory. Exiting.
The documentation lacks clarity.
How to reproduce it
The cluster is set up using Kubeadm and it uses version 1.29.5.
cat > falco-syscall-k8saudit.yaml<<EOF
driver:
  enabled: true
  kind: ebpf
collectors:
  enabled: true
controller:
  kind: daemonset
services:
  - name: k8saudit-webhook
    type: NodePort
    ports:
      - port: 9765
        nodePort: 30007
        protocol: TCP
falcoctl:
  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      allowedTypes:
        - rulesfile
        - plugin
      install:
        resolveDeps: false
        refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
      follow:
        refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
falco:
  load_plugins: [k8saudit, json]
  jsonOutput: true
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config:
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
tty: true
EOF
helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco --values=falco-syscall-k8saudit.yaml falcosecurity/falco --version 4.2.2
Expected behaviour
Successfully integrated Kubernetes Audit Logs with Falco.
Environment
- Falco version: 4.2.2
- System info: -
- Cloud provider or hardware configuration:
- OS: Ubuntu
- Kernel: 6.5.0-1020-aws
- Installation method: Helm
Additional context
Hi @myugan,
The behavior you're facing is totally legit and logical.
In the Falco images, neither the rules nor the plugins are present. When you deploy Falco with the Helm chart, a sidecar running Falcoctl is deployed and is in charge of doing the installation for you. The behavior of Falcoctl is controlled by this block in the values.yaml:
artifact:
  install:
    enabled: true
  follow:
    enabled: true
config:
  artifact:
    allowedTypes:
      - rulesfile
      - plugin
    install:
      resolveDeps: false
      refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
    follow:
      refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
In your configuration, you install only the falco-rules, the k8saudit-rules and the json plugin:
install:
  resolveDeps: false
  refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
Either you also specify the k8saudit plugin to install, like this:
install:
  resolveDeps: false
  refs: [falco-rules:3, k8saudit-rules:0, k8saudit:0, json:0]
Or you enable the resolution of the dependencies, and the right plugin will be installed automatically following the rules:
  resolveDeps: true
Note: I updated the versions of the plugins/rules in my proposals to specify the last tagged versions we propose.
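The mismatch described in the reply above, as an added example that is not part of the original thread or of falcoctl: a static check over parsed Helm values that flags any plugin named in falco.load_plugins with no matching entry in the falcoctl install refs while resolveDeps is off. It assumes the artifact name in a ref equals the plugin name; the function names and the trimmed sample values are constructed for illustration.

```python
# Added example: static check of Falco Helm chart values (not falcoctl's own logic).
# Assumption: the artifact name in a ref ("k8saudit:0.5") equals the plugin name.

def artifact_name(ref):
    """Strip registry path, tag and digest: 'reg/path/k8saudit:1@sha256:..' -> 'k8saudit'."""
    last = ref.rsplit("/", 1)[-1]
    return last.split("@", 1)[0].split(":", 1)[0]

def missing_plugins(values):
    """Return (plugin, library_path) pairs Falco will load but falcoctl will not install."""
    falco = values.get("falco", {})
    install = (values.get("falcoctl", {}).get("config", {})
               .get("artifact", {}).get("install", {}))
    if install.get("resolveDeps", False):
        # falcoctl pulls in whatever the rules files declare as dependencies;
        # values.yaml alone cannot confirm or refute that, so flag nothing.
        return []
    installed = {artifact_name(r) for r in install.get("refs", [])}
    libs = {p["name"]: p.get("library_path", "") for p in falco.get("plugins", [])}
    return [(name, libs.get(name, "")) for name in falco.get("load_plugins", [])
            if name not in installed]

# Constructed sample: the relevant keys of the values file from the issue.
ISSUE_VALUES = {
    "falcoctl": {"config": {"artifact": {"install": {
        "resolveDeps": False,
        "refs": ["falco-rules:3", "k8saudit-rules:0.5", "json:0.6"],
    }}}},
    "falco": {
        "load_plugins": ["k8saudit", "json"],
        "plugins": [
            {"name": "k8saudit", "library_path": "libk8saudit.so"},
            {"name": "json", "library_path": "libjson.so"},
        ],
    },
}

if __name__ == "__main__":
    for name, lib in missing_plugins(ISSUE_VALUES):
        print(f"{name}: loaded by Falco ({lib}) but absent from falcoctl install refs")
```

Run against a values file before `helm install`, a non-empty result predicts the "cannot open shared object file" startup error reported in this issue.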
Thank you @Issif. I thought it would be installed automatically, but it seems I missed defining it, which is why it wasn't working. Now it's working fine, thanks!
/milestone 0.39.0 /close
@FedeDP: Closing this issue.