[json plugin error] json.value[...] doesn't accept json pointer
Describe the bug
When loading rules, falco finds the rules file as invalid with the following error:

```
LOAD_ERR_COMPILE_OUTPUT (Error compiling output):
....
has an invalid index argument not composed only by digits: /user/extraauthentication.kubernetes.io/pod-name
```
How to reproduce it
Install the helm chart of falco with this config file:

```yaml
falcoctl:
  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      install:
        resolveDeps: false
        refs: [falco-rules:0, k8saudit-rules:0.5]
      follow:
        refs: [falco-rules:0, k8saudit-rules:0.5]
falco:
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config: ""
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
      open_params: ""
  load_plugins: [k8saudit, json]
```
And with this rule in k8s_audit_rules.local.yaml:

```yaml
- list: getVerbs
  items: [list, get]
- rule: getFromPod
  desc: A pod tried to access resources in the cluster
  condition: ka.verb in (getVerbs) and ka.user.name != admin
  output: "%json.value[/user/extra/authentication.kubernetes.io/pod-name]"
  priority: info
  source: k8s_audit
```
and feeding falco with this json:

```json
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "4d80af72-c845-42c3-9159-97a97925fcac",
  "stage": "ResponseComplete",
  "requestURI": "/api/v1/namespaces/default/pods?limit=500",
  "verb": "list",
  "user": {
    "username": "system:serviceaccount:default:default",
    "uid": "ff7eb48d-d26c-4b11-9f18-e2b5e9be50ee",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:default",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "ubuntu-ubuntu"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "7d49c124-be01-4f95-827e-de1125f05dc9"
      ]
    }
  },
  "sourceIPs": [
    "10.1.134.102"
  ],
  "userAgent": "kubectl/v1.27.4 (linux/amd64) kubernetes/fa3d799",
  "objectRef": {
    "resource": "pods",
    "namespace": "default",
    "apiVersion": "v1"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "requestReceivedTimestamp": "2023-08-02T08:12:31.920374Z",
  "stageTimestamp": "2023-08-02T08:12:31.925808Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": ""
  }
}
```
Expected behaviour
Return in output: ubuntu-ubuntu
Environment

- Falco version: 0.35.1
- System info:

```
Wed Aug 2 12:53:30 2023: Falco version: 0.35.1 (x86_64)
Wed Aug 2 12:53:30 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Wed Aug 2 12:53:30 2023: Loading plugin 'k8saudit' from file /usr/share/falco/plugins/libk8saudit.so
Wed Aug 2 12:53:30 2023: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Wed Aug 2 12:53:30 2023: Loading rules from file /etc/falco/falco_rules.yaml
Wed Aug 2 12:53:31 2023: Loading rules from file /etc/falco/local/falco_rules.local.yaml
Wed Aug 2 12:53:31 2023: Loading rules from file /etc/falco/k8s_audit_rules.yaml
{
  "machine": "x86_64",
  "nodename": "falco-vqvkp",
  "release": "5.15.0-76-generic",
  "sysname": "Linux",
  "version": "#83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023"
}
```

This output is missing k8s_audit_rules.local.yaml because I had to remove it to access the machine.

- OS:

```
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```

- Kernel: Linux falco-vqvkp 5.15.0-76-generic #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023 x86_64 GNU/Linux
- Installation method: helm chart
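Added here as an illustration, not code from the issue or from the json plugin: an RFC 6901 JSON-pointer resolver run over a trimmed copy of the audit event in the report. RFC 6901 reserves `/` as the token separator, so a key such as `authentication.kubernetes.io/pod-name` must be written as `authentication.kubernetes.io~1pod-name` inside a pointer; the pointer exactly as written in the rule splits that key into two tokens and matches nothing. The compile error quoted above comes from Falco's rule loader, which this example does not model; `resolve_pointer`, `pod_name` and `AUDIT_EVENT` are names chosen for the example.

```python
# Added example, not code from the issue or from the json plugin itself: an
# RFC 6901 JSON-pointer resolver run over a trimmed copy of the audit event in
# the report. resolve_pointer, pod_name and AUDIT_EVENT are names chosen here.
import json
import re

# Constructed subset of the audit event pasted in the issue.
AUDIT_EVENT = json.loads("""{
  "kind": "Event", "verb": "list",
  "user": {
    "username": "system:serviceaccount:default:default",
    "extra": {
      "authentication.kubernetes.io/pod-name": ["ubuntu-ubuntu"],
      "authentication.kubernetes.io/pod-uid": ["7d49c124-be01-4f95-827e-de1125f05dc9"]
    }
  }
}""")

def resolve_pointer(doc, pointer):
    """Resolve an RFC 6901 pointer; return None when a token does not match."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError("a JSON pointer is empty or starts with '/'")
    node = doc
    for token in pointer.split("/")[1:]:
        # Unescape in the order RFC 6901 requires: '~1' -> '/', then '~0' -> '~'.
        token = token.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict):
            if token not in node:
                return None
            node = node[token]
        elif isinstance(node, list):
            # Array indices are digits only, without leading zeros.
            if not re.fullmatch(r"0|[1-9][0-9]*", token) or int(token) >= len(node):
                return None
            node = node[int(token)]
        else:
            return None
    return node

def pod_name(event):
    """Value the rule output expects: the key's '/' is escaped as '~1'."""
    value = resolve_pointer(event, "/user/extra/authentication.kubernetes.io~1pod-name")
    return value[0] if isinstance(value, list) and value else None
```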
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community. /close
@poiana: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/remove-lifecycle rotten
/reopen
@Andreagit97: Reopened this issue.
In response to this:
/reopen
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Sounds like a valid issue! I'm not sure it ever worked...we will take a look, thank you for reporting!