
eks audit plugin shows events for system users.

Open eric-engberg opened this issue 1 year ago • 13 comments

Describe the bug

The eks audit plugin is emitting events for "disallowed k8s user" for system users. There are rules to exclude system users but they are apparently not being honored.

User is system:node:ip-10-30-63-166.ec2.internal

How to reproduce it

Deploy falco with only the eks k8s plugin enabled using the falco 4.2.4 helm chart.

Expected behaviour

Events done by system users should be ignored.

Screenshots

Environment

  • Falco version: falco-no-driver:0.37.1
  • System info:
{
  "machine": "x86_64",
  "nodename": "falco-audit-7f6dc75785-srq7t",
  "release": "6.1.77",
  "sysname": "Linux",
  "version": "#1 SMP PREEMPT_DYNAMIC Fri Feb 23 02:26:25 UTC 2024"
}
  • Cloud provider or hardware configuration: AWS EKS
  • OS: Bottlerocket
  • Kernel:
  • Installation method: Helm

Additional context

eric-engberg Apr 01 '24 21:04

/assign @leogr

incertum Aug 03 '23 18:08

The first should be to specify for each plugin, in the registry, the kind of expected deployment (daemonset, 1 replica deployment, multi-replicas deployment). This information could be part of the yaml to list the existing plugins.

Issif Aug 03 '23 19:08

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana Nov 01 '23 21:11

/remove-lifecycle stale

leogr Nov 08 '23 16:11

/lifecycle stale

poiana Feb 06 '24 21:02

/remove-lifecycle stale

cc @LucaGuerra @mikegcoleman

leogr Feb 08 '24 15:02

btw, it is already documented in the helm chart https://github.com/falcosecurity/charts/tree/master/charts/falco#deploying-falco-in-kubernetes It can be a source of inspiration to do the same in the official documentation.

leogr Mar 26 '24 14:03

/lifecycle stale

poiana Jun 24 '24 15:06

/remove-lifecycle stale

/assign @LucaGuerra

leogr Jun 24 '24 16:06

/lifecycle stale

poiana Sep 22 '24 22:09

/remove-lifecycle stale

leogr Sep 23 '24 07:09