k8saudit-aks Plugin Connection Timeout Without Pod Restart

Open Caroline132 opened this issue 7 months ago • 0 comments

Describe the bug

I'm using the k8saudit-aks plugin with Falco in an AKS environment, and I encountered an issue where the plugin stops processing events after a connection timeout but does not trigger a restart or recovery attempt.

  • The plugin initially connects successfully to the necessary services, as shown in the logs:

Image

  • However, after running for some time, I see the following error in the logs:

Image

  • The Falco pod does not restart despite the connection timeout, and the plugin seems to be stuck in this state.

After investigating, I realized that the issue was likely caused by a missing network policy that prevented the plugin from reaching Event Hub. However, even in this case, I would expect Falco to handle such failures more gracefully rather than silently failing while the pod remains running.

How to reproduce it

  1. Deploy Falco using the official Falco Helm chart with the k8saudit-aks plugin enabled.
  2. Apply a restrictive network policy that prevents access to Event Hub.
  3. Observe successful connections in the logs at startup.
  4. Wait until the timeout occurs.
  5. Notice that the pod does not restart and stops processing new events.

Expected behaviour

  • If the connection times out, I would expect Falco to either:
    • Attempt to reconnect after a failure.
    • Exit with an error so that Kubernetes can restart the pod.
  • Instead, Falco remains running, but the plugin stops processing new events without any recovery.

Screenshots

Environment

  • Falco version:
{"default_driver_version":"8.0.0+driver","driver_api_version":"8.0.0","driver_schema_version":"3.5.0","engine_version":"46","engine_version_semver":"0.46.0","falco_version":"0.40.0","libs_version":"0.20.0","plugin_api_version":"3.10.0"}
  • System info:
{
  "machine": "x86_64",
  "nodename": "falco-audit-7986bf7456-bjzvp",
  "release": "5.15.173.1-1.cm2",
  "sysname": "Linux",
  "version": "#1 SMP Sun Dec 8 02:17:37 UTC 2024"
}
  • Cloud provider or hardware configuration: Azure
  • OS:
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
  • Kernel:
Linux falco-audit-7986bf7456-bjzvp 5.15.173.1-1.cm2 #1 SMP Sun Dec 8 02:17:37 UTC 2024 x86_64 GNU/Linux
  • Installation method: Kubernetes

Additional context

Caroline132, Mar 12 '25 16:03
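
The reconnect-or-exit behaviour requested under "Expected behaviour", written in Go as an added example that is not part of the original issue and is not the plugin's code. The names `supervise`, `receiveFn` and `errTimeout` are hypothetical, and the receive callback is an assumed stand-in for one read from Event Hub.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// errTimeout is a constructed sample error, not the plugin's real error value.
var errTimeout = errors.New("connection timeout")

// receiveFn is a hypothetical stand-in for one blocking read from the event
// source (Event Hub in the issue). It is not the plugin's real API.
type receiveFn func(ctx context.Context) error

// supervise retries receive with capped exponential backoff. It returns nil
// only when ctx is cancelled. After maxFailures consecutive errors it returns
// an error, so the caller can exit non-zero and Kubernetes restarts the pod.
func supervise(ctx context.Context, receive receiveFn, maxFailures int, base, limit time.Duration) error {
	failures, delay := 0, base
	for ctx.Err() == nil {
		err := receive(ctx)
		if err == nil {
			failures, delay = 0, base // a healthy read resets the failure budget
			continue
		}
		if ctx.Err() != nil {
			break // shutdown requested, not a source failure
		}
		if failures++; failures >= maxFailures {
			return fmt.Errorf("event source unreachable after %d attempts: %w", failures, err)
		}
		select {
		case <-ctx.Done():
		case <-time.After(delay):
		}
		if delay *= 2; delay > limit {
			delay = limit
		}
	}
	return nil
}

func main() {
	blocked := func(context.Context) error { return errTimeout } // constructed: always times out
	err := supervise(context.Background(), blocked, 3, time.Millisecond, 10*time.Millisecond)
	fmt.Println("supervisor result:", err) // a real process would os.Exit(1) here
}
```

A caller that receives a non-nil error from `supervise` would log it and exit with a non-zero status, which turns the silent stall into a container restart that shows up in pod status and restart counts.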