Add a plugin for Azure AKS k8_audit

Open nissessenap opened this issue 3 years ago • 25 comments

Motivation

Just like in AWS I want to be able to monitor my k8s audit logs in Azure.

Feature

An implementation of reading k8s_audit logs in AKS through Log Analytics Workspace.

Alternatives

AKS also supports sending logs directly to a storage account and an event hub.

But to make the initial offering as similar to AWS as possible, I think starting with Log Analytics Workspace is a good idea.

Additional context

How to manage the Azure Diagnostic resources through terraform: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting

nissessenap avatar Jun 15 '22 13:06 nissessenap

I have started working on this feature.

nissessenap avatar Jun 15 '22 13:06 nissessenap

While developing the current k8saudit plugin, I tried to design it so that it could be easy to develop integrations like this to fetch audit logs from managed k8s platforms. I'm excited to see the first one coming! 😄

Note that the whole k8saudit plugin is an importable Go struct. In your case, you probably just need to re-implement the open method and reuse all the extraction-related code: https://github.com/falcosecurity/plugins/blob/52e46f7e876381f1cf666c505d386cdaa48ab2cb/plugins/k8saudit/pkg/k8saudit/source.go#L56

Let me know if you'd like some help or to work together on this!

jasondellaluce avatar Jun 15 '22 13:06 jasondellaluce

@NissesSenap any news? There's a WIP EKS porting that you could use as inspiration: https://github.com/falcosecurity/plugins/pull/134. It took a few lines of code to adapt the k8saudit plugin to the new integration.

jasondellaluce avatar Aug 25 '22 10:08 jasondellaluce

@jasondellaluce sadly I haven't had time to look into this. My guess is I can take a look in a month or something similar; if anyone else has time, please go for it.

nissessenap avatar Aug 27 '22 11:08 nissessenap

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Nov 25 '22 21:11 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Dec 25 '22 21:12 poiana

/remove-lifecycle rotten

jasondellaluce avatar Jan 04 '23 10:01 jasondellaluce

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 04 '23 13:04 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar May 04 '23 13:05 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana avatar Jun 03 '23 13:06 poiana

@poiana: Closing this issue.

poiana avatar Jun 03 '23 13:06 poiana

/remove-lifecycle rotten

/reopen

jasondellaluce avatar Jun 05 '23 07:06 jasondellaluce

@jasondellaluce: Reopened this issue.

poiana avatar Jun 05 '23 07:06 poiana

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Sep 03 '23 13:09 poiana

/remove-lifecycle stale

jasondellaluce avatar Sep 04 '23 09:09 jasondellaluce

interesting feature

andreyolv avatar Sep 28 '23 17:09 andreyolv

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Dec 27 '23 21:12 poiana

/remove-lifecycle stale

Andreagit97 avatar Jan 03 '24 13:01 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 02 '24 15:04 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar May 02 '24 15:05 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana avatar Jun 01 '24 15:06 poiana

@poiana: Closing this issue.

poiana avatar Jun 01 '24 15:06 poiana

/remove-lifecycle rotten

/reopen

Andreagit97 avatar Jun 03 '24 08:06 Andreagit97

@Andreagit97: Reopened this issue.

poiana avatar Jun 03 '24 08:06 poiana

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Sep 01 '24 10:09 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Oct 01 '24 10:10 poiana