k8s-audit: Add custom fields to audit events about plugins HOT 6 CLOSED

Sorry for being late. I'm gonna try to summarize all your proposals just to make sure we're in the same page:

• Including some/all HTTP headers of the api server webhooks alongside their body payload inside each event generated by the k8s_audit source
• Extracting the HTTP headers info as Falco rule fields either through the json plugin or with k8saudit-native fields
• Adding custom fields to the output_fields entry of each Falco rule on top of the ones used in the rule's output
• Adding custom "label-like" fields in each Falco rule (generic marker strings that are not strictly Falco fields)

from plugins.

Ah yeah perhaps I should have included a summary of my ramblings.

I think the summary would come down to the following two proposals:

• optionally include the value of HTTP headers as user definable (custom) fields to each event generated by the k8s_audit plugin
• add extra fields to the output_fields entry of each Falco rule on top of the ones used in the rule's output

The second proposal is already requested in falco #2127. Of course it depends on the actual solution chosen for 2127, but I am hoping the first proposal would work nicely together with proposal two.

The focus of this issue is the HTTP headers for the k8s_audit plugin. But the implementation also allows other plugins, like the k8saudit-eks plugin to enhance each event with additional fields. The k8s_audit plugin uses HTTP headers as input, but I can imagine the k8saudit-eks plugin using the aws api to retrieve additional custom fields a user might want to add to each event (the additional fields are not part of the k8s audit event itself as defined by kubernetes, but knowing the audit event source the aws api might be able to supply more context of the event, for example the cluster name, or the aws region/zone the cluster is deployed in).

Trying to express the flow of things:

k8s part:
k8s api server -> kubeconfig with auth -> k8s audit event -> (a compatible audit webhook endpoint)

proxy (up to the user to pick one and configure it, so not a k8s_audit plugin problem to solve):
k8s audit event -> reverse proxy -> add custom headers, for example based on the auth supplied from kubeconfig -> forward headers and k8s audit event -> k8s_audit plugin embedded webserver

k8s_audit plugin:
receive headers + k8s audit event -> transform headers to extra fields -> parse k8s audit event, just as it works now -> merge extra fields and parsed fields -> output 'falco event' (SDK PushEvent object) for rule evaluation

falco engine:
PushEvent from plugin sdk/framework -> evaluate rules -> create falco alerts/events -> enhance output_fields of alert/event with extra variables (second proposal) -> emit alert/event

from plugins.

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

from plugins.

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

from plugins.

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

from plugins.

@poiana: Closing this issue.

from plugins.