Falco:在使用k8saudit插件部署falco后无法进入数据源K8s审核

Question

我的测试环境: kubernetes: 1.20.15 falco: 0.32.1 falco头盔图: falco-2.0.17

我的部署过程。

1. 用头盔部署falco，用k8saudit插件部署

$helm repo add falcosecurity https://falcosecurity.github.io/charts
$helm install falco falcosecurity/falco --namespace falco -f ./falco-values-k8saudit.yaml \
  --set falco.grpc.enabled=true \
  --set falco.grpc_output.enabled=true \
  --set falcosidekick.enabled=true \
  --set falcosidekick.webui.enabled=true \
  --set falcosidekick.webui.redis.storageClass="rbd" \
  --set falcosidekick.webui.redis.storageSize="5Gi"

falco-value-k8saudit.yaml is identical to: https://github.com/falcosecurity/charts/blob/master/falco/values-k8saudit.yaml

$ kubectl get all -n falco
NAME                                          READY   STATUS    RESTARTS   AGE
pod/falco-774d78d77-bccdt                     1/1     Running   0          20m
pod/falco-falcosidekick-9957d4fcd-td4b4       1/1     Running   0          20m
pod/falco-falcosidekick-9957d4fcd-v5wxq       1/1     Running   0          20m
pod/falco-falcosidekick-ui-7d6b97856d-jjdcw   1/1     Running   2          20m
pod/falco-falcosidekick-ui-7d6b97856d-s5xj6   1/1     Running   1          20m
pod/falco-falcosidekick-ui-redis-0            1/1     Running   0          20m

NAME                                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
service/falco-falcosidekick            ClusterIP   10.104.198.200   <none>        2801/TCP         20m
service/falco-falcosidekick-ui         ClusterIP   10.109.144.99    <none>        2802/TCP         20m
service/falco-falcosidekick-ui-redis   ClusterIP   10.97.32.201     <none>        6379/TCP         20m
service/falco-k8saudit-webhook         NodePort    10.103.65.15     <none>        9765:30007/TCP   20m

NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/falco                    1/1     1            1           20m
deployment.apps/falco-falcosidekick      2/2     2            2           20m
deployment.apps/falco-falcosidekick-ui   2/2     2            2           20m

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/falco-774d78d77                     1         1         1       20m
replicaset.apps/falco-falcosidekick-9957d4fcd       2         2         2       20m
replicaset.apps/falco-falcosidekick-ui-7d6b97856d   2         2         2       20m

NAME                                            READY   AGE
statefulset.apps/falco-falcosidekick-ui-redis   1/1     20m

1. 创建web钩子配置，请参阅config/web钩子-config.yaml.in

$cat falco-webhook-config.yaml
---
apiVersion: v1
kind: Config
clusters:
- name: falco
  cluster:
    server: http://10.103.65.15:8765/k8s-audit
contexts:
- context:
    cluster: falco
    user: ""
  name: default-context
current-context: default-context
preferences: {}
users: []

1. 启用审计日志并在kube-apiserver.yaml中设置web钩子配置文件

kubectl logs falco-774d78d77-bccdt -n falco
Wed Aug 10 05:47:20 2022: Falco version 0.32.1
Wed Aug 10 05:47:20 2022: Falco initialized with configuration file /etc/falco/falco.yaml
Wed Aug 10 05:47:20 2022: Loading plugin (k8saudit) from file /usr/share/falco/plugins/libk8saudit.so
Wed Aug 10 05:47:20 2022: Loading plugin (json) from file /usr/share/falco/plugins/libjson.so
Wed Aug 10 05:47:20 2022: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Wed Aug 10 05:47:20 2022: gRPC server threadiness equals to 4
Wed Aug 10 05:47:20 2022: Starting internal webserver, listening on port 8765
Wed Aug 10 05:47:20 2022: Starting gRPC server at unix:///var/run/falco/falco.sock

但我无法在falcosidekick中获得任何数据。

问题：

1. 有人能帮我查一下我漏掉了什么吗？
2. FARCO伴UI支持k8saudit插件吗？

Answer 1

在0.32.0版，Kubernetes审计事件功能变成了一个插件，所以插件不是通过Falco内部web服务器8765接收流量，而是监听不同端口上的事件，您可以在上面显示的Falco-k8saud-web钩子服务中看到9765。

因此，在Falco-web钩子-config.yaml配置中，将端口替换为9765，并重新启动API，您应该开始看到Falco中的K8s事件，因此也应该在F人种的UI中看到。