Falcosidekick overwrites cloudevent spec attribute

Question

Falcosidekick overwrites cloudevent spec attribute

Typhlos opened this issue a year ago · 1 comments

Describe the bug

When setting up falcosidekick to transfer falco events to a cloudevents broker such as knative, it throws the following error:

[ERROR] : CloudEvents - extension:source: bad key "source": CloudEvents spec attribute MUST NOT be overwritten by extension

This is due to this line of the cloudevents go-sdk. More precisely, it is due to the fact that falcosidekick uses source as an attribute when it should not according to the cloudevents spec.

How to reproduce it

Install falco with falcosidekick exporting events to a cloudevents broker such as knative. Follow for instance this blog post.

Expected behaviour

Falcosidekick should not use the source attribute.

Environment

Falco version:

{"default_driver_version":"5.0.1+driver","driver_api_version":"4.0.0","driver_schema_version":"2.0.0","engine_version":"17","falco_version":"0.35.1","libs_version":"0.11.3","plugin_api_version":"3.0.0"}

System info:

{
  "machine": "x86_64",
  "nodename": "falco-vvsjz",
  "release": "5.10.0-23-amd64",
  "sysname": "Linux",
  "version": "#1 SMP Debian 5.10.179-2 (2023-07-14)"
}

Cloud provider or hardware configuration:
Bare metal
OS:
Debian GNU/Linux 11 (bullseye)
Kernel:

Linux falco-vvsjz 5.10.0-23-amd64 #1 SMP Debian 5.10.179-2 (2023-07-14) x86_64 GNU/Linux

Installation method:
Kubernetes

Answer 1 · 2023-08-08T08:34:31.000Z

Thank you for the quick fix !