falcosecurity/falcosidekick

PolicyReportResults in wrong PolicyReport

Closed this issue · 0 comments

Describe the bug

When I use the PolicyReport output, it writes results for Falcosidekick Pods (running in falco namespace) in the PolicyReport of the default namespace.

How to reproduce it

  • Create Kind Cluster
  • Install PolicyReport CRDs
  • Install Falco + Falcosidekick with PolicyReport output enabled
  • Create nginx pod in default NS
  • Run kubectl exec -it $(kubectl get pods --selector=app=nginx -o name) -- cat /etc/shadow to trigger a rule
  • Check PolicyReport of default namespace

Example:

apiVersion: wgpolicyk8s.io/v1alpha2
kind: PolicyReport
metadata:
  creationTimestamp: "2024-08-26T07:51:56Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: falcosidekick
  name: falco-policy-report
  namespace: default
  resourceVersion: "5183"
  uid: 99e98474-ec50-4553-ae9b-20bc68e58fcb
results:
- category: SI - System and Information Integrity
  message: '07:51:07.286308628: Notice Unexpected connection to K8s API Server from
    container (connection=10.244.0.23:33366->10.96.0.1:443 lport=33366 rport=443 fd_type=ipv4
    fd_proto=fd.l4proto evt_type=connect user=root user_uid=1234 user_loginuid=-1
    process=falcosidekick proc_exepath=/app/falcosidekick parent=containerd-shim command=falcosidekick
    terminal=0 container_id=617acf2d31de container_image=docker.io/falcosecurity/falcosidekick
    container_image_tag=2.29.0 container_name=falcosidekick k8s_ns=falco k8s_pod_name=falco-falcosidekick-cc69f458-v8z2h)'
  policy: syscall
  properties:
    container.id: 617acf2d31de
    container.image.repository: docker.io/falcosecurity/falcosidekick
    container.image.tag: 2.29.0
    container.name: falcosidekick
    evt.time: "1724658667286308628"
    evt.type: connect
    fd.lport: "33366"
    fd.name: 10.244.0.23:33366->10.96.0.1:443
    fd.rport: "443"
    fd.type: ipv4
    k8s.ns.name: falco
    k8s.pod.name: falco-falcosidekick-cc69f458-v8z2h
    proc.cmdline: falcosidekick
    proc.exepath: /app/falcosidekick
    proc.name: falcosidekick
    proc.pname: containerd-shim
    proc.tty: "0"
    user.loginuid: "-1"
    user.name: root
    user.uid: "1234"
  resources:
  - apiVersion: v1
    kind: Pod
    name: falco-falcosidekick-cc69f458-v8z2h
    namespace: falco
  result: skip
  rule: Contact K8S API Server From Container
  severity: low
  source: Falco
  timestamp:
    nanos: 286308628
    seconds: 7
- category: SI - System and Information Integrity
  message: '07:51:07.291119169: Notice Unexpected connection to K8s API Server from
    container (connection=10.244.0.23:33374->10.96.0.1:443 lport=33374 rport=443 fd_type=ipv4
    fd_proto=fd.l4proto evt_type=connect user=<NA> user_uid=1234 user_loginuid=-1
    process=falcosidekick proc_exepath=/app/falcosidekick parent=containerd-shim command=falcosidekick
    terminal=0 container_id=617acf2d31de container_image=docker.io/falcosecurity/falcosidekick
    container_image_tag=2.29.0 container_name=falcosidekick k8s_ns=falco k8s_pod_name=falco-falcosidekick-cc69f458-v8z2h)'
  policy: syscall
  properties:
    container.id: 617acf2d31de
    container.image.repository: docker.io/falcosecurity/falcosidekick
    container.image.tag: 2.29.0
    container.name: falcosidekick
    evt.time: "1724658667291119169"
    evt.type: connect
    fd.lport: "33374"
    fd.name: 10.244.0.23:33374->10.96.0.1:443
    fd.rport: "443"
    fd.type: ipv4
    k8s.ns.name: falco
    k8s.pod.name: falco-falcosidekick-cc69f458-v8z2h
    proc.cmdline: falcosidekick
    proc.exepath: /app/falcosidekick
    proc.name: falcosidekick
    proc.pname: containerd-shim
    proc.tty: "0"
    user.loginuid: "-1"
    user.name: <NA>
    user.uid: "1234"
  resources:
  - apiVersion: v1
    kind: Pod
    name: falco-falcosidekick-cc69f458-v8z2h
    namespace: falco
  result: skip
  rule: Contact K8S API Server From Container
  severity: low
  source: Falco
  timestamp:
    nanos: 291119169
    seconds: 7
- category: SI - System and Information Integrity
  message: '07:51:07.285899253: Notice Unexpected connection to K8s API Server from
    container (connection=10.244.0.23:33350->10.96.0.1:443 lport=33350 rport=443 fd_type=ipv4
    fd_proto=fd.l4proto evt_type=connect user=<NA> user_uid=1234 user_loginuid=-1
    process=falcosidekick proc_exepath=/app/falcosidekick parent=containerd-shim command=falcosidekick
    terminal=0 container_id=617acf2d31de container_image=docker.io/falcosecurity/falcosidekick
    container_image_tag=2.29.0 container_name=falcosidekick k8s_ns=falco k8s_pod_name=falco-falcosidekick-cc69f458-v8z2h)'
  policy: syscall
  properties:
    container.id: 617acf2d31de
    container.image.repository: docker.io/falcosecurity/falcosidekick
    container.image.tag: 2.29.0
    container.name: falcosidekick
    evt.time: "1724658667285899253"
    evt.type: connect
    fd.lport: "33350"
    fd.name: 10.244.0.23:33350->10.96.0.1:443
    fd.rport: "443"
    fd.type: ipv4
    k8s.ns.name: falco
    k8s.pod.name: falco-falcosidekick-cc69f458-v8z2h
    proc.cmdline: falcosidekick
    proc.exepath: /app/falcosidekick
    proc.name: falcosidekick
    proc.pname: containerd-shim
    proc.tty: "0"
    user.loginuid: "-1"
    user.name: <NA>
    user.uid: "1234"
  resources:
  - apiVersion: v1
    kind: Pod
    name: falco-falcosidekick-cc69f458-v8z2h
    namespace: falco
  result: skip
  rule: Contact K8S API Server From Container
  severity: low
  source: Falco
  timestamp:
    nanos: 285899253
    seconds: 7
- category: SI - System and Information Integrity
  message: '07:51:56.731853608: Warning Sensitive file opened for reading by non-trusted
    program (file=/etc/shadow gparent=<NA> ggparent=<NA> gggparent=<NA> evt_type=openat
    user=root user_uid=0 user_loginuid=-1 process=cat proc_exepath=/usr/bin/cat parent=containerd-shim
    command=cat /etc/shadow terminal=34816 container_id=9141b760a0b5 container_image=docker.io/library/nginx
    container_image_tag=latest container_name=nginx k8s_ns=default k8s_pod_name=nginx-bf5d5cf98-7wdpt)'
  policy: syscall
  properties:
    container.id: 9141b760a0b5
    container.image.repository: docker.io/library/nginx
    container.image.tag: latest
    container.name: nginx
    evt.time: "1724658716731853608"
    evt.type: openat
    fd.name: /etc/shadow
    k8s.ns.name: default
    k8s.pod.name: nginx-bf5d5cf98-7wdpt
    proc.aname[2]: <nil>
    proc.aname[3]: <nil>
    proc.aname[4]: <nil>
    proc.cmdline: cat /etc/shadow
    proc.exepath: /usr/bin/cat
    proc.name: cat
    proc.pname: containerd-shim
    proc.tty: "34816"
    user.loginuid: "-1"
    user.name: root
    user.uid: "0"
  resources:
  - apiVersion: v1
    kind: Pod
    name: nginx-bf5d5cf98-7wdpt
    namespace: default
  result: warn
  rule: Read sensitive file untrusted
  severity: medium
  source: Falco
  timestamp:
    nanos: 731853608
    seconds: 56
summary:
  error: 0
  fail: 0
  pass: 0
  skip: 3
  warn: 1

Expected behaviour

Write results in the PolicyReport of the correct namespace (falco in this case)
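An added check, not part of the issue or of falcosidekick's own code: given the JSON that `kubectl get policyreport -A -o json` returns, it lists every result whose Pod resource sits in a different namespace than the PolicyReport it was written to, which is exactly the misplacement shown in the report above. The sample document is constructed from two of the results in the issue and reduced to the fields the check needs.

```python
import json

# Constructed sample in the shape of `kubectl get policyreport -A -o json`,
# reduced to the fields the check needs (modelled on the report in the issue).
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [{
        "apiVersion": "wgpolicyk8s.io/v1alpha2",
        "kind": "PolicyReport",
        "metadata": {"name": "falco-policy-report", "namespace": "default"},
        "results": [
            {"rule": "Contact K8S API Server From Container", "result": "skip",
             "resources": [{"apiVersion": "v1", "kind": "Pod",
                            "name": "falco-falcosidekick-cc69f458-v8z2h",
                            "namespace": "falco"}]},
            {"rule": "Read sensitive file untrusted", "result": "warn",
             "resources": [{"apiVersion": "v1", "kind": "Pod",
                            "name": "nginx-bf5d5cf98-7wdpt",
                            "namespace": "default"}]},
        ],
    }],
})


def misplaced_results(report):
    """Return (rule, resource name, resource namespace) for every result in a
    namespaced PolicyReport whose resource lives in another namespace."""
    report_ns = report["metadata"].get("namespace")
    found = []
    for res in report.get("results", []):
        for obj in res.get("resources", []):
            # Cluster-scoped resources carry no namespace; only compare when present.
            obj_ns = obj.get("namespace")
            if obj_ns is not None and obj_ns != report_ns:
                found.append((res["rule"], obj["name"], obj_ns))
    return found


def audit(list_json):
    """Map 'namespace/report-name' -> misplaced results, for every report in the list."""
    out = {}
    for rep in json.loads(list_json)["items"]:
        bad = misplaced_results(rep)
        if bad:
            out[f'{rep["metadata"]["namespace"]}/{rep["metadata"]["name"]}'] = bad
    return out


if __name__ == "__main__":
    for key, bad in audit(SAMPLE_LIST).items():
        for rule, name, ns in bad:
            print(f"{key}: result for Pod {ns}/{name} ({rule}) belongs in namespace {ns}")
```

Pipe the output of `kubectl get policyreport -A -o json` into `audit()` to run the same check against a live cluster.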