chore(rules): Rule exceptions for ibm cloud #1337

Merged: 2 commits, Feb 19, 2021

Conversation

@nibalizer (Contributor) commented Jul 31, 2020

Signed-off-by: Spencer Krum [email protected]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following lines:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:

Rule exceptions for ibm cloud

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

rule(list falco_sensitive_mount_containers): added image exceptions for IBM cloud

@leogr (Member) commented Sep 7, 2020

Hey @nibalizer

It seems that some integration tests are not passing; also, this PR needs to be rebased on top of the current master branch.
Could you take a look, please?

Thanks in advance

@krisnova krisnova modified the milestones: 0.26.0, 0.27.0 Sep 24, 2020
@nibalizer (Contributor, Author) commented

Yes I can do that.

Also check this PR number.

@leogr (Member) left a comment

The integration tests still report the following error:

Wed Oct  7 20:59:41 2020: Runtime error: Compilation error when compiling "(container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
 gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
 docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
 sysdig/falco, sysdig/sysdig, falcosecurity/falco)
 or (container.image.repository in icr.io/ext/sysdig/agent, registry.ng.bluemix.net/armada-master/olm, registry.ng.bluemix.net/armada-master/metrics-server-amd64)
 or (k8s.ns.name = "kube-system"))
": 278: syntax error, unexpected 'icr', expecting '('
---
- macro: k8s_containers
  condition: >
    (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
     gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
     docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
     sysdig/falco, sysdig/sysdig, falcosecurity/falco)
     or (container.image.repository in ibm_cloud_containers)
     or (k8s.ns.name = "kube-system"))
---. Exiting.

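The compilation error above comes from the way Falco expands a list name that appears in a condition: the name is replaced inline by its comma-separated items, so a bare `in ibm_cloud_containers` becomes `in icr.io/ext/sysdig/agent, registry.ng.bluemix.net/...`, and the parser stops at `icr` because it expected the opening parenthesis. The fragment below is an added illustration written for this page, not the text of the merged rules/falco_rules.yaml; it reuses the list items and the k8s_containers macro exactly as quoted in this thread and shows the failing line next to the corrected one.

```yaml
# Added illustration, not the merged falco_rules.yaml.
# The list items are the image repositories quoted in this PR thread.
- list: ibm_cloud_containers
  items:
    - icr.io/ext/sysdig/agent
    - registry.ng.bluemix.net/armada-master/metrics-server-amd64
    - registry.ng.bluemix.net/armada-master/olm

# Failing form (what the CI run compiled). Falco substitutes the list
# items inline, so this becomes
#   container.image.repository in icr.io/ext/sysdig/agent, registry.ng...
# and the parser reports: syntax error, unexpected 'icr', expecting '('.
#
#     or (container.image.repository in ibm_cloud_containers)
#
# Corrected form: a list name used after "in" must sit inside the
# parentheses, exactly like a literal item list does.
- macro: k8s_containers
  condition: >
    (container.image.repository in (gcr.io/google_containers/hyperkube-amd64,
     gcr.io/google_containers/kube2sky, docker.io/sysdig/falco,
     docker.io/sysdig/sysdig, docker.io/falcosecurity/falco,
     sysdig/falco, sysdig/sysdig, falcosecurity/falco)
     or (container.image.repository in (ibm_cloud_containers))
     or (k8s.ns.name = "kube-system"))
```

Running `falco -V rules/falco_rules.yaml` parses the file and reports the same compilation error without starting the engine, which is quicker than waiting for the integration job. Two caveats worth keeping in mind when extending this list: `container.image.repository` is a name, not a digest, so any image that a workload pulls or tags under one of these repository paths is exempted, and a macro like k8s_containers is referenced by several rules, so widening it silences more than the one rule named in the user-facing note.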
@leogr (Member) commented Feb 18, 2021

Update: I have rebased this PR to let the new CI job run. I will re-approve soon.

leogr previously approved these changes Feb 18, 2021
@poiana poiana added the lgtm label Feb 18, 2021
@poiana (Contributor) commented Feb 18, 2021

LGTM label has been added.

Git tree hash: 90a13f51c7da7b00c7905d6b001fb34f29f7f2e8

fntlnz previously approved these changes Feb 19, 2021
@Kaizhe (Contributor) commented Feb 19, 2021

Just adding my observation here: in PR 1337 we have the list

# Containers from IBM Cloud
- list: ibm_cloud_containers
  items:
    - icr.io/ext/sysdig/agent
    - registry.ng.bluemix.net/armada-master/metrics-server-amd64
    - registry.ng.bluemix.net/armada-master/olm

a commercial image (sysdig/agent) from a cloud vendor. We haven't decided whether we should allow commercial images in the exception. Just approving for now; we will probably change the list when a decision is made.

Kaizhe previously approved these changes Feb 19, 2021
Whitelist ibm images for connecting to k8s api server

IBM Observability by Sysdig has a vendored sysdig/agent image.

IBM's Kubernetes Service ships with an operator manager. Example:

19:12:45.090908160: Notice Unexpected connection to K8s API Server from
container (command=catalog -namespace ibm-system
-configmapServerImage=registry.ng.bluemix.net/armada-master/configmap-operator-registry:v1.6.1
k8s.ns=ibm-system k8s.pod=catalog-operator-6495d76869-ncl2z
container=4ad7a04fa1e0
image=registry.ng.bluemix.net/armada-master/olm:0.14.1-IKS-1
connection=172.30.108.219:48200->172.21.0.1:443) k8s.ns=ibm-system
k8s.pod=catalog-operator-6495d76869-ncl2z container=4ad7a04fa1e0

IBM's Kubernetes service also ships with a metrics collecting agent

Signed-off-by: Spencer Krum <[email protected]>
@poiana poiana added the lgtm label Feb 19, 2021
@poiana (Contributor) commented Feb 19, 2021

LGTM label has been added.

Git tree hash: 2ae4f3c9e8637421a94cd1b54019430b15b00758

@poiana (Contributor) commented Feb 19, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: leodido, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit b3693a0 into falcosecurity:master Feb 19, 2021
7 participants