Falco audit rules do not show any alerts

I am trying to enable the Falco audit rules. I am following this blog to enable the k8s audit rules in Falco: https://sysdig.com/blog/kubernetes-audit-log-falco/

I am using minikube v1.22.0 with Kubernetes v1.21.2. As mentioned in the blog, I created the audit policy file and the audit webhook configuration file under the path ~/.minikube/files/etc/ssl/certs.

audit-policy.yaml

    apiVersion: audit.k8s.io/v1beta1 # This is required.
    kind: Policy
    # Don't generate audit events for all requests in RequestReceived stage.
    omitStages:
      - "RequestReceived"
    rules:
      # Log pod changes at RequestResponse level
      - level: RequestResponse
        resources:
        - group: ""
          # Resource "pods" doesn't match requests to any subresource of pods,
          # which is consistent with the RBAC policy.
          resources: ["pods"]
        # Deployments live in the "apps" API group, not the core group (""),
        # so they need their own entry; listed under group "" they never match.
        - group: "apps"
          resources: ["deployments"]

      # Log cluster-wide RBAC changes with the full request and response bodies.
      - level: RequestResponse
        resources:
        - group: "rbac.authorization.k8s.io"
          resources: ["clusterroles", "clusterrolebindings"]

      # Log "pods/log", "pods/status" at Metadata level
      - level: Metadata
        resources:
        - group: ""
          resources: ["pods/log", "pods/status"]

      # Don't log requests to a configmap called "controller-leader"
      - level: None
        resources:
        - group: ""
          resources: ["configmaps"]
          resourceNames: ["controller-leader"]

      # Don't log watch requests by the "system:kube-proxy" on endpoints or services
      - level: None
        users: ["system:kube-proxy"]
        verbs: ["watch"]
        resources:
        - group: "" # core API group
          resources: ["endpoints", "services"]

      # Don't log authenticated requests to certain non-resource URL paths.
      - level: None
        userGroups: ["system:authenticated"]
        nonResourceURLs:
        - "/api*" # Wildcard matching.
        - "/version"

      # Log the request body of configmap changes in kube-system.
      - level: Request
        resources:
        - group: "" # core API group
          resources: ["configmaps"]
        # This rule only applies to resources in the "kube-system" namespace.
        # The empty string "" can be used to select non-namespaced resources.
        namespaces: ["kube-system"]

      # Log configmap changes in all other namespaces at the RequestResponse level.
      - level: RequestResponse
        resources:
        - group: "" # core API group
          resources: ["configmaps"]

      # Log secret changes in all other namespaces at the Metadata level.
      - level: Metadata
        resources:
        - group: "" # core API group
          resources: ["secrets"]

      # Log all other resources in core and extensions at the Request level.
      - level: Request
        resources:
        - group: "" # core API group
        - group: "extensions" # Version of group should NOT be included.

      # A catch-all rule to log all other requests at the Metadata level.
      - level: Metadata
        # Long-running requests like watches that fall under this rule will not
        # generate an audit event in RequestReceived.
        omitStages:
          - "RequestReceived"

audit-webhook-config.yaml

    apiVersion: v1
    kind: Config
    clusters:
    - name: falco
      cluster:
        # certificate-authority: /path/to/ca.crt # for https
        # The apiserver opens this connection itself, so the address must be
        # reachable from the node the apiserver runs on (here 127.0.0.1 is the
        # minikube node, not the workstation).
        server: http://127.0.0.1:32765/k8s-audit
    contexts:
    - context:
        cluster: falco
        user: ""
      name: default-context
    current-context: default-context
    preferences: {}
    users: []

I started my minikube with these flags using this command:

    minikube start \
      --extra-config=apiserver.audit-policy-file=/etc/ssl/certs/audit-policy.yaml \
      --extra-config=apiserver.audit-log-path=- \
      --extra-config=apiserver.audit-webhook-config-file=/etc/ssl/certs/audit-webhook-config.yaml

But still my k8s-audit-rules (falco) do not show any alerts. Am I missing something?

0 answers
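A useful first check in this situation, independent of Falco, is whether the apiserver delivers audit events to the webhook at all. With `--audit-log-path=-` the log backend also writes every event the policy matches to the apiserver's stdout, so the static pod's logs (`kubectl logs -n kube-system kube-apiserver-minikube` on a default profile) show whether the policy is in effect; if events appear there but Falco stays silent, the problem is the webhook side. The receiver below is an added example, not code from the question, the Sysdig blog or the Falco project: it implements the endpoint the apiserver POSTs to (a JSON `EventList` in `audit.k8s.io/v1`, batched by default), validates the envelope, answers 2xx so the apiserver does not retry the batch, and prints one line per event in the fields Falco's `k8s_audit` rules key on. The `/k8s-audit` path and port 32765 are assumed to mirror the question's webhook config, and `SAMPLE_EVENT_LIST` is a constructed batch, not a real capture. Run it on the minikube node (or expose it there with a NodePort, as the blog does for Falco), since the apiserver resolves `127.0.0.1` in the webhook config from its own network namespace.

```python
"""Minimal stand-in for Falco's audit endpoint: receives Kubernetes audit
webhook batches (audit.k8s.io/v1 EventList) and prints one line per event.
Added example; the path, port and sample batch are assumptions, not captures."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBHOOK_PATH = "/k8s-audit"   # assumed: same path as the question's config
LISTEN_PORT = 32765           # assumed: same port as the question's config


def envelope_error(doc):
    """Return why `doc` is not an audit EventList, or None if it is one."""
    if not isinstance(doc, dict):
        return "body is not a JSON object"
    if not str(doc.get("apiVersion", "")).startswith("audit.k8s.io/"):
        return f"unexpected apiVersion {doc.get('apiVersion')!r}"
    if doc.get("kind") != "EventList":
        return f"unexpected kind {doc.get('kind')!r}"
    return None


def summarize_event(ev):
    """Flatten one audit Event into the fields Falco's k8s_audit rules use
    (ka.verb, ka.user.name, ka.target.resource, ka.target.namespace, ...)."""
    ref = ev.get("objectRef") or {}
    return {
        "stage": ev.get("stage"),
        "level": ev.get("level"),
        "verb": ev.get("verb"),
        "user": (ev.get("user") or {}).get("username"),
        "group": ref.get("apiGroup", ""),   # "" is the core API group
        "resource": ref.get("resource"),
        "namespace": ref.get("namespace"),
        "name": ref.get("name"),
        "code": (ev.get("responseStatus") or {}).get("code"),
    }


def handle_body(body):
    """Parse a webhook POST body -> (http_status, [event summaries]).
    Any 2xx tells the apiserver the batch was delivered; on failure it retries,
    so a broken receiver shows up as the same batch arriving repeatedly."""
    try:
        doc = json.loads(body)
    except ValueError:            # includes json.JSONDecodeError
        return 400, []
    if envelope_error(doc):
        return 400, []
    return 200, [summarize_event(ev) for ev in doc.get("items", [])]


class AuditHandler(BaseHTTPRequestHandler):
    received = []  # every summarized event this process has accepted

    def do_POST(self):
        if self.path != WEBHOOK_PATH:
            self.send_response(404)
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", 0))
        status, events = handle_body(self.rfile.read(length))
        AuditHandler.received.extend(events)
        for e in events:
            print(f"{e['stage']:<16} {e['verb']:<7} {e['user']} "
                  f"{e['group'] or 'core'}/{e['resource']} "
                  f"{e['namespace']}/{e['name']} -> {e['code']}")
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stdout to the one-line-per-event output above


def deliver_locally(body, path=WEBHOOK_PATH):
    """Self-test: POST `body` to a throwaway receiver on an ephemeral port
    and return the HTTP status it answered with."""
    server = HTTPServer(("127.0.0.1", 0), AuditHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}{path}"
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    finally:
        server.shutdown()
        server.server_close()


# Constructed sample of what the apiserver would POST for a pod creation under
# the question's policy (pods at RequestResponse level). Not a real capture.
SAMPLE_EVENT_LIST = json.dumps({
    "kind": "EventList",
    "apiVersion": "audit.k8s.io/v1",
    "items": [{
        "level": "RequestResponse",
        "auditID": "00000000-0000-4000-8000-000000000001",
        "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces/default/pods",
        "verb": "create",
        "user": {"username": "minikube-user", "groups": ["system:masters"]},
        "objectRef": {"resource": "pods", "namespace": "default",
                      "name": "nginx", "apiVersion": "v1"},
        "responseStatus": {"metadata": {}, "code": 201},
    }],
}).encode()


if __name__ == "__main__":
    print(f"listening on :{LISTEN_PORT}{WEBHOOK_PATH}")
    HTTPServer(("0.0.0.0", LISTEN_PORT), AuditHandler).serve_forever()
```

Point `server:` in audit-webhook-config.yaml at this receiver, restart minikube with the same `--extra-config` flags, then run any `kubectl` command that the policy matches: if nothing arrives here either, the webhook URL is not reachable from the apiserver or the config file was not picked up, and Falco's rules are not the place to look.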
