This program is a Go version of the following program: https://github.com/sysdiglabs/aks-audit-log. The purpose of aks-audit-log-go is to receive Kubernetes audit logs and forward them to the Falco runtime security tool, which can run detections against Kubernetes API calls using its runtime security rules (via the k8s-audit plugin).
There are four packages: main, eventhub, forwarder and httpclient.
- main: reads the configuration from the environment variables and starts a server that exposes statistics.
- eventhub: receives the audit events from the Event Hub and unmarshals each event so that it can be sent in a POST request.
- forwarder: ensures that the POST request to the Falco pod (with the k8s-audit plugin) is properly sent.
- httpclient: sends the HTTP POST request to the Falco pod (with the k8s-audit plugin).
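As an added illustration of what the forwarder and httpclient packages have to get right, the following Go program POSTs one audit event to the Falco webhook, retries transport errors and 5xx responses up to POSTMAXRETRIES times with a delay that grows by POSTRETRYINCREMENTALDELAY on each attempt, gives up immediately on a 4xx response, and honours KEEPALIVE by toggling HTTP keep-alives on the transport. This is example code written for this page, not the project's own code: the Forwarder type, its fields, the flakySink stand-in for the webhook and the "attempt times delay" reading of the incremental delay are assumptions made here.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// Forwarder POSTs audit events to the Falco k8s-audit webhook. The type and
// its field names are assumptions for this example, not the project's own.
type Forwarder struct {
	SinkURL               string        // WEBSINKURL
	MaxRetries            int           // POSTMAXRETRIES
	RetryIncrementalDelay time.Duration // POSTRETRYINCREMENTALDELAY
	client                *http.Client
}

// NewForwarder builds the HTTP client. keepAlive maps to KEEPALIVE: when it
// is false, every POST opens and closes its own TCP connection.
func NewForwarder(sinkURL string, maxRetries int, delay time.Duration, keepAlive bool) *Forwarder {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.DisableKeepAlives = !keepAlive
	return &Forwarder{
		SinkURL:               sinkURL,
		MaxRetries:            maxRetries,
		RetryIncrementalDelay: delay,
		client:                &http.Client{Transport: tr, Timeout: 10 * time.Second},
	}
}

// Forward sends one JSON-encoded audit event and returns the number of
// attempts made plus the final error. It makes at most 1+MaxRetries attempts
// and waits attempt*RetryIncrementalDelay between them (this example's reading
// of "incremental delay"). Transport errors and 5xx answers are retried; a 4xx
// answer is not, because the same event would only be rejected again.
func (f *Forwarder) Forward(ctx context.Context, event []byte) (int, error) {
	var lastErr error
	for attempt := 1; attempt <= f.MaxRetries+1; attempt++ {
		req, err := http.NewRequestWithContext(ctx, http.MethodPost, f.SinkURL, bytes.NewReader(event))
		if err != nil {
			return attempt, err // a malformed URL does not get better by retrying
		}
		req.Header.Set("Content-Type", "application/json")
		resp, err := f.client.Do(req)
		if err == nil {
			status := resp.StatusCode
			io.Copy(io.Discard, resp.Body) // drain so a kept-alive connection can be reused
			resp.Body.Close()
			if status/100 == 2 {
				return attempt, nil
			}
			err = fmt.Errorf("sink returned HTTP %d", status)
			if status < 500 {
				return attempt, err
			}
		}
		lastErr = err
		if attempt > f.MaxRetries {
			break
		}
		select {
		case <-ctx.Done():
			return attempt, ctx.Err()
		case <-time.After(time.Duration(attempt) * f.RetryIncrementalDelay):
		}
	}
	return f.MaxRetries + 1, fmt.Errorf("giving up after %d attempts: %w", f.MaxRetries+1, lastErr)
}

// flakySink is a constructed stand-in for the Falco webhook: it answers 503 to
// the first `failures` requests and 200 afterwards, counting what it saw.
func flakySink(failures int32) (*httptest.Server, *int32) {
	var seen int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if atomic.AddInt32(&seen, 1) <= failures {
			http.Error(w, "not ready", http.StatusServiceUnavailable)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	return srv, &seen
}

func main() {
	srv, seen := flakySink(2)
	defer srv.Close()
	f := NewForwarder(srv.URL+"/k8s-audit", 5, 10*time.Millisecond, true)
	// Constructed minimal audit event, not a real AKS log line.
	event := []byte(`{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create"}`)
	attempts, err := f.Forward(context.Background(), event)
	fmt.Printf("attempts=%d sink saw=%d err=%v\n", attempts, atomic.LoadInt32(seen), err)
}
```

Run it with go run .; the stand-in fails twice, so it reports attempts=3 with no error. Draining the response body before closing it is what lets a kept-alive connection be reused, and passing a context with a deadline bounds the total time spent on one event, which matters when the Event Hub keeps delivering while Falco is down.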
There is a .envrc.example file that contains the environment variables to be configured. Save a copy as .envrc and source it with source .envrc to load the environment variables into your shell session. The Event Hub and Blob storage connection strings are credentials, so keep .envrc out of version control.
Note: POSTMAXRETRIES, POSTRETRYINCREMENTALDELAY, LOGLEVEL and KEEPALIVE are optional. They default to 5 for POSTMAXRETRIES, 1000 for POSTRETRYINCREMENTALDELAY, "info" for LOGLEVEL and false for KEEPALIVE. The remaining variables must be set.
- EHUBNAMESPACECONNECTIONSTRING sets the Event Hub connection string.
- EVENTHUBNAME sets the Event Hub name.
- BLOBSTORAGECONNECTIONSTRING sets the Blob storage connection string.
- BLOBCONTAINERNAME sets the Blob container name.
- WEBSINKURL sets the webhook URL of the Falco pod (with the k8s-audit plugin), for example http://localhost:8765/k8s-audit. Audit events can carry request and response bodies, so this endpoint should only be reachable over a trusted path such as localhost or the cluster network.
- POSTMAXRETRIES sets the maximum number of retries for the POST request to the Falco pod (with the k8s-audit plugin).
- POSTRETRYINCREMENTALDELAY sets the incremental delay between retries of that POST request.
- RATELIMITEREVENTSPERSECONDS sets the rate limiter's number of events per second.
- RATELIMITERBURST sets the rate limiter's burst size.
- LOGLEVEL sets the log verbosity. The allowed levels, from highest to lowest, are panic, fatal, error, warn, info, debug and trace.
- KEEPALIVE sets whether the HTTP connection to the webhook URL is kept alive between requests.
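The following Go program is an added example, not the project's own code, of how the main package's first job, reading this configuration from the environment, can be done defensively: required variables are checked, the four defaults above are applied, LOGLEVEL is validated against the allowed levels, WEBSINKURL must be an absolute http(s) URL, and a Redacted copy is produced for startup logging so the connection strings, which carry shared access keys, never reach the log. The Config type, its field names and the LoadConfig/Redacted functions are assumptions made here; the variable names and defaults are the ones documented above. POSTRETRYINCREMENTALDELAY is kept as a plain integer because this page does not state its unit.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strconv"
	"strings"
)

// Config holds the settings documented above. The type and field names are
// assumptions for this example, not the project's own.
type Config struct {
	EventHubConnectionString    string // EHUBNAMESPACECONNECTIONSTRING
	EventHubName                string // EVENTHUBNAME
	BlobStorageConnectionString string // BLOBSTORAGECONNECTIONSTRING
	BlobContainerName           string // BLOBCONTAINERNAME
	WebSinkURL                  string // WEBSINKURL
	PostMaxRetries              int    // POSTMAXRETRIES, default 5
	PostRetryIncrementalDelay   int    // POSTRETRYINCREMENTALDELAY, default 1000 (unit not stated on the page)
	RateLimiterEventsPerSecond  int    // RATELIMITEREVENTSPERSECONDS
	RateLimiterBurst            int    // RATELIMITERBURST
	LogLevel                    string // LOGLEVEL, default "info"
	KeepAlive                   bool   // KEEPALIVE, default false
}

// allowedLogLevels are the levels listed under LOGLEVEL.
var allowedLogLevels = map[string]bool{"panic": true, "fatal": true, "error": true, "warn": true, "info": true, "debug": true, "trace": true}

// LoadConfig builds a Config from getenv (os.Getenv in production, a map lookup
// in tests). Every problem is collected into one error so an operator can fix
// the whole .envrc in a single pass instead of one crash at a time.
func LoadConfig(getenv func(string) string) (*Config, error) {
	var problems []string
	need := func(name string) string { // required, must be non-empty
		v := strings.TrimSpace(getenv(name))
		if v == "" {
			problems = append(problems, name+" is required")
		}
		return v
	}
	num := func(name string, def int) int { // optional with default, required when def < 0
		v := strings.TrimSpace(getenv(name))
		if v == "" && def >= 0 {
			return def
		}
		n, err := strconv.Atoi(v)
		if err != nil || n < 0 {
			problems = append(problems, fmt.Sprintf("%s must be a non-negative integer, got %q", name, v))
		}
		return n
	}
	cfg := &Config{
		EventHubConnectionString:    need("EHUBNAMESPACECONNECTIONSTRING"),
		EventHubName:                need("EVENTHUBNAME"),
		BlobStorageConnectionString: need("BLOBSTORAGECONNECTIONSTRING"),
		BlobContainerName:           need("BLOBCONTAINERNAME"),
		WebSinkURL:                  need("WEBSINKURL"),
		PostMaxRetries:              num("POSTMAXRETRIES", 5),
		PostRetryIncrementalDelay:   num("POSTRETRYINCREMENTALDELAY", 1000),
		RateLimiterEventsPerSecond:  num("RATELIMITEREVENTSPERSECONDS", -1),
		RateLimiterBurst:            num("RATELIMITERBURST", -1),
		LogLevel:                    strings.ToLower(strings.TrimSpace(getenv("LOGLEVEL"))),
	}
	if cfg.LogLevel == "" {
		cfg.LogLevel = "info"
	} else if !allowedLogLevels[cfg.LogLevel] {
		problems = append(problems, fmt.Sprintf("LOGLEVEL %q is not one of panic, fatal, error, warn, info, debug, trace", cfg.LogLevel))
	}
	if v := strings.TrimSpace(getenv("KEEPALIVE")); v != "" {
		b, err := strconv.ParseBool(v)
		if err != nil {
			problems = append(problems, fmt.Sprintf("KEEPALIVE must be true or false, got %q", v))
		}
		cfg.KeepAlive = b
	}
	// Every audit event is POSTed to WEBSINKURL, so reject anything that is not
	// an absolute http(s) URL at startup rather than on the first event.
	if u, err := url.Parse(cfg.WebSinkURL); cfg.WebSinkURL != "" &&
		(err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "") {
		problems = append(problems, fmt.Sprintf("WEBSINKURL must be an absolute http(s) URL, got %q", cfg.WebSinkURL))
	}
	if len(problems) > 0 {
		return nil, fmt.Errorf("invalid configuration: %s", strings.Join(problems, "; "))
	}
	return cfg, nil
}

// Redacted returns a copy that is safe to log at startup: both connection
// strings embed shared access keys, so only their lengths are kept.
func (c Config) Redacted() Config {
	mask := func(s string) string { return fmt.Sprintf("<redacted, %d bytes>", len(s)) }
	c.EventHubConnectionString = mask(c.EventHubConnectionString)
	c.BlobStorageConnectionString = mask(c.BlobStorageConnectionString)
	return c
}

func main() {
	cfg, err := LoadConfig(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", cfg.Redacted())
}
```

Taking getenv as a parameter instead of calling os.Getenv directly keeps the loader testable without mutating the process environment; in production it is simply called as LoadConfig(os.Getenv).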
Open a terminal and move to the directory for this application.
- Build the code: CGO_ENABLED=0 GOOS=linux go build -ldflags="-s" -a -installsuffix cgo .
  GOOS=linux produces a Linux binary for use in a container image; drop it if you want to run the build locally on another operating system.
- Run the binary (after building you will have an executable file named aks-audit-log-go in the current directory): ./aks-audit-log-go