feat(plugins/k8saudit/rules) add detection for portforwarding #375
Conversation
Welcome @RichardoC! It looks like this is your first PR to falcosecurity/plugins 🎉
Signed-off-by: Richard Tweed <[email protected]>
Rules files suggestions: k8s_audit_rules.yaml. Comparing: Minor changes:
Thank you for this; I'm not a big expert here, but we will try to take a look ASAP.
Hi @RichardoC and thanks for the contribution!
I could add this, but nothing else in this file is allowlisted by namespace. Wouldn't it be better to have that as a macro for all rules on namespaced objects? Also, did you have any luck testing these with a real cluster?
That's right, let's keep the namespace allow list for a second PR in case.
@loresuso Need anything on this?
Great news, thanks for trying it out!
LGTM.
A little disclaimer: I think it's okay to merge this. However, note that the new k8s ruleset will not be released soon. We will likely release all new plugin versions near the next Falco release. We can open a follow-up PR if we need to introduce any minor change to this new rule before releasing it (like enforcing the Rules Maturity Framework policies).
cc @falcosecurity/rules-maintainers @falcosecurity/plugins-maintainers
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: leogr, RichardoC. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
LGTM label has been added. Git tree hash: c2015d0f0d40d13a871c23a97bb4896c3ef5a66b
@leogr are you planning to move these rules out to the rules repo?
No, we don't have any plans for that yet. We just have to understand if and how the Rules Maturity Framework applies to plugin rulesets. Eventually, it will have a minor impact on plugin rules (i.e. probably we will just add maturity tags).
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area plugins
What this PR does / why we need it:
Currently there aren't any detections for port forwarding, which isn't great. Port forwarding can be used to avoid controls such as service meshes, and can be used for data exfiltration. There's rarely a good reason for anyone to be using these regularly, so it should have a detection, just like exec already does.
For anyone wondering, you can only port forward a pod. When you run kubectl port-forward svc/myservice, it actually checks the selectors for the service and the port mapping, and port forwards one of the pods which matches those selectors, on the required port after mapping through the service. This is why I'm only reporting the pod that is port forwarded; there's no way to know if the user was trying to port forward a pod or a service unless we correlated back to whether this user had done a service lookup and then a pod list before issuing this API call.
Which issue(s) this PR fixes:
Fixes #230
Special notes for your reviewer:
This hasn't been tested locally; it's based on the Kubernetes API spec, so it should be tested before merging.
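As an added illustration of the detection rationale in the description above (example code written for this page, not the rule from the PR and not Falco's own code), here is a small Python detector run over constructed Kubernetes audit log lines: it flags pods/portforward requests and, as the description explains, only ever reports a pod, even for a session the user started as svc/myservice. It assumes standard Kubernetes audit event fields (auditID, stage, verb, user.username, objectRef.resource/subresource/namespace/name) delivered as JSON lines; the user names, namespaces and pod names are made up.

```python
import json

# Constructed sample audit events (not from the PR or Falco); only the fields
# the detector reads are present. The two "a1" lines are two audit stages of
# one "kubectl port-forward svc/myservice" session: the API only ever sees the pod.
SAMPLE_AUDIT_LINES = [
    json.dumps({"auditID": "a1", "stage": "ResponseStarted", "verb": "create",
                "user": {"username": "alice"},
                "objectRef": {"resource": "pods", "subresource": "portforward",
                              "namespace": "payments", "name": "myservice-7d9c4-x2k1q"}}),
    json.dumps({"auditID": "a0", "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "alice"},  # the service lookup kubectl did first
                "objectRef": {"resource": "services", "namespace": "payments",
                              "name": "myservice"}}),
    json.dumps({"auditID": "a2", "stage": "ResponseStarted", "verb": "create",
                "user": {"username": "bob"},  # exec: covered by the existing exec rule
                "objectRef": {"resource": "pods", "subresource": "exec",
                              "namespace": "default", "name": "debug"}}),
    json.dumps({"auditID": "a1", "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "alice"},
                "objectRef": {"resource": "pods", "subresource": "portforward",
                              "namespace": "payments", "name": "myservice-7d9c4-x2k1q"}}),
    "not json at all",  # a corrupted line must not stop the detector
]

def is_port_forward(event):
    """True for a pods/portforward request (kubectl sends a POST, audited as verb create)."""
    ref = event.get("objectRef") or {}
    return (event.get("verb") == "create"
            and ref.get("resource") == "pods"
            and ref.get("subresource") == "portforward")

def detect_port_forwards(lines):
    """Return one finding per port-forward session in JSON-lines audit input.
    A long-running request is audited at several stages under one auditID,
    so sessions are deduplicated on that ID; malformed lines are skipped."""
    findings, seen = [], set()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not is_port_forward(event) or event.get("auditID") in seen:
            continue
        seen.add(event.get("auditID"))
        ref = event["objectRef"]
        findings.append({"user": event.get("user", {}).get("username", "<unknown>"),
                         "namespace": ref.get("namespace", "<unknown>"),
                         "pod": ref.get("name", "<unknown>")})
    return findings
```

Running detect_port_forwards(SAMPLE_AUDIT_LINES) yields a single finding for alice on payments/myservice-7d9c4-x2k1q; the service object she looked up first never appears, which is exactly the correlation gap the description points out.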