Стадия жизненного цикла модуля: Experimental
У модуля есть требования для установки
ClusterSecurityEventConfig с Loki (явный список источников)
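# ClusterSecurityEventConfig with an explicit list of enabled sources.
# Only the one source named under enabledSources is shipped, and only to the
# destination(s) listed under destinations (here: cluster-loki).
apiVersion: security.deckhouse.io/v1alpha1
kind: ClusterSecurityEventConfig
metadata:
  name: default
spec:
  # Events below this severity are not shipped (threshold values: see the CRD schema).
  defaultSeverityThreshold: High
  enabledSources:
    # Source reference format as shown in this example: <shipperKind>/<shipperName>/<source>
    - clusterSecurityEventShipper/kube-audit/kube-apiserver
  destinations:
    # Name of a ClusterSecurityEventDestination object.
    - cluster-loki

# ClusterSecurityEventConfig с масками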
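# ClusterSecurityEventConfig selecting sources by mask instead of by exact name.
apiVersion: security.deckhouse.io/v1alpha1
kind: ClusterSecurityEventConfig
metadata:
  name: default
spec:
  defaultSeverityThreshold: High
  enabledSourcesMasks:
    # Masks are quoted: a bare "*" would be read as a YAML alias sigil, and quoting
    # keeps all entries in one style.
    - "clusterSecurityEventShipper/kube-audit/*"
    - "podSecurityEventShipper/*"
  destinations:
    - cluster-loki

# ClusterSecurityEventDestination (Loki)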
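# ClusterSecurityEventDestination of type Loki, referenced by name ("cluster-loki")
# from the ClusterSecurityEventConfig examples.
apiVersion: security.deckhouse.io/v1alpha1
kind: ClusterSecurityEventDestination
metadata:
  name: cluster-loki
spec:
  type: Loki
  loki:
    endpoint: https://loki.d8-monitoring:3100
    auth:
      strategy: Bearer
      # Placeholder token; quoted so an all-digit value is not retyped as a number.
      token: "EXAMPLE"
    # NOTE(review): nesting of tls under loki (rather than directly under spec) is
    # assumed from the flattened original — confirm against the CRD schema.
    tls:
      # Both verification flags are off, which presumably means the shipper accepts
      # any certificate the endpoint presents; keep them true and trust the issuing
      # CA for anything beyond a lab setup.
      verifyCertificate: false
      verifyHostname: false

# SecurityEventDefinition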
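# SecurityEventDefinition: declares the event code K8S_PRIV_ESC that shippers
# reference in their produces[].eventCode.
apiVersion: security.deckhouse.io/v1alpha1
kind: SecurityEventDefinition
metadata:
  name: k8s-privilege-escalation
spec:
  code: K8S_PRIV_ESC
  category: Rbac
  severity: High
  description: "Попытка создать привилегированный под или повысить права"
  # Source name this definition applies to (matches the shipper's spec[].source).
  source: kube-apiserver
  fields:
    - name: metadata.extra.privileges
      required: true

# PodSecurityEventShipper (KubernetesPods с inline parser)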
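# Namespaced PodSecurityEventShipper reading pod logs selected by label and
# parsing them with an inline Regex parser.
apiVersion: security.deckhouse.io/v1alpha1
kind: PodSecurityEventShipper
metadata:
  name: my-audit
  namespace: my-namespace
spec:
  # spec is a list of sources, as in the original example.
  - source: my-audit-app
    input:
      type: KubernetesPods
      kubernetesPods:
        labelSelector:
          matchLabels:
            app: audit
    parser:
      - name: app
        parser:
          type: Regex
          regex:
            patterns:
              # Single quotes keep the backslashes literal.
              - '^(?P<level>\w+)\s+(?P<msg>.+)$'
          # NOTE(review): fields placed as a sibling of type/regex, mirroring the
          # JSON parser examples on this page — confirm against the CRD schema.
          fields:
            - name: level
              type: String
    produces:
      - eventCode: K8S_PRIV_ESC
        extract:
          field: message
          operator: Regex
          values:
            - '.*'
        transform:
          - key: event.severity
            value: level

# ClusterSecurityEventShipper (File с parserRef)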
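# Cluster-scoped ClusterSecurityEventShipper reading the kube-apiserver audit
# log from a file and delegating parsing to a named rules object via parserRef.
apiVersion: security.deckhouse.io/v1alpha1
kind: ClusterSecurityEventShipper
metadata:
  name: kube-audit
spec:
  - source: kube-apiserver
    input:
      type: File
      files:
        - /var/log/kube-apiserver/audit.log
    # Refers to the ClusterSecurityEventLoggingTransformationRules named audit-json.
    parserRef: audit-json
    produces:
      - eventCode: K8S_AUDIT_FAIL

# С ClusterSecurityEventLoggingTransformationRules: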
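# ClusterSecurityEventLoggingTransformationRules "audit-json": the JSON parser
# referenced by parserRef in the kube-audit shipper above.
apiVersion: security.deckhouse.io/v1alpha1
kind: ClusterSecurityEventLoggingTransformationRules
metadata:
  name: audit-json
spec:
  type: File
  file:
    paths:
      - /var/log/kube-apiserver/audit.log
  transform:
    parser:
      type: JSON
      fields:
        - name: stage
          type: String
        - name: responseStatus
          type: Int
    # NOTE(review): drop_raw placed as a sibling of parser — confirm against the
    # CRD schema (the key is snake_case while the rest of the API is camelCase).
    drop_raw: true

# Несколько приёмников (Loki + Splunk)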
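# First of three documents: a Loki destination.
apiVersion: security.deckhouse.io/v1alpha1
kind: ClusterSecurityEventDestination
metadata:
  name: cluster-loki
spec:
  type: Loki
  loki:
    endpoint: https://loki.example:3100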
---
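# Second document: a Splunk HEC destination.
apiVersion: security.deckhouse.io/v1alpha1
kind: ClusterSecurityEventDestination
metadata:
  name: splunk-prod
spec:
  type: SplunkHEC
  splunkHec:
    endpoint: https://splunk.example:8088
    auth:
      # Placeholder; quoted so an all-digit token is not retyped as a number.
      token: "YOUR_TOKEN"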
---
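# Third document: a config enabling every source (mask "*") and fanning out to
# both destinations defined above.
apiVersion: security.deckhouse.io/v1alpha1
kind: ClusterSecurityEventConfig
metadata:
  name: default
spec:
  defaultSeverityThreshold: Medium
  enabledSourcesMasks:
    # Quoted: a bare * is a YAML alias sigil.
    - "*"
  destinations:
    - cluster-loki
    - splunk-prod

# SecurityEventLoggingTransformationRules (переиспользуемый парсер)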
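# Namespaced SecurityEventLoggingTransformationRules: a reusable JSON parser for
# the falco container of pods matching the selector.
apiVersion: security.deckhouse.io/v1alpha1
kind: SecurityEventLoggingTransformationRules
metadata:
  name: falco
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: runtime-audit-engine
  containers:
    - name: falco
      parser:
        type: JSON
        fields:
          - name: priority
            type: String
          - name: output
            type: String
      # NOTE(review): drop_raw placed at the container level, as a sibling of
      # parser — confirm against the CRD schema.
      drop_raw: true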