release announcement of Falco AKS audit plugin #1447
Conversation
Signed-off-by: Igor Eulalio <igor.eulalio@sysdig.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: IgorEulalio The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
IgorEulalio
changed the title
|
|
||
| ## Configuring Falco to use AKS audit logs plugin | ||
|
|
||
| In your falco.yaml file, you must add the plugin configuration and later enable the plugin |
There was a problem hiding this comment.
We should add instructions on how to install the plugin first.
This may be as simple as downloading the plugin into the destination folder or just using falcoctl to install the plugin.
| Before starting Falco, configure the following environment variables: | ||
| ```yaml | ||
| export BLOB_STORAGE_CONTAINER_NAME=${blob_storage_container_name} | ||
| export BLOB_STORAGE_CONNECTION_STRING=${blob_storage_connection_string} | ||
| export EVENTHUB_NAMESPACE_CONNECTION_STRING=${event_hub_namespace_connection_string} | ||
| export EVENTHUB_NAME=${event_hub_name} | ||
| ``` |
There was a problem hiding this comment.
We generally discourage users from using environment variables to configure the plugin. It would be preferable to pass these values via the YALM configuration above.
| - /etc/falco/falco_rules.local.yaml | ||
| - /etc/falco/falco_aks_audit.yaml | ||
|
|
||
| priority: debug |
|
|
||
| ```yaml | ||
| 10:52:03.348668000: Debug K8s Audit Event Detected: verb=create, user=aksService, groups=(system:masters,system:authenticated), target=<NA> | ||
| ``` |
There was a problem hiding this comment.
Can we append a Let's meet section (or something like that) at the bottom?
The goal is to invite users to join the community.
What type of PR is this?
Any specific area of the project related to this PR?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: