This program is a Go version of the following program: https://github.com/sysdiglabs/aks-audit-log. The purpose of aks-audit-log-go is to receive Kubernetes audit logs and forward them to the Falco runtime security tool, which (via its k8s-audit plugin) runs detections on Kubernetes API calls using runtime security rules.

There are four packages: main, httpclient, forwarder and eventhub.

- main: sets the configuration from environment variables and starts a server that maintains statistics.
- eventhub: receives the events from the event log and unmarshals each event so it can be sent in a POST request.
- forwarder: ensures that the POST request to the Falco pod (with the k8s-audit plugin) is properly sent.
- httpclient: sends the HTTP POST request to the Falco pod (with the k8s-audit plugin).
There is a `.envrc.example` file that contains the environment variables to be configured. You can save a copy as `.envrc` and then source it using `source .envrc` to load the environment variables into your shell session.

Note: `POSTMAXRETRIES`, `POSTRETRYINCREMENTALDELAY` and `LOGLEVEL` are optional variables. They default to 5 for `POSTMAXRETRIES`, 1000 for `POSTRETRYINCREMENTALDELAY` and "info" for `LOGLEVEL`.
The `LOGLEVEL` environment variable sets what is written to the log. The following log levels are allowed (from highest to lowest): `panic`, `fatal`, `error`, `warn`, `info`, `debug` and `trace`.
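The two retry variables above control how the forwarder re-sends a failed POST. The following is an added example, not code from aks-audit-log-go, showing how a forwarder can read `POSTMAXRETRIES` and `POSTRETRYINCREMENTALDELAY` with the documented defaults, reject values that would silently break retrying, and retry a POST with a growing delay. The linear growth of the delay (attempt × increment) and the helper names are assumptions; the README only names the variables.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// envInt returns def when name is unset and rejects negative or non-numeric values,
// so a typo in .envrc cannot silently disable retrying.
func envInt(getenv func(string) string, name string, def int) (int, error) {
	v := getenv(name)
	if v == "" {
		return def, nil
	}
	if n, err := strconv.Atoi(v); err == nil && n >= 0 {
		return n, nil
	}
	return 0, fmt.Errorf("%s must be a non-negative integer, got %q", name, v)
}

// retryConfig reads POSTMAXRETRIES (default 5) and POSTRETRYINCREMENTALDELAY
// (default 1000, in ms) through getenv; pass os.Getenv in production.
func retryConfig(getenv func(string) string) (maxRetries int, delay time.Duration, err error) {
	if maxRetries, err = envInt(getenv, "POSTMAXRETRIES", 5); err != nil {
		return 0, 0, err
	}
	ms, err := envInt(getenv, "POSTRETRYINCREMENTALDELAY", 1000)
	return maxRetries, time.Duration(ms) * time.Millisecond, err
}

// postWithRetry runs post (one POST of an audit event to Falco, returning its HTTP
// status) up to maxRetries+1 times. Transport errors and non-2xx replies are retried
// after sleeping attempt*delay (linear growth is an assumption). Returns attempts made.
func postWithRetry(maxRetries int, delay time.Duration, post func() (int, error), sleep func(time.Duration)) (int, error) {
	for attempt := 0; ; attempt++ {
		status, err := post()
		if err == nil && status >= 200 && status < 300 {
			return attempt + 1, nil
		}
		if err == nil {
			err = fmt.Errorf("falco returned HTTP %d", status)
		}
		if attempt >= maxRetries {
			return attempt + 1, fmt.Errorf("giving up after %d attempts: %w", attempt+1, err)
		}
		sleep(time.Duration(attempt+1) * delay)
	}
}
```

Injecting `post` and `sleep` as functions keeps the retry loop testable without a live Falco pod or real waits.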
Open a terminal and move to the directory for this application.

- Build the code:

```
CGO_ENABLED=0 GOOS=linux go build -ldflags="-s" -a -installsuffix cgo .
```

- Run the binary (after building you will have an executable binary file in the current directory):

```
./aks-audit-log-go
```