From 1a1b55ac97e10f3911d95a4ba2bc10c76d0b7906 Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 20 Feb 2018 09:10:50 -0800
Subject: [PATCH 1/2] Use kubernetes.default to reach k8s api server

Originally raised in #296, but since then we documented rbac and without-rbac methods, so mirroring the change here.
---
 .../k8s-with-rbac/falco-daemonset-configmap.yaml | 2 +-
 .../k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml b/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
index 4b979f05006..73bf3991176 100644
--- a/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
+++ b/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
@@ -19,7 +19,7 @@ spec:
 image: sysdig/falco:latest
 securityContext:
 privileged: true
- args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk"]
+ args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk"]
 volumeMounts:
 - mountPath: /host/var/run/docker.sock
 name: docker-socket
diff --git a/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml b/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
index 8e8d75e50c1..fbb97775aad 100644
--- a/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
+++ b/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
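Review bot: The new `-k` value `https://kubernetes.default` still relies on the pod resolver's search list (typically `svc.cluster.local` plus an ndots setting) to resolve, whereas the fully qualified `https://kubernetes.default.svc` resolves from any namespace without that dependency and is normally also among the SANs on the API server's serving certificate, so it is the more robust choice for the `args` line; the args line in the k8s-without-rbac hunk below has the same issue. Nothing on either args line references the CA bundle that is mounted next to the token passed with `-K`, so it is not visible from the manifest whether Falco verifies the API server certificate or skips verification. Since that decides whether the service-account bearer token could be presented to an endpoint that is not the real API server, a comment beside the args line stating how the server certificate is validated would help anyone copying this example.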
@@ -18,7 +18,7 @@ spec:
 image: sysdig/falco:latest
 securityContext:
 privileged: true
- args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o", "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
+ args: [ "/usr/bin/falco", "-K", "/var/run/secrets/kubernetes.io/serviceaccount/token", "-k", "https://kubernetes.default", "-pk", "-o", "json_output=true", "-o", "program_output.enabled=true", "-o", "program_output.program=jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/see_your_slack_team/apps_settings_for/a_webhook_url"]
 volumeMounts:
 - mountPath: /host/var/run/docker.sock
 name: docker-socket

From 1595081ae4ba15e19fc8ae243a339bc85159226c Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Tue, 20 Feb 2018 09:21:11 -0800
Subject: [PATCH 2/2] Mount docker socket/dev read-write

This matches the direct docker run commands, which also mount those resources read-write.
---
 .../k8s-with-rbac/falco-daemonset-configmap.yaml | 2 --
 .../k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml | 2 --
 2 files changed, 4 deletions(-)

diff --git a/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml b/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
index 73bf3991176..2787c5ec5f7 100644
--- a/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
+++ b/examples/k8s-using-daemonset/k8s-with-rbac/falco-daemonset-configmap.yaml
@@ -23,10 +23,8 @@ spec:
 volumeMounts:
 - mountPath: /host/var/run/docker.sock
 name: docker-socket
- readOnly: true
 - mountPath: /host/dev
 name: dev-fs
- readOnly: true
 - mountPath: /host/proc
 name: proc-fs
 readOnly: true
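Review bot: The `program_output.program` value on the new args line inlines the Slack webhook URL into the container's command line; in a real deployment that URL is a write credential for the channel, and anything placed in `args` is readable by every principal that can get the DaemonSet or pod spec. Even with the placeholder URL this is the line users will copy, so a comment such as `# the webhook URL is a secret — keep it in a Secret and reference it via an env var instead of inlining it in args` would steer them right. Worth noting too that the whole pipeline runs through a shell; the event text only reaches `jq` via stdin here, which is fine, but any later edit that interpolates event fields into the command string would change that.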
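Review bot: Removing `readOnly: true` from the `/host/var/run/docker.sock` and `/host/dev` mounts is justified in the commit message only by parity with the `docker run` commands, not by a concrete failure, and the two flags did different amounts of work: on the socket mount it mainly prevented the socket node from being replaced (connect() on a Unix socket is generally not blocked by a read-only mount, so Docker API use was never restricted by it), whereas on `/host/dev` it was what kept the container from writing to host device nodes. The container is `privileged: true`, so both flags were defense in depth rather than a hard boundary, but they cost nothing to keep. If the read-only mounts actually worked, keep them — at minimum on `/host/dev`; if something did fail, record it beside the mount, e.g. `# read-write required: <operation that fails with readOnly: true>`, so the widened access is not silently inherited by copies of this example. The k8s-without-rbac hunk below makes the identical change.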
diff --git a/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml b/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
index fbb97775aad..b70d9784985 100644
--- a/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
+++ b/examples/k8s-using-daemonset/k8s-without-rbac/falco-daemonset.yaml
@@ -22,10 +22,8 @@ spec:
 volumeMounts:
 - mountPath: /host/var/run/docker.sock
 name: docker-socket
- readOnly: true
 - mountPath: /host/dev
 name: dev-fs
- readOnly: true
 - mountPath: /host/proc
 name: proc-fs
 readOnly: true