Manually list FalcoEvents in the Render API.
Signed-off-by: Rokibul Hasan <[email protected]>
RokibulHasan7 committed Feb 9, 2024
1 parent 7f1e1ba commit 661b905
Showing 21 changed files with 19,544 additions and 49 deletions.
3 changes: 2 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -46,9 +46,10 @@ require (
kmodules.xyz/custom-resources v0.29.1
kmodules.xyz/go-containerregistry v0.0.12
kmodules.xyz/monitoring-agent-api v0.29.0
kmodules.xyz/resource-metadata v0.18.2-0.20240207094312-483c108adb08
kmodules.xyz/resource-metadata v0.18.2-0.20240209092240-01f2d51a9f27
kmodules.xyz/resource-metrics v0.29.0
kmodules.xyz/sets v0.29.0
kubeops.dev/falco-ui-server v0.0.3
kubeops.dev/scanner v0.0.17
kubepack.dev/lib-helm v0.29.3
sigs.k8s.io/cli-utils v0.34.0
9 changes: 6 additions & 3 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -1507,8 +1507,9 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLe
github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20220318212150-b2ab0324ddda h1:KdHPvlgeNEDs8rae032MqFG8LVwcSEivcCjNdVOXRmg=
github.com/google/pprof v0.0.0-20220318212150-b2ab0324ddda/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
github.com/google/pprof v0.0.0-20220608213341-c488b8fa1db3 h1:mpL/HvfIgIejhVwAfxBQkwEjlhP5o0O9RAeTAjpwzxc=
github.com/google/pprof v0.0.0-20220608213341-c488b8fa1db3/go.mod h1:gSuNB+gJaOiQKLEZ+q+PK9Mq3SOzhRcw2GsGS/FhYDk=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM=
github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
Expand Down Expand Up @@ -3477,12 +3478,14 @@ kmodules.xyz/monitoring-agent-api v0.29.0 h1:gpFl6OZrlMLb/ySMHdREI9EwGtnJ91oZBn9
kmodules.xyz/monitoring-agent-api v0.29.0/go.mod h1:iNbvaMTgVFOI5q2LJtGK91j4Dmjv4ZRiRdasGmWLKQI=
kmodules.xyz/offshoot-api v0.29.0 h1:GHLhxxT9jU1N8+FvOCCeJNyU5g0duYS46UGrs6AHNLY=
kmodules.xyz/offshoot-api v0.29.0/go.mod h1:5NxhBblXoDHWStx9HCDJR2KFTwYjEZ7i1Id3jelIunw=
kmodules.xyz/resource-metadata v0.18.2-0.20240207094312-483c108adb08 h1:AMiIDmXYnhj/hRb8GH80mltaRPYBgIYJTeiXvhuwYhU=
kmodules.xyz/resource-metadata v0.18.2-0.20240207094312-483c108adb08/go.mod h1:I9HeSgkshwzwUy0IDhp4yIfRFbFQJ21syeSf4NsB04o=
kmodules.xyz/resource-metadata v0.18.2-0.20240209092240-01f2d51a9f27 h1:MVAZE8rSaNNTDsnLCR/Pc3BCjeP92iNJFvl3gY3Gke4=
kmodules.xyz/resource-metadata v0.18.2-0.20240209092240-01f2d51a9f27/go.mod h1:I9HeSgkshwzwUy0IDhp4yIfRFbFQJ21syeSf4NsB04o=
kmodules.xyz/resource-metrics v0.29.0 h1:YBSVCbGdAugUqZK4igHu3fPhxvpYar4xejE6njryNM4=
kmodules.xyz/resource-metrics v0.29.0/go.mod h1:OuG/QobZ7o8GFHl/u3lqaUR0fDZDegxtV8Vdh+MNBD4=
kmodules.xyz/sets v0.29.0 h1:ZX/qOECzUob95JhhRtngJElHSlJ1UNNdwK4hTEy+nl0=
kmodules.xyz/sets v0.29.0/go.mod h1:1oi3fR9c3SWywEjBLlHC8BBMCSz0b1/W+EofKmBoj3g=
kubeops.dev/falco-ui-server v0.0.3 h1:QMSxPvbO/42o3gxzNNHg5Q6MdR0PNEHXo6c9T3ARCOA=
kubeops.dev/falco-ui-server v0.0.3/go.mod h1:yZJGDnwVkT3Fu7nzn2znsY8/37zn6bzATfze9F90+54=
kubeops.dev/scanner v0.0.17 h1:zaIggzl52gYDQAgtBJ+3hzGGkNJuVSwh0R4O7ZS3lSo=
kubeops.dev/scanner v0.0.17/go.mod h1:tNs3FF3jeJ0VoOx8beePIfs3VxThweyu11YK0yc6OhE=
kubepack.dev/lib-helm v0.29.3 h1:uVke42uI5ClhqRSD0kzgcsUXtXuSzuJ/wwpZ4tdclNw=
2 changes: 2 additions & 0 deletions pkg/apiserver/apiserver.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"os"
"time"

falco "kubeops.dev/falco-ui-server/apis/falco/v1alpha1"
scannerreports "kubeops.dev/scanner/apis/reports"
scannerreportsapi "kubeops.dev/scanner/apis/reports/v1alpha1"
scannerscheme "kubeops.dev/scanner/client/clientset/versioned/scheme"
Expand Down Expand Up @@ -131,6 +132,7 @@ func init() {
utilruntime.Must(openvizapi.AddToScheme(Scheme))
utilruntime.Must(fluxsrc.AddToScheme(Scheme))
utilruntime.Must(monitoringv1.AddToScheme(Scheme))
utilruntime.Must(falco.AddToScheme(Scheme))

// we need to add the options to empty v1
// TODO fix the server code to avoid this
104 changes: 101 additions & 3 deletions pkg/graph/renderer.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,15 @@ import (
"fmt"
"strings"

falco "kubeops.dev/falco-ui-server/apis/falco"
falcov1alpha1 "kubeops.dev/falco-ui-server/apis/falco/v1alpha1"
"kubeops.dev/ui-server/pkg/shared"

"github.com/pkg/errors"
openvizcs "go.openviz.dev/apimachinery/client/clientset/versioned"
"k8s.io/apimachinery/pkg/api/meta"
"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/util/sets"
kmapi "kmodules.xyz/client-go/api/v1"
Expand Down Expand Up @@ -284,9 +287,19 @@ func _renderPageBlock(kc client.Client, oc openvizcs.Interface, srcRID *kmapi.Re
}

if block.Query.Type == sharedapi.GraphQLQuery {
objs, err := ExecGraphQLQuery(kc, q, vars)
if err != nil {
return &out, err
var objs []unstructured.Unstructured

// handle FalcoEvent list call
if vars[sharedapi.GraphQueryVarTargetGroup] == falco.GroupName && vars[sharedapi.GraphQueryVarTargetKind] == falcov1alpha1.ResourceKindFalcoEvent {
objs, err = handleFalcoEventListCall(kc, block, srcID)
if err != nil {
return &out, err
}
} else {
objs, err = ExecGraphQLQuery(kc, q, vars)
if err != nil {
return &out, err
}
}

if convertToTable {
Expand Down Expand Up @@ -334,3 +347,88 @@ func _renderPageBlock(kc client.Client, oc openvizcs.Interface, srcRID *kmapi.Re
}
return &out, nil
}

func handleFalcoEventListCall(kc client.Client, block *rsapi.PageBlockLayout, srcID *kmapi.ObjectID) ([]unstructured.Unstructured, error) {
var objs []unstructured.Unstructured

if srcID.Kind == "Pod" {
selector := labels.SelectorFromSet(map[string]string{
"k8s.pod.name": srcID.Name,
"k8s.ns.name": srcID.Namespace,
})

var list unstructured.UnstructuredList
list.SetGroupVersionKind(falcov1alpha1.SchemeGroupVersion.WithKind(falcov1alpha1.ResourceKindFalcoEvent))

err := kc.List(context.TODO(), &list, &client.ListOptions{LabelSelector: selector})
if meta.IsNoMatchError(err) {
return nil, err
} else if err == nil {
objs = append(objs, list.Items...)
}
return objs, nil
}

// list connected pods with this src
pods, err := listPods(kc, block, srcID)
if err != nil {
return nil, err
}

for _, pod := range pods {
name, namespace, err := extractMetadata(pod)
if err != nil {
return nil, err
}

selector := labels.SelectorFromSet(map[string]string{
"k8s.pod.name": name,
"k8s.ns.name": namespace,
})

var list unstructured.UnstructuredList
list.SetGroupVersionKind(falcov1alpha1.SchemeGroupVersion.WithKind(falcov1alpha1.ResourceKindFalcoEvent))

err = kc.List(context.TODO(), &list, &client.ListOptions{LabelSelector: selector})
if meta.IsNoMatchError(err) {
return nil, err
} else if err == nil {
objs = append(objs, list.Items...)
}
}

return objs, nil
}

func listPods(kc client.Client, block *rsapi.PageBlockLayout, srcID *kmapi.ObjectID) ([]unstructured.Unstructured, error) {
block.Query.ByLabel = kmapi.EdgeLabelOffshoot
podQ, podVars, err := block.GraphQuery(srcID.OID())
if err != nil {
return nil, err
}

podVars[sharedapi.GraphQueryVarTargetGroup] = ""
podVars[sharedapi.GraphQueryVarTargetKind] = "Pod"
pods, err := ExecGraphQLQuery(kc, podQ, podVars)
if err != nil {
return nil, err
}

return pods, nil
}

func extractMetadata(pod unstructured.Unstructured) (string, string, error) {
metadata, ok := pod.Object["metadata"].(map[string]interface{})
if !ok {
return "", "", errors.New("metadata not found for pod")
}
name, ok := metadata["name"].(string)
if !ok {
return "", "", errors.New("name not found in pod metadata")
}
namespace, ok := metadata["namespace"].(string)
if !ok {
return "", "", errors.New("namespace not found in pod metadata")
}
return name, namespace, nil
}
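Review bot: In handleFalcoEventListCall both kc.List error checks (`if meta.IsNoMatchError(err) { return nil, err } else if err == nil { … }`) surface only the NoMatch case and silently drop every other List error, so a Forbidden, timeout or connection failure ends with a nil error and an empty or partial event list and an authorization problem is indistinguishable from "no events" in the rendered page; the usual shape is the reverse (NoMatch, i.e. the FalcoEvent CRD not being installed, yields an empty result, anything else is returned), and if NoMatch is meant to stay fatal keep `return nil, err` in that branch — the point is that the remaining errors must not be discarded. The per-pod list logic is duplicated between the Pod branch and the loop, and extractMetadata re-implements what unstructured.Unstructured already exposes through `pod.GetName()` and `pod.GetNamespace()`, so both fold into one helper as sketched below. Separately, listPods assigns `block.Query.ByLabel = kmapi.EdgeLabelOffshoot` on the layout pointer handed in from _renderPageBlock, which presumably persists after the call and may influence any later use of block.Query there (that function's body continues outside the hunk); copying the query into a local before changing ByLabel would avoid the side effect.
```go
// listFalcoEventsForPod returns the FalcoEvents labelled for one pod.
// A NoMatch error (FalcoEvent CRD not installed) yields an empty result;
// every other List error is returned to the caller.
func listFalcoEventsForPod(kc client.Client, name, namespace string) ([]unstructured.Unstructured, error) {
	selector := labels.SelectorFromSet(map[string]string{
		"k8s.pod.name": name,
		"k8s.ns.name":  namespace,
	})

	var list unstructured.UnstructuredList
	list.SetGroupVersionKind(falcov1alpha1.SchemeGroupVersion.WithKind(falcov1alpha1.ResourceKindFalcoEvent))

	err := kc.List(context.TODO(), &list, &client.ListOptions{LabelSelector: selector})
	if meta.IsNoMatchError(err) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	return list.Items, nil
}

func handleFalcoEventListCall(kc client.Client, block *rsapi.PageBlockLayout, srcID *kmapi.ObjectID) ([]unstructured.Unstructured, error) {
	if srcID.Kind == "Pod" {
		return listFalcoEventsForPod(kc, srcID.Name, srcID.Namespace)
	}

	// … unchanged: listPods call and its error check …

	var objs []unstructured.Unstructured
	for _, pod := range pods {
		events, err := listFalcoEventsForPod(kc, pod.GetName(), pod.GetNamespace())
		if err != nil {
			return nil, err
		}
		objs = append(objs, events...)
	}
	return objs, nil
}
```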
Original file line number Diff line number Diff line change
Expand Up @@ -7,14 +7,3 @@ spec:
blocks:
- kind: Custom
name: Policy Report
- actions:
create: Never
displayMode: List
kind: Connection
name: Pod Security Policies
query:
byLabel: policy
type: GraphQL
ref:
group: policy
kind: PodSecurityPolicy
Original file line number Diff line number Diff line change
Expand Up @@ -9,16 +9,6 @@ metadata:
k8s.io/version: v1
name: core-v1-namespaces
spec:
connections:
- labels:
- event
selector:
matchLabels:
k8s.ns.name: '{.metadata.name}'
target:
apiVersion: falco.appscode.com/v1alpha1
kind: FalcoEvent
type: MatchSelector
resource:
group: ""
kind: Namespace
Original file line number Diff line number Diff line change
Expand Up @@ -9,16 +9,6 @@ metadata:
k8s.io/version: v1
name: core-v1-nodes
spec:
connections:
- labels:
- event
selector:
matchLabels:
k8s.node.name: '{.metadata.name}'
target:
apiVersion: falco.appscode.com/v1alpha1
kind: FalcoEvent
type: MatchSelector
resource:
group: ""
kind: Node
Original file line number Diff line number Diff line change
Expand Up @@ -71,16 +71,6 @@ spec:
apiVersion: core.k8s.appscode.com/v1alpha1
kind: PodView
type: MatchName
- labels:
- event
selector:
matchLabels:
k8s.ns.name: '{.metadata.namespace}'
k8s.pod.name: '{.metadata.name}'
target:
apiVersion: falco.appscode.com/v1alpha1
kind: FalcoEvent
type: MatchSelector
resource:
group: ""
kind: Pod
