Push audit logs to loki-audits based on promtail-audit-logs label

utilitywarehouse · Jun 11, 2024 · d016bfa · d016bfa
1 parent bd17835
commit d016bfa
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 3 deletions.
diff --git a/falco/falco-exclude-logs.yaml → falco/falco-audit-logs.yaml b/falco/falco-exclude-logs.yaml → falco/falco-audit-logs.yaml
@@ -7,5 +7,4 @@ spec:
   template:
     metadata:
       annotations:
-        # Do not push logs until we have a Loki instance for audit purpose.
-        fluentbit.io/exclude: "true"
+        promtail-audit-logs: "true"
diff --git a/falco/kustomization.yaml b/falco/kustomization.yaml
@@ -8,8 +8,8 @@ resources:
   - upstream.yaml
 
 patches:
+  - path: falco-audit-logs.yaml
   - path: falco-driver-loader-privileged.yaml
-  - path: falco-exclude-logs.yaml
   - path: falco-rules-local.yaml
   - path: falcosidekick-exclude-logs.yaml
 

diff --git a/kyverno/policies/pods/audit-logs.yaml b/kyverno/policies/pods/audit-logs.yaml
@@ -0,0 +1,29 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: audit-logs-label
+  annotations:
+    policies.kyverno.io/title: Control Labelling for pushing to Loki-audits
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      We should be able to control which pods logs will be pushed to Loki-audits.
+      Since this is selected via a label we should restrict the pods that can use
+      it.
+spec:
+  validationFailureAction: Enforce
+  rules:
+    - name: default
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      validate:
+        message: >-
+          Labelling pods with promtail-audit-logs: "true" is not allowed.
+        deny:
+          conditions:
+            all:
+            - key: "{{ request.object.metadata.labels.promtail-audit-logs || '' }}"
+              operator: Equals
+              value: "true"
diff --git a/kyverno/policies/pods/kustomization.yaml b/kyverno/policies/pods/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - AppArmor.yaml
+  - audit-logs.yaml
   - capabilities.yaml
   - hostIPC.yaml
   - hostNetwork.yaml

diff --git a/promtail/promtail-config.yaml b/promtail/promtail-config.yaml
@@ -40,6 +40,17 @@ scrape_configs:
           selector: '{kubernetes_namespace=~"sys-ingress-.+"} |~ "kubernetes service not found|subset not found for|service port not found|Cannot create service: service not found|Skipping service: no endpoints found|middleware .+ does not exist"'
           action: drop
           drop_counter_reason: promtail_noisy_error
+      - match:
+          selector: '{promtail-audit-logs="true"}'
+          stages:
+            - client:
+                url: http://loki-audits.sys-log.svc.cluster.aws:3100/loki/api/v1/push
+                external_labels:
+                  cloud_provider: ${CLOUD_PROVIDER}
+                  uw_environment: ${UW_ENVIRONMENT}
+                  kubernetes_cluster: ${KUBERNETES_CLUSTER}
+                  cluster: ${KUBERNETES_CLUSTER}
+                  provider: ${CLOUD_PROVIDER}
       - limit:
           rate: 10
           burst: 10