Status: Open
Labels: kind/bug (Something isn't working)
Description
Hello all!
The k8saudit-eks Falco plugin crashes on EKS v1.34 when receiving large Kubernetes audit log events.
The upstream k8saudit plugin supports maxEventBytes configuration to safely limit payload parsing — but k8saudit-eks does not include this parameter.
As a result, large payloads trigger a slice bounds out of range panic inside the JSON parser (fastjson):
panic: runtime error: slice bounds out of range [1636226:1048376]
Component Versions:
AWS EKS - 1.34
Falco Helm Chart - 4.22.0
Falco appVersion - 0.41.0
Plugin - k8saudit-eks v0.16.0
Stack trace
Thu Nov 27 12:40:49 2025: [libs]: Trying to open the right engine!
panic: runtime error: slice bounds out of range [1636226:1048376]
goroutine 8 [running]:
github.com/valyala/fastjson.parseValue({0xc001394000, 0xfff38}, 0x9f7d3, 0xc00003fde8?, 0x7f08bb038a00?)
/go/pkg/mod/github.com/geraldcombs/[email protected]/parser.go:121 +0x1155
github.com/valyala/fastjson.parseObject({0xc001394000, 0xfff38}, 0x9f6fb, 0xc00003fde8, 0x3)
/go/pkg/mod/github.com/geraldcombs/[email protected]/parser.go:284 +0x692
github.com/valyala/fastjson.parseValue({0xc001394000, 0xfff38}, 0x9f6fb, 0xc00003fde8?, 0x7f08bb038a00?)
/go/pkg/mod/github.com/geraldcombs/[email protected]/parser.go:112 +0xfd7
github.com/valyala/fastjson.parseObject({0xc001394000, 0xfff38}, 0x9efc8, 0xc00003fde8, 0x2)
/go/pkg/mod/github.com/geraldcombs/[email protected]/parser.go:284 +0x692
github.com/valyala/fastjson.parseValue({0xc001394000, 0xfff38}, 0x9efc8, 0xc0001bdde8?, 0x7f08bb038a00?)
/go/pkg/mod/github.com/geraldcombs/[email protected]/parser.go:112 +0xfd7
github.com/valyala/fastjson.parseObject({0xc001394000, 0xfff38}, 0x0, 0xc00003fde8, 0x1)
/go/pkg/mod/github.com/geraldcombs/[email protected]/parser.go:284 +0x692
github.com/valyala/fastjson.parseValue({0xc001394000, 0xfff38}, 0x0, 0x2?, 0xc0004321c0?)
/go/pkg/mod/github.com/geraldcombs/[email protected]/parser.go:112 +0xfd7
github.com/valyala/fastjson.(*Parser).Parse(0xc0001bddd0, {0xc000f26000, 0xfff38})
/go/pkg/mod/github.com/geraldcombs/[email protected]/parser.go:36 +0x125
github.com/valyala/fastjson.(*Parser).ParseBytes(...)
/go/pkg/mod/github.com/geraldcombs/[email protected]/parser.go:53
github.com/valyala/fastjson.ParseBytes({0xc000f26000?, 0xc00066d701?, 0x2?})
/go/pkg/mod/github.com/geraldcombs/[email protected]/handy.go:157 +0x35
github.com/falcosecurity/plugins/plugins/k8saudit/pkg/k8saudit.(*Plugin).ParseAuditEventsPayload(0xc0004257a0, {0xc000f26000?, 0x0?, 0x0?})
/go/pkg/mod/github.com/falcosecurity/plugins/plugins/[email protected]/pkg/k8saudit/source.go:265 +0x26
github.com/falcosecurity/plugins/plugins/k8saudit-eks/pkg/k8sauditeks.(*Plugin).Open.func1()
/__w/plugins/plugins/plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go:161 +0x2c7
created by github.com/falcosecurity/plugins/plugins/k8saudit-eks/pkg/k8sauditeks.(*Plugin).Open in goroutine 17
/__w/plugins/plugins/plugins/k8saudit-eks/pkg/k8sauditeks/k8sauditeks.go:147 +0x2d1
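An added illustration, not code from the Falco plugins repository or from the reporter, of the kind of guard the issue asks for: drop payloads above a size limit before parsing, and turn a parser panic into an error. `SafeParse`, `parseFunc` and `ErrTooLarge` are hypothetical names, `encoding/json` stands in for fastjson, and the limit semantics borrowed from the `maxEventBytes` name are an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrTooLarge marks a payload dropped by the size guard (hypothetical name).
var ErrTooLarge = errors.New("audit payload exceeds size limit")

// parseFunc is a hypothetical seam standing in for the plugin's JSON parsing step.
type parseFunc func(payload []byte) (map[string]any, error)

// stdlibParse uses encoding/json in place of fastjson to stay dependency-free.
func stdlibParse(payload []byte) (map[string]any, error) {
	var ev map[string]any
	err := json.Unmarshal(payload, &ev)
	return ev, err
}

// SafeParse rejects payloads larger than maxEventBytes before parsing and turns
// a parser panic into an error, so one bad event cannot crash the process.
func SafeParse(payload []byte, maxEventBytes int, parse parseFunc) (ev map[string]any, err error) {
	if len(payload) > maxEventBytes {
		return nil, fmt.Errorf("%w: %d > %d bytes", ErrTooLarge, len(payload), maxEventBytes)
	}
	defer func() {
		if r := recover(); r != nil {
			ev, err = nil, fmt.Errorf("parser panic recovered: %v", r)
		}
	}()
	return parse(payload)
}

func main() {
	const limit = 1 << 20 // assumed 1 MiB limit
	small := []byte(`{"kind":"Event","verb":"create"}`) // constructed sample event
	ev, err := SafeParse(small, limit, stdlibParse)
	fmt.Println(ev["verb"], err)
	big := make([]byte, 1636226) // constructed; size taken from the panic message
	_, err = SafeParse(big, limit, stdlibParse)
	fmt.Println(err)

	// Constructed parser that slices out of range, like the failure class in the trace.
	buggy := func(p []byte) (map[string]any, error) { _ = p[len(p)+1:]; return nil, nil }
	_, err = SafeParse(small, limit, buggy)
	fmt.Println(err)
}
```

`recover` only catches a panic raised in the same goroutine, so a guard like this has to wrap the parse call inside the goroutine that the trace shows being created by `Open`.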