testing falco

Author: jegathintelops

.github/workflows/scsctl_test.yml

@@ -37,45 +37,25 @@ jobs:
         helm version
 
         # helm install falco -f custom-rules.yaml --set "falco.rules_file={/etc/falco/falco_rules.local.yaml,/etc/falco/rules.d}" --set falcoctl.artifact.install.enabled=false --set falcoctl.artifact.follow.enabled=false --set falco.json_output=true --set falco.file_output.enabled=true falcosecurity/falco
+    - name: Run falco in k3s
+      run: |
+        helm repo add falcosecurity https://falcosecurity.github.io/charts
+        helm install falco -f custom-rules.yaml --set "falco.rules_file={/etc/falco/falco_rules.local.yaml,/etc/falco/rules.d}" --set falcoctl.artifact.install.enabled=false --set falcoctl.artifact.follow.enabled=false --set falco.json_output=true --set falco.file_output.enabled=true falcosecurity/falco
+        sleep 30
     - name: Run pyroscope in k3s
       run: |
         helm repo add pyroscope-io https://pyroscope-io.github.io/helm-chart
         helm install pyroscope pyroscope-io/pyroscope
-
-        # export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=pyroscope,app.kubernetes.io/instance=pyroscope" -o jsonpath="{.items[0].metadata.name}")
-        # export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
-        
-        # sleep 30
-
-        # kubectl --namespace default port-forward $POD_NAME 8080:$CONTAINER_PORT
-
-        # kubectl get pods
-
-
-        # curl http://localhost:4040
+        sleep 30
     - name: List pods
       run: |
         kubectl get pods
-
-    # - name: Install a python cli tool from test pypi  and run it
-    #   run: |
-    #     python -m pip install --upgrade pip
-    #     python -m pip install --upgrade build
-    #     python -m pip install -i https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple scsctl
-    # - uses: debianmaster/actions-k3s@master
-    #   id: k3s
-    #   with:
-    #     version: 'latest'
-    # - run: |
-    #     kubectl get nodes
-    #     helm install falco -f ./custom-rules.yaml \  
-    # --set "falco.rules_file={/etc/falco/falco_rules.local.yaml,/etc/falco/rules.d}" \
-    # --set falcoctl.artifact.install.enabled=false \
-    # --set falcoctl.artifact.follow.enabled=false \
-    # --set falco.json_output=true \
-    # --set falco.file_output.enabled=true \
-    # falcosecurity/falco
-
-    # - name: run scsctl --help
-    #   run: |
-    #     scsctl scan --pyroscope_app_name pyroscope.server --docker_image_name pyroscope/pyroscope:latest --pyroscope_url http://localhost:4040 --non_interactive
+    - name: Install a python cli tool from test pypi  and run it
+      run: |
+        python -m pip install --upgrade pip
+        python -m pip install --upgrade build
+        python -m pip install -i https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple scsctl
+    - name: run scsctl --help
+      run: |
+        export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=pyroscope,app.kubernetes.io/instance=pyroscope" -o jsonpath="{.items[0].metadata.name}")
+        scsctl scan --pyroscope_app_name pyroscope.server --docker_image_name pyroscope/pyroscope:latest --pyroscope_url http://localhost:4040 --falco_pod_name $POD_NAME --falco_target_deployment_name pyroscope --falco_enabled --non_interactive 

custom-rules.yaml

@@ -9,6 +9,5 @@ customRules:
         - scsctl
     - macro: open_file_in_container
       condition: >
-        fd.name endswith ".py" and
-        k8s.deployment.name startswith "app" and
+        k8s.deployment.name startswith "pyroscope" and
         evt.type = "openat"