Description
Describe the bug
We are trying to implement Falco using the k8saudit-eks plugin and a Helm chart. We want to be able to capture older logs in case Falco goes down, but the since parameter doesn't work correctly. We found that this is due to a bug in the conversion of the configuration option here:

    time.Duration(p.Config.Shift),

We tried to use a large integer to compensate for this bug, but this doesn't work due to a different bug in the YAML parser of Helm (kubernetes-sigs/yaml#45).

    options := cloudwatchlogs.CreateOptions(
        time.Duration(p.Config.Shift), // This should also be multiplied by time.Second
        time.Duration(p.Config.PollingInterval*uint64(time.Second)),
        p.Config.BufferSize,
    )

How to reproduce it
Install Falco and the falco plugin using a helm chart with these values:

    falco:
      rules_files:
        - /etc/falco/k8s_audit_rules.yaml
        - /etc/falco/k8s_events_rules.yaml
        - /etc/falco/rules.d
      plugins:
        - name: k8saudit-eks
          library_path: libk8saudit-eks.so
          init_config:
            shift: 3600
            polling_interval: 60
            use_async: false
            buffer_size: 1000
          open_params: "ebstudio-experimental"
        - name: json
          library_path: libjson.so
          init_config: ""
      load_plugins: [k8saudit-eks, json]

Expected behaviour
The shift parameter should become 1 hour, and we should be able to collect older logs in case Falco went down.
Environment
- Falco version: The version deployed by the official helm chart.
- System info:
- Cloud provider or hardware configuration: Amazon EKS
- OS: Linux
- Installation method: Helm chart.
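
The unit mismatch reported above, as an added example that is not part of the original issue or the plugin's code: Go's time.Duration counts nanoseconds, so the unscaled cast turns shift: 3600 into 3.6µs of look-back instead of one hour. The Config struct, function names and timestamp are assumptions made for illustration; the overflow guard goes beyond what the issue asks for.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// Config is a hypothetical stand-in for the init_config fields quoted in
// the issue; both values are meant as seconds.
type Config struct {
	Shift           uint64
	PollingInterval uint64
}

// shiftAsWritten reproduces the cast quoted in the issue: the raw integer
// is interpreted as nanoseconds.
func shiftAsWritten(c Config) time.Duration {
	return time.Duration(c.Shift)
}

// secondsToDuration scales seconds to a time.Duration and rejects values
// that would overflow the int64 nanosecond count.
func secondsToDuration(s uint64) (time.Duration, error) {
	if s > uint64(math.MaxInt64)/uint64(time.Second) {
		return 0, errors.New("value in seconds overflows time.Duration")
	}
	return time.Duration(s) * time.Second, nil
}

// windowStart is the oldest event timestamp requested when reading starts at now.
func windowStart(now time.Time, shift time.Duration) time.Time {
	return now.Add(-shift)
}

func main() {
	cfg := Config{Shift: 3600, PollingInterval: 60}     // values from the issue
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed timestamp
	bad := shiftAsWritten(cfg)
	good, err := secondsToDuration(cfg.Shift)
	if err != nil {
		panic(err)
	}
	fmt.Println("as written:", bad, "starts at", windowStart(now, bad).Format(time.RFC3339Nano))
	fmt.Println("in seconds:", good, "starts at", windowStart(now, good).Format(time.RFC3339Nano))
}
```

With the unscaled cast, audit events written while Falco was down fall outside the requested window and are never evaluated against the rules.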