Falcosidekick: Unable to receive alerts on teams #1101

Open · afzaalmd opened this issue Jan 24, 2025 · 11 comments
Labels: kind/bug (Something isn't working)

Comments

@afzaalmd

Describe the bug

I have installed Falco and Falcosidekick in a Kubernetes namespace using Helm with the webhook config. The pods are running successfully, but I am unable to receive the alerts.

```shell
helm upgrade falco falcosecurity/falco --namespace falco \
  --set falcosidekick.enabled=true \
  --set falcosidekick.config.teams.webhookurl=https://webhookurl \
  --set falcosidekick.config.teams.activityimage="image url" \
  --set falcosidekick.config.teams.outputformat=all \
  --set falcosidekick.fullfqdn=true \
  --set falcosidekick.config.teams.minimumpriority=debug
```

[screenshot attached]

afzaalmd added the kind/bug (Something isn't working) label on Jan 24, 2025
@Issif (Member)

Issif commented Jan 27, 2025

Hi,

Have you tried disabling it with --set falcosidekick.fullfqdn=false?

Issif added this to the 2.x milestone on Jan 27, 2025
Issif self-assigned this on Jan 27, 2025
@afzaalmd (Author)

afzaalmd commented Jan 27, 2025

Hello Issif,

I just tried, but I am getting the same error message...
It is using the modernEbpf driver.
[screenshot attached]

@Issif (Member)

Issif commented Jan 27, 2025

Can you list the services you have in the falco namespace and check the value configured for the http output of falco in its configmap, please?

@afzaalmd (Author)

I checked it, and the value configured for http_output is enabled: true.

[screenshot attached]

@afzaalmd (Author)

afzaalmd commented Jan 27, 2025

Can this be related to issue falcosecurity/charts#793? But that one was applicable to the gVisor driver type.

@Issif (Member)

Issif commented Jan 27, 2025

> Can this be related to issue falcosecurity/charts#793? But that one was applicable to the gVisor driver type.

This one was related to gVisor, which creates another level of abstraction.

Can you check that the svc for falcosidekick is correctly created too?

Do you have any particular DNS and/or Network configuration in your cluster?

@afzaalmd (Author)

afzaalmd commented Jan 28, 2025

Hello Issif,

Here is the list of service in falco namespace:

[screenshot attached]

We also have ingress and egress network policies in each namespace which restrict connections to and from non-whitelisted sources; apart from the falco namespace, only core cluster namespaces are allowed.

@Issif (Member)

Issif commented Jan 28, 2025

It seems good to me; the issue is at the DNS level. If you create a pod with curl inside and try `curl -sI http://falco-falcosidekick.falco.svc.cluster.local:2801`, does it work?
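An added example covering the two checks discussed above (the service-name resolution test Issif asks for, and the restrictive network-policy setup afzaalmd describes) and the earlier fullfqdn question. This is not code from the falco chart, Falcosidekick, or either participant. It assumes that the chart renders falco's `http_output.url` as `http://<release>-falcosidekick[.<namespace>.svc.cluster.local]:<port>` depending on `falcosidekick.fullfqdn`, that the rendered `falco.yaml` sits in a ConfigMap named after the release, that the pods carry the `app.kubernetes.io/name` labels `falco` and `falcosidekick`, and that the `curlimages/curl` image provides `sh`, `curl` and `nslookup`; `/ping` is Falcosidekick's health endpoint.

```shell
#!/bin/sh
# Added example, not code from the falco chart, Falcosidekick or this issue's
# participants. Assumptions (also stated in the lead-in): the chart renders
# falco's http_output.url as http://<release>-falcosidekick[.<ns>.svc.cluster.local]:<port>
# depending on falcosidekick.fullfqdn; the rendered falco.yaml sits in a
# ConfigMap named after the release; pods carry app.kubernetes.io/name labels
# "falco" and "falcosidekick"; curlimages/curl provides sh, curl and nslookup.
set -eu

# Expected http_output.url for a release/namespace and fullfqdn setting.
sidekick_url() {
  release="$1"; ns="$2"; fullfqdn="$3"; port="${4:-2801}"
  host="${release}-falcosidekick"
  if [ "$fullfqdn" = "true" ]; then
    host="${host}.${ns}.svc.cluster.local"
  fi
  printf 'http://%s:%s\n' "$host" "$port"
}

# The URL falco is actually running with, read from the rendered falco.yaml
# (the ConfigMap value Issif asked about).
configured_url() {
  ns="$1"; release="$2"
  kubectl -n "$ns" get configmap "$release" -o jsonpath='{.data.falco\.yaml}' \
    | awk '/^http_output:/ {f=1} f && /url:/ {print $2; exit}'
}

# Issif's check: resolve the service name and hit Falcosidekick's /ping from a
# throwaway pod that sits under the same NetworkPolicies and admission rules as
# falco. nslookup failing means DNS; a hang or refused connection means policy/CNI.
check_sidekick() {
  ns="$1"; url="$2"
  host="$(printf '%s\n' "$url" | sed -E 's#^https?://([^:/]+).*#\1#')"
  kubectl -n "$ns" run sidekick-check --rm -i --restart=Never \
    --image=curlimages/curl:8.8.0 --command -- \
    sh -c "nslookup $host && curl -sS -o /dev/null -w '%{http_code}\n' $url/ping"
}

# Minimal egress allowances for a cluster with restrictive NetworkPolicies:
# falco -> falcosidekick:2801 (plus DNS), falcosidekick -> DNS and 443 (Teams).
sidekick_netpol() {
  ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: falco-to-falcosidekick
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: falco
  policyTypes: [Egress]
  egress:
  - to:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: falcosidekick
    ports:
    - port: 2801
      protocol: TCP
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: falcosidekick-egress
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: falcosidekick
  policyTypes: [Egress]
  egress:
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
  - ports:
    - port: 443
      protocol: TCP
EOF
}

# Stand-alone run: show the two URLs the chart can produce and the policies.
# The kubectl-based functions are for the operator to run against a cluster, e.g.
#   configured_url falco falco; check_sidekick falco "$(sidekick_url falco falco true)"
sidekick_url falco falco true
sidekick_url falco falco false
sidekick_netpol falco
```

Compare `configured_url` with `sidekick_url` for the fullfqdn value you deployed; a mismatch explains a silent drop just as well as DNS does. A `200` from `check_sidekick` confirms both resolution and the path to port 2801. The policies only add allowances; with a default-deny egress policy in place Falcosidekick still needs DNS and outbound 443 to reach the Teams webhook, and the 443 rule above is open to any destination, so narrow it with an `ipBlock` if your CNI lets you pin the webhook's address range.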

@afzaalmd (Author)

afzaalmd commented Jan 31, 2025

Hello Issif,

I tried to run `curl -sI http://falco-falcosidekick.falco.svc.cluster.local:2801` inside a pod, but curl was not supported because of an OPA policy. Anyway, I tried the same deployment steps in a higher tenant cluster and somehow the alerts are working now. Thanks for your support.
Hence I am closing this issue.

@afzaalmd (Author)

```text
Notice Setuid or setgid bit is set via chmod (fd= filename=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/10369/fs/home/falcosidekick mode=S_IXOTH|S_IROTH|S_IXGRP|S_IRGRP|S_IXUSR|S_IWUSR|S_IRUSR|S_ISGID evt_type=fchmodat user=root user_uid=0 user_loginuid=-1 process=containerd proc_exepath=/usr/bin/containerd parent=systemd command=containerd --config=/etc/containerd/config.toml terminal=0 container_id=host container_image= container_image_tag= container_name=host k8s_ns= k8s_pod_name=)
```
Regarding the file mentioned in the log (/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/10369/fs/home/falcosidekick): is it necessary for this file to have setuid/setgid permissions?

@Issif (Member)

Issif commented Jan 31, 2025

My proposal was to test with a Debian pod or similar, to check the DNS resolution.

For the setuid: Falcosidekick runs as a user other than root (uid/gid 1234/1234) for security reasons. See the Dockerfile:

```dockerfile
USER 1234
```
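An added triage helper for the alert quoted in the previous comment, not code from Falco, Falcosidekick or either participant. The alert's own fields already carry the answer a responder needs: the chmod was done by `/usr/bin/containerd` on the host (`container_id=host`), on an overlayfs snapshot path, not by the Falcosidekick process, which per Issif runs as uid/gid 1234. The script parses Falco's text-format `key=value` fields and separates that pattern from a setuid/setgid chmod issued from inside a container. The classification rule is a heuristic and an assumption: a chmod by the host's containerd binary on a `snapshots/<id>/fs` path is read as containerd re-applying the permission bits stored in the image layer during unpack. The sample line is the one posted above; the other two inputs in the usage are constructed variants of it.

```shell
#!/bin/sh
# Added triage helper for Falco "Setuid or setgid bit is set via chmod" alerts.
# Not code from Falco or this issue's participants. The sample alert is the
# line posted in the issue; the classification is a heuristic (assumption):
# a chmod performed by the host's containerd binary on an overlayfs snapshot
# path is the image's own permission bits being re-applied during layer unpack.
set -eu

# Extract one key=value field from a Falco text-format alert line.
# usage: field <key> <line>
field() {
  printf '%s\n' "$2" | grep -o "$1=[^ )]*" | head -n 1 | cut -d= -f2-
}

# Classify one alert line:
#   no-setuid-setgid   the mode carries neither S_ISUID nor S_ISGID
#   host-image-unpack  host containerd writing an overlayfs snapshot (image bits)
#   review             anything else, e.g. a chmod issued from inside a container
classify_chmod_alert() {
  line="$1"
  mode="$(field mode "$line")"
  cid="$(field container_id "$line")"
  exe="$(field proc_exepath "$line")"
  file="$(field filename "$line")"
  case "$mode" in
    *S_ISUID*|*S_ISGID*) ;;
    *) echo "no-setuid-setgid"; return 0 ;;
  esac
  if [ "$cid" = "host" ] && [ "$exe" = "/usr/bin/containerd" ] \
     && printf '%s\n' "$file" | grep -q '/io.containerd.snapshotter.v1.overlayfs/snapshots/'; then
    echo "host-image-unpack"
  else
    echo "review"
  fi
}

# Read alert lines on stdin; emit "<class>\t<filename>" per line.
triage_stdin() {
  while IFS= read -r l; do
    printf '%s\t%s\n' "$(classify_chmod_alert "$l")" "$(field filename "$l")"
  done
}

# The alert from the issue, embedded as sample input.
SAMPLE='Notice Setuid or setgid bit is set via chmod (fd= filename=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/10369/fs/home/falcosidekick mode=S_IXOTH|S_IROTH|S_IXGRP|S_IRGRP|S_IXUSR|S_IWUSR|S_IRUSR|S_ISGID evt_type=fchmodat user=root user_uid=0 user_loginuid=-1 process=containerd proc_exepath=/usr/bin/containerd parent=systemd command=containerd --config=/etc/containerd/config.toml terminal=0 container_id=host container_image= container_image_tag= container_name=host k8s_ns= k8s_pod_name=)'

# Constructed variants (not from the issue): the same chmod from inside a
# container, and the same event without the setgid bit.
IN_CONTAINER="$(printf '%s\n' "$SAMPLE" | sed 's/container_id=host/container_id=3f9c1a2b7d4e/')"
NO_BITS="$(printf '%s\n' "$SAMPLE" | sed 's/|S_ISGID//')"

printf '%s\n%s\n%s\n' "$SAMPLE" "$IN_CONTAINER" "$NO_BITS" | triage_stdin
```

Feed `falco` text output (or the `output` field of its JSON) through `triage_stdin`; `host-image-unpack` lines are the image pull the issue shows, `review` lines are the ones worth a look. Whether `/home/falcosidekick` needs the setgid bit at all is a question for the image build, not for the running pod, which is why the host-side chmod does not indicate Falcosidekick escalating privileges.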
