Views:

GKE audit logs are available through Cloud Pub/Sub. Use the k8saudit-gke Falco plugin.

Before you begin

  • Falco built with k8saudit-gke and json plugins.
  • GKE cluster with Pub/Sub access scope enabled.
  • Workload Identity enabled on the cluster.
Note
Note
GKE does not support modifying node group access scopes after creation. Create a new node group with Pub/Sub access if needed.

Procedure

  1. Create the GCP resources.
    # Variables
PROJECT_ID="${your gcp project id}"
TOPIC="${your pub/sub topic}" # example: trendmicro-container-security-audit-log-topic
SUBSCRIPTION="${your pub/sub subscription}" # example: trendmicro-container-security-audit-log-ns4rhmfdse
CLUSTER_NAME="${your gke cluster name}"
SINK_NAME="${your sink name}" # example: trendmicro-container-security-audit-log-sink
SERVICE_ACCOUNT="${your service account name}" # example: trendmicro-audit-sa

# Create Pub/Sub topic and subscription
gcloud pubsub topics create "$TOPIC" --project="$PROJECT_ID"
gcloud pubsub subscriptions create "$SUBSCRIPTION" --topic="$TOPIC" --project="$PROJECT_ID"

# Create service account
gcloud iam service-accounts create "$SERVICE_ACCOUNT" \
  --project="$PROJECT_ID" \
  --display-name="Trendmicro Container Security Audit Log Service Account"

# Grant permissions
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/pubsub.subscriber"

# Bind Workload Identity
gcloud iam service-accounts add-iam-policy-binding \
  "${SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --project="$PROJECT_ID" \
  --role="roles/iam.workloadIdentityUser" \
  --member="serviceAccount:${PROJECT_ID}.svc.id.goog[trendmicro-system/audit-log-collector-trendmicro-container-security]"

# Create log sink
gcloud logging sinks create "$SINK_NAME" \
  "pubsub.googleapis.com/projects/$PROJECT_ID/topics/$TOPIC" \
  --log-filter="resource.type=\"k8s_cluster\" AND protoPayload.@type=\"type.googleapis.com/google.cloud.audit.AuditLog\" AND resource.labels.cluster_name=\"$CLUSTER_NAME\"" \
  --project="$PROJECT_ID"

# Grant sink writer permissions
WRITER_IDENTITY=$(gcloud logging sinks describe "$SINK_NAME" --project="$PROJECT_ID" --format="value(writerIdentity)")
gcloud pubsub topics add-iam-policy-binding "$TOPIC" \
  --project="$PROJECT_ID" \
  --member="$WRITER_IDENTITY" \
  --role="roles/pubsub.publisher"
  2. Update overrides.yaml to enable audit log collection.
    visionOne:
    bootstrapToken: ...
    endpoint: ...
    exclusion:
        namespaces: [kube-system]
    ...
auditLogCollection:
    enabled: true
    provider: gke
    gke:
        gcpProjectId: "${gcp project id from step 1}"
        pubSubSubscription: "${pub sub subscription name from step 1}"
        serviceAccount: "${service account name from step 1}"
Comments (0)