change the GetPodName/Namespace method to use k8s_audit source

Signed-off-by: Thomas Labarussias <issif+github@gadz.org>

actionners/cilium/networkpolicy/networkpolicy.go

@@ -80,11 +80,11 @@ rules:
 actionner: cilium:networkpolicy
 parameters:
   allow_cidr:
-	- "192.168.1.0/24"
-	- "172.17.0.0/16"
+    - "192.168.1.0/24"
+    - "172.17.0.0/16"
   allow_namespaces:
-	- "green-ns"
-	- "blue-ns"
+    - "green-ns"
+    - "blue-ns"
 `
 )
 

actionners/gcp/function/function.go

@@ -30,16 +30,16 @@ const (
 	AllowOutput   bool   = false
 	RequireOutput bool   = false
 	Permissions   string = `{
-		"cloudfunctions.functions.get",
-		"cloudfunctions.functions.invoke"
+        "cloudfunctions.functions.get",
+        "cloudfunctions.functions.invoke"
 	}`
 	Example string = `- action: Invoke GCP Cloud Function
   actionner: gcp:function
   parameters:
     gcp_function_name: sample-function
     gcp_function_location: us-central1
     gcp_function_timeout: 10
-	`
+`
 )
 
 var (

actionners/kubernetes/annotation/annotation.go

@@ -23,7 +23,7 @@ const (
 	Name          string = "annotation"
 	Category      string = "kubernetes"
 	Description   string = "Add, modify or delete the annotations of the pod/node"
-	Source        string = "syscalls"
+	Source        string = "syscalls, k8s_audit"
 	Continue      bool   = true
 	UseContext    bool   = false
 	AllowOutput   bool   = false

actionners/kubernetes/cordon/cordon.go

@@ -19,7 +19,7 @@ const (
 	Name          string = "cordon"
 	Category      string = "kubernetes"
 	Description   string = "Cordon a node"
-	Source        string = "syscalls"
+	Source        string = "syscalls, k8s_audit"
 	Continue      bool   = true
 	UseContext    bool   = false
 	AllowOutput   bool   = false

actionners/kubernetes/delete/delete.go

@@ -19,7 +19,7 @@ const (
 	Name          string = "delete"
 	Category      string = "kubernetes"
 	Description   string = "Delete a resource"
-	Source        string = "k8saudit"
+	Source        string = "k8s_audit"
 	Continue      bool   = false
 	UseContext    bool   = false
 	AllowOutput   bool   = false

actionners/kubernetes/drain/drain.go

@@ -23,8 +23,8 @@ import (
 const (
 	Name          string = "drain"
 	Category      string = "kubernetes"
-	Description   string = "Drain a pod"
-	Source        string = "syscalls"
+	Description   string = "Drain a node"
+	Source        string = "syscalls, k8s_audit"
 	Continue      bool   = true
 	UseContext    bool   = false
 	AllowOutput   bool   = false

actionners/kubernetes/exec/exec.go

@@ -17,7 +17,7 @@ const (
 	Name          string = "exec"
 	Category      string = "kubernetes"
 	Description   string = "Exec a command in a pod"
-	Source        string = "syscalls"
+	Source        string = "syscalls, k8s_audit"
 	Continue      bool   = true
 	UseContext    bool   = true
 	AllowOutput   bool   = false

actionners/kubernetes/label/label.go

@@ -23,7 +23,7 @@ const (
 	Name          string = "label"
 	Category      string = "kubernetes"
 	Description   string = "Add, modify or delete the labels of the pod/node"
-	Source        string = "syscalls"
+	Source        string = "syscalls, k8s_audit"
 	Continue      bool   = true
 	UseContext    bool   = false
 	AllowOutput   bool   = false

actionners/kubernetes/log/log.go

@@ -20,7 +20,7 @@ const (
 	Name          string = "log"
 	Category      string = "kubernetes"
 	Description   string = "Get logs from a pod"
-	Source        string = "syscalls"
+	Source        string = "syscalls, k8s_audit"
 	Continue      bool   = true
 	UseContext    bool   = false
 	AllowOutput   bool   = true

actionners/kubernetes/script/script.go

@@ -18,7 +18,7 @@ const (
 	Name          string = "script"
 	Category      string = "kubernetes"
 	Description   string = "Run a script in a pod"
-	Source        string = "syscalls"
+	Source        string = "syscalls, k8s_audit"
 	Continue      bool   = true
 	UseContext    bool   = true
 	AllowOutput   bool   = false

actionners/kubernetes/sysdig/sysdig.go

@@ -20,7 +20,7 @@ const (
 	Name          string = "sysdig"
 	Category      string = "kubernetes"
 	Description   string = "Capture the syscalls packets in a pod"
-	Source        string = "syscalls, k8saudit"
+	Source        string = "syscalls, k8s_audit"
 	Continue      bool   = false
 	UseContext    bool   = false
 	AllowOutput   bool   = false
@@ -123,14 +123,6 @@ func (a Actionner) Parameters() models.Parameters {
 }
 
 func (a Actionner) Checks(event *events.Event, _ *rules.Action) error {
-	if event.Source == "k8s_audit" {
-		event.OutputFields["k8s.ns.name"] = event.OutputFields["ka.target.namespace"]
-		if event.OutputFields["ka.target.pod.name"] != "" {
-			event.OutputFields["k8s.pod.name"] = event.OutputFields["ka.target.pod.name"]
-		} else {
-			event.OutputFields["k8s.pod.name"] = event.OutputFields["ka.target.name"]
-		}
-	}
 	return k8sChecks.CheckPodExist(event)
 }
 

internal/events/events.go

@@ -58,13 +58,22 @@ func (event *Event) GetPodName() string {
 	if event.OutputFields["k8s.pod.name"] != nil {
 		return event.OutputFields["k8s.pod.name"].(string)
 	}
+	if event.OutputFields["ka.target.pod.name"] != nil {
+		return event.OutputFields["ka.target.pod.name"].(string)
+	}
+	if event.OutputFields["ka.target.name"] != nil {
+		return event.OutputFields["ka.target.name"].(string)
+	}
 	return ""
 }
 
 func (event *Event) GetNamespaceName() string {
 	if event.OutputFields["k8s.ns.name"] != nil {
 		return event.OutputFields["k8s.ns.name"].(string)
 	}
+	if event.OutputFields["ka.target.namespace"] != nil {
+		return event.OutputFields["ka.target.namespace"].(string)
+	}
 	return ""
 }