delete pod entegration

Author: developer-guy

go.mod

@@ -0,0 +1,8 @@
+module github.com/developer-guy/kubernetes-response-engine-based-on-event-driven-workflow
+
+go 1.16
+
+require (
+	k8s.io/apimachinery v0.21.0
+	k8s.io/client-go v0.21.0
+)

go.sum

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: falco-pod-delete
+  namespace: argo
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: falco-pod-delete-cluster-role
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "delete"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: falco-pod-delete-cluster-role-binding
+roleRef:
+  kind: ClusterRole
+  name: falco-pod-delete-cluster-role
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: falco-pod-delete
+    namespace: argo

hacks/delete-pod-rbac.yaml

@@ -11,4 +11,4 @@ customRules:
     - macro: user_known_contact_k8s_api_server_activities
       condition: >
         (container.image.repository = "gcr.io/tekton-releases/github.com/tektoncd/triggers/cmd/eventlistenersink") or
-        (container.image.repository = "quay.io/nissessenap/poddeleter") or (container.image.repository = "argoproj/sensor")
+        (container.image.repository = "devopps/kubernetes-response-engine-based-on-event-driven-workflow") or (container.image.repository = "argoproj/sensor")

kind-config.yaml renamed to hacks/kind-config.yaml

@@ -0,0 +1,110 @@
+package main
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"log"
+	"os"
+	"time"
+	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+)
+
+// Alert falco data structure
+type Alert struct {
+	Output       string    `json:"output"`
+	Priority     string    `json:"priority"`
+	Rule         string    `json:"rule"`
+	Time         time.Time `json:"time"`
+	OutputFields struct {
+		ContainerID              string      `json:"container.id"`
+		ContainerImageRepository interface{} `json:"container.image.repository"`
+		ContainerImageTag        interface{} `json:"container.image.tag"`
+		EvtTime                  int64       `json:"evt.time"`
+		FdName                   string      `json:"fd.name"`
+		K8SNsName                string      `json:"k8s.ns.name"`
+		K8SPodName               string      `json:"k8s.pod.name"`
+		ProcCmdline              string      `json:"proc.cmdline"`
+	} `json:"output_fields"`
+}
+
+func main() {
+	criticalNamespaces := map[string]bool{
+		"kube-system":     true,
+		"kube-public":     true,
+		"kube-node-lease": true,
+		"falco":           true,
+	}
+
+	var falcoEvent Alert
+
+	bodyReq := os.Getenv("BODY")
+    log.Println("Body", bodyReq)
+    var data map[string]interface{}
+    _ = json.Unmarshal([]byte(bodyReq), &data)
+    
+    bodyReqDecoded , _:= base64.StdEncoding.DecodeString(data["data"].(string))
+	if bodyReq == "" {
+		log.Fatalf("Need to get environment variable BODY")
+	}
+
+    log.Println("Decoded:", string(bodyReqDecoded))
+    
+    var body map[string]interface{}
+    _ = json.Unmarshal(bodyReqDecoded, &body)
+
+
+    bodyReqByte, _ := json.Marshal(body["body"])
+
+    err := json.Unmarshal(bodyReqByte, &falcoEvent)
+	if err != nil {
+		log.Fatalf("The data doesent match the struct %v", err)
+	}
+
+	kubeClient, err := setupKubeClient()
+	if err != nil {
+		log.Fatalf("Unable to create in-cluster config: %v", err)
+	}
+
+	err = deletePod(kubeClient, falcoEvent, criticalNamespaces)
+	if err != nil {
+		log.Fatalf("Unable to delete pod due to err %v", err)
+	}
+}
+
+// setupKubeClient
+func setupKubeClient() (*kubernetes.Clientset, error) {
+	config, err := rest.InClusterConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	// creates the clientset
+	kubeClient, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+	return kubeClient, nil
+}
+
+// deletePod, if not part of the criticalNamespaces the pod will be deleted
+func deletePod(kubeClient *kubernetes.Clientset, falcoEvent Alert, criticalNamespaces map[string]bool) error {
+	podName := falcoEvent.OutputFields.K8SPodName
+	namespace := falcoEvent.OutputFields.K8SNsName
+	log.Printf("PodName: %v & Namespace: %v", podName, namespace)
+
+	log.Printf("Rule: %v", falcoEvent.Rule)
+	if criticalNamespaces[namespace] {
+		log.Printf("The pod %v won't be deleted due to it's part of the critical ns list: %v ", podName, namespace)
+		return nil
+	}
+
+	log.Printf("Deleting pod %s from namespace %s", podName, namespace)
+	err := kubeClient.CoreV1().Pods(namespace).Delete(context.Background(), podName, metaV1.DeleteOptions{})
+	if err != nil {
+		return err
+	}
+	return nil
+}

values.yaml renamed to hacks/values.yaml

@@ -25,21 +25,23 @@ spec:
                 name: special-trigger
                 namespace: argo
               spec:
-                entrypoint: whalesay
+                serviceAccountName: falco-pod-delete
+                entrypoint: delete-pod
                 arguments:
                   parameters:
-                    - name: body
+                    - name: falco_event
                       # the value will get overridden by event payload from test-dep
                       value: "{}"
                 templates:
-                  - name: whalesay
+                  - name: delete-pod
                     inputs:
                       parameters:
-                        - name: body
+                        - name: falco_event
                     container:
-                      image: docker/whalesay:latest
-                      command: [cowsay]
-                      args: ["{{inputs.parameters.body}}"]
+                      image: devopps/kubernetes-response-engine-based-on-event-driven-workflow@sha256:22ee203a33fe88f0f99968daebdcea0ca52c8a3d6f7af4c823ed78ac15b7c5db
+                      env:
+                        - name: BODY
+                          value: "{{inputs.parameters.falco_event}}"
           parameters:
             - src:
                 dependencyName: test-dep