revamp the policy reporter output

Signed-off-by: Thomas Labarussias <issif_github@gadz.org>

.github/workflows/lint.yml

@@ -23,5 +23,5 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
         with:
-          version: v1.56
+          version: v1.57
           args: --timeout=5m

.golangci.yml

@@ -1,7 +1,8 @@
 run:
   deadline: 5m
-  skip-files:
-  - "zz_generated.*\\.go$"
+issues:
+  exclude-files:
+    - "zz_generated.*\\.go$"
 linters:
   disable-all: true
   enable:

Makefile

@@ -41,7 +41,7 @@ TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR)/bin)
 GO_INSTALL = ./hack/go_install.sh
 
 # Binaries.
-GOLANGCI_LINT_VER := v1.56.2
+GOLANGCI_LINT_VER := v1.57.2
 GOLANGCI_LINT_BIN := golangci-lint
 GOLANGCI_LINT := $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER)
 

config.go

@@ -370,6 +370,7 @@ func getConfig() *types.Configuration {
 	v.SetDefault("PolicyReport.Kubeconfig", "")
 	v.SetDefault("PolicyReport.MinimumPriority", "")
 	v.SetDefault("PolicyReport.MaxEvents", 1000)
+	v.SetDefault("PolicyReport.FalcoNamespace", "")
 	v.SetDefault("PolicyReport.PruneByPriority", false)
 
 	v.SetDefault("Rabbitmq.URL", "")

config_example.yaml

@@ -388,7 +388,7 @@ fission:
 policyreport:
   enabled: false # if true policyreport output is enabled
   kubeconfig: "~/.kube/config" # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
-  failthreshold: 4 # events with priority above this threshold are mapped to fail in PolicyReport Summary and lower that those are mapped to warn (default=4)
+  falconamespace: "" # Set the namespace where Falco is running (only if falcosidekick is running outside the cluster)
   maxevents: 1000 # the max number of events per report(default: 1000)
   prunebypriority: false # if true; the events with lowest severity are pruned first, in FIFO order (default: false)
 

docs/outputs/policy_report.md

@@ -15,12 +15,12 @@
 
 ## Configuration
 
-| Setting                        | Env var                        | Default value    | Description                                                                                                                         |
+|            Setting             |            Env var             |  Default value   |                                                             Description                                                             |
 | ------------------------------ | ------------------------------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
 | `policyreport.enabled`         | `POLICYREPORT_ENABLED`         |                  | If true; policyreport output is **enabled**                                                                                         |
 | `policyreport.kubeconfig`      | `POLICYREPORT_KUBECONFIG`      | `~/.kube/config` | Kubeconfig file to use (only if falcosidekick is running outside the cluster)                                                       |
+| `policyreport.falconamespace`  | `POLICYREPORT_FALCONAMESPACE`  |                  | Set the namespace where Falco is running (only if falcosidekick is running outside the cluster)                                     |
 | `policyreport.maxevents`       | `POLICYREPORT_MAXEVENTS`       | `1000`           | The max number of events that can be in a policyreport                                                                              |
-| `policyreport.prunebypriority` | `POLICYREPORT_PRUNEBYPRIORITY` | `false`          | If true; the events with lowest severity are pruned first, in FIFO order                                                            |
 | `policyreport.minimumpriority` | `POLICYREPORT_MINIMUMPRIORITY` | `""` (= `debug`) | Minimum priority of event for using this output, order is `emergency,alert,critical,error,warning,notice,informational,debug or ""` |
 
 > [!NOTE]
@@ -31,16 +31,19 @@ The Env var values override the settings from yaml file.
 ```yaml
 policyreport:
   enabled: false  # if true; policyreport output is enabled
-  kubeconfig: "~/.kube/config"  # Kubeconfig file to use (only if falcosidekick is running outside the cluster)
+  kubeconfig: "~/.kube/config"  # kubeconfig file to use (only if falcosidekick is running outside the cluster)
+  falconamespace: ""  # set the namespace where Falco is running (only if falcosidekick is running outside the cluster)
   maxevents: 1000 # the max number of events that can be in a policyreport (default: 1000)
-  prunebypriority: false # if true; the events with lowest severity are pruned first, in FIFO order (default: false)
   minimumpriority: "debug" # events with a priority above this are mapped to fail in PolicyReport Summary and lower that those are mapped to warn (default="")
 ```
 
 ## Additional info
 
 ### Installing Policy Report Custom Resource Definition (CRD)
 
+> [!WARNING]
+This output works only for the sources `syscalls` and `k8saudit`.
+
 > [!WARNING]
 Installation of the Policy Report Custom Resource Definition (CRD) is a prerequisite for using the Policy Report output.
 

handlers.go

@@ -18,7 +18,11 @@ import (
 	"github.com/google/uuid"
 )
 
-const testRule string = "Test rule"
+const (
+	testRule string = "Test rule"
+	syscalls string = "syscalls"
+	syscall  string = "syscall"
+)
 
 // mainHandler is Falco Sidekick main handler (default).
 func mainHandler(w http.ResponseWriter, r *http.Request) {
@@ -103,7 +107,7 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) {
 	}
 
 	if falcopayload.Source == "" {
-		falcopayload.Source = "syscalls"
+		falcopayload.Source = syscalls
 	}
 
 	falcopayload.UUID = uuid.New().String()
@@ -193,8 +197,6 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) {
 		}
 	}
 
-	fmt.Println(falcopayload.String())
-
 	if config.Debug {
 		log.Printf("[DEBUG] : Falco's payload : %v\n", falcopayload.String())
 	}
@@ -383,7 +385,9 @@ func forwardEvent(falcopayload types.FalcoPayload) {
 		go fissionClient.FissionCall(falcopayload)
 	}
 	if config.PolicyReport.Enabled && (falcopayload.Priority >= types.Priority(config.PolicyReport.MinimumPriority)) {
-		go policyReportClient.UpdateOrCreatePolicyReport(falcopayload)
+		if falcopayload.Source == syscalls || falcopayload.Source == syscall || falcopayload.Source == "k8saudit" {
+			go policyReportClient.UpdateOrCreatePolicyReport(falcopayload)
+		}
 	}
 
 	if config.Yandex.S3.Bucket != "" && (falcopayload.Priority >= types.Priority(config.Yandex.S3.MinimumPriority) || falcopayload.Rule == testRule) {
@@ -438,7 +442,7 @@ func forwardEvent(falcopayload types.FalcoPayload) {
 		go dynatraceClient.DynatracePost(falcopayload)
 	}
 
-	if config.OTLP.Traces.Endpoint != "" && (falcopayload.Priority >= types.Priority(config.OTLP.Traces.MinimumPriority)) && (falcopayload.Source == "syscall" || falcopayload.Source == "syscalls") {
+	if config.OTLP.Traces.Endpoint != "" && (falcopayload.Priority >= types.Priority(config.OTLP.Traces.MinimumPriority)) && (falcopayload.Source == syscall || falcopayload.Source == syscalls) {
 		go otlpClient.OTLPTracesPost(falcopayload)
 	}
 }