diff --git a/config.go b/config.go index c5f514cce..bc7f384e4 100644 --- a/config.go +++ b/config.go @@ -379,6 +379,20 @@ func getConfig() *types.Configuration { } } + if value, present := os.LookupEnv("TEMPLATEDFIELDS"); present { + templatedfields := strings.Split(value, ",") + for _, label := range templatedfields { + tagkeys := strings.Split(label, ":") + if len(tagkeys) == 2 { + if _, err := template.New("").Parse(tagkeys[1]); err != nil { + log.Printf("[ERROR] : Error parsing templated fields %v : %s", tagkeys[0], err) + } else { + c.Templatedfields[tagkeys[0]] = tagkeys[1] + } + } + } + } + if value, present := os.LookupEnv("WEBHOOK_CUSTOMHEADERS"); present { customheaders := strings.Split(value, ",") for _, label := range customheaders { diff --git a/config_example.yaml b/config_example.yaml index 07642fbe2..b0707efe9 100644 --- a/config_example.yaml +++ b/config_example.yaml @@ -5,6 +5,8 @@ customfields: # custom fields are added to falco events and metrics Akey: "AValue" Bkey: "BValue" Ckey: "CValue" +templatedfields: # templated fields are added to falco events and metrics, it uses Go template + output_fields values + Dkey: '{{ or (index . "k8s.ns.labels.foo") "bar" }}' mutualtlsfilespath: "/etc/certs" # folder which will used to store client.crt, client.key and ca.crt files for mutual tls (default: "/etc/certs") slack: diff --git a/handlers.go b/handlers.go index 2d88a565d..a25c16b62 100644 --- a/handlers.go +++ b/handlers.go @@ -8,6 +8,7 @@ import ( "log" "net/http" "strings" + "text/template" "time" "github.com/falcosecurity/falcosidekick/types" @@ -107,6 +108,24 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) { } } + if len(config.Templatedfields) > 0 { + if falcopayload.OutputFields == nil { + falcopayload.OutputFields = make(map[string]interface{}) + } + for key, value := range config.Templatedfields { + tmpl, err := template.New("").Parse(value) + if err != nil { + log.Printf("[ERROR] : Parsing error for templated field '%v': %v\n", key, err) + continue + } + v := new(bytes.Buffer) + if err := tmpl.Execute(v, falcopayload.OutputFields); err != nil { + log.Printf("[ERROR] : Parsing error for templated field '%v': %v\n", key, err) + } + falcopayload.OutputFields[key] = v.String() + } + } + nullClient.CountMetric("falco.accepted", 1, []string{"priority:" + falcopayload.Priority.String()}) stats.Falco.Add(strings.ToLower(falcopayload.Priority.String()), 1) promLabels := map[string]string{"rule": falcopayload.Rule, "priority": falcopayload.Priority.String(), "k8s_ns_name": kn, "k8s_pod_name": kp} @@ -132,7 +151,7 @@ func newFalcoPayload(payload io.Reader) (types.FalcoPayload, error) { if config.Debug { body, _ := json.Marshal(falcopayload) - log.Printf("[DEBUG] : Falco's payload : %v", string(body)) + log.Printf("[DEBUG] : Falco's payload : %v\n", string(body)) } return falcopayload, nil diff --git a/types/types.go b/types/types.go index 4bc54baa3..58d7bf0d1 100644 --- a/types/types.go +++ b/types/types.go @@ -33,6 +33,7 @@ type Configuration struct { ListenAddress string ListenPort int Customfields map[string]string + Templatedfields map[string]string Prometheus prometheusOutputConfig Slack SlackOutputConfig Cliq CliqOutputConfig