Thomas Labarussias
Here's my whole `values.yaml` I'm using for my demos:

```yaml
tty: true
kubernetes: false
customRules:
  override-k8saudit.yaml: |-
    - list: allowed_k8s_users
      append: true
      items: [eks:cloud-controller-manager, eks:vpc-resource-controller, eks:az-poller]
    - macro: live_endpoint
      append:...
```
Here's the minimal policy you need: https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit-eks#aws-iam-policy-permissions
Hi, I agree the documentation is not clear enough, I'll try to update the [README](https://github.com/falcosecurity/plugins/blob/master/plugins/k8saudit-eks/README.md) asap. You should not collect syscalls + eks audit logs with the same Falco pods,...
With EKS clusters yes. One daemonset to collect syscalls, and a 1 replica deployment for Falco + k8saudit-eks plugin to collect audit logs of EKS. My snippet shows how to...
If you use an Instance Profile or IRSA, in both cases, you need to attach the [IAM Policy](https://github.com/falcosecurity/plugins/blob/master/plugins/k8saudit-eks/README.md#aws-iam-policy-permissions) to a Role.
I agree, I just thought people who use EKS + Falco + k8saudit-eks are familiar enough with AWS Best Practices :sweat_smile: If you have time, you can also propose the...
Hi, do you use helm for your deployment? If you do, by just setting `--set falcosidekick.enabled=true --set falcosidekick.webui.enabled=true` with the Falco chart, everything will be configured for you.
I see, you can disable the PVC but all events will be kept in memory: `--set falcosidekick.webui.redis.storageEnabled=false`
What errors and logs do you have?