Enable Workload Identity Support for Falco k8saudit-aks Plugin

Open goutamtadi1 opened this issue 8 months ago • 4 comments

Motivation

Currently, the Falco k8saudit-aks plugin requires connection strings to authenticate with Azure resources, which introduces security risks and management overhead. This feature request proposes adding support for Azure Workload Identity, which provides a more secure, manageable, and cloud-native approach to authentication.

Feature

Enhance the Falco k8saudit-aks plugin to support Azure Workload Identity for authentication instead of relying solely on connection strings.

Alternatives

Additional context

This would require setting the following params instead of existing connection string attributes.

	EventHubNamespace      string `json:"event_hub_namespace" jsonschema:"title=event_hub_namespace,description=The name of the EventHub namespace to read from"`
	BlobStorageAccountName string `json:"blob_storage_account_name" jsonschema:"title=blob_storage_account_name,description=The name of the Blob Storage account to use as checkpoint store"`

goutamtadi1 May 21 '25 14:05

Hi,

I also need this functionality for environments that pay attention to security and identity management issues. It doesn't seem difficult to implement. Microsoft provides this functionality in its SDK. It's just a matter of changing the auth logic in your plugin.

Probably, instead of using the NewConsumerClientFromConnectionString() method, you should use NewConsumerClient(), and for its configuration, retrieve the appropriate environment variables.

I also think that this is a necessary change, and I am waiting for the implementation.

nmr Jun 06 '25 11:06
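
An added example, not part of the thread or the plugin's code: a standard-library-only Go pre-flight check for the switch discussed above from connection strings to workload identity. It validates the two proposed fields and the pod's workload identity environment before any client is built; the `ConnectionString` field, the `ResolveEndpoints` name, the mutual-exclusion policy, the sample names and the public-cloud DNS suffixes are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
)

// Config holds the two fields proposed in the issue. ConnectionString is a
// hypothetical stand-in for the plugin's existing connection-string settings.
type Config struct {
	EventHubNamespace      string `json:"event_hub_namespace"`
	BlobStorageAccountName string `json:"blob_storage_account_name"`
	ConnectionString       string `json:"connection_string"`
}

// Bare resource names only: no dot, slash or port that could point
// token-bearing requests at another host.
var (
	nsRe   = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9-]{4,48}[A-Za-z0-9]$`)
	acctRe = regexp.MustCompile(`^[a-z0-9]{3,24}$`)
)

// ResolveEndpoints returns the Event Hubs host and Blob URL to pass to
// token-credential client constructors, or an error if the setup is unsafe.
func ResolveEndpoints(c Config, getenv func(string) string) (string, string, error) {
	if c.ConnectionString != "" { // assumed policy: never mix both auth modes
		return "", "", errors.New("connection string set alongside workload identity fields")
	}
	if !nsRe.MatchString(c.EventHubNamespace) || !acctRe.MatchString(c.BlobStorageAccountName) {
		return "", "", errors.New("namespace or storage account is not a bare resource name")
	}
	// Variables the Azure Workload Identity webhook injects into the pod.
	for _, k := range []string{"AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE"} {
		if getenv(k) == "" {
			return "", "", fmt.Errorf("%s is not set", k)
		}
	}
	if _, err := os.Stat(getenv("AZURE_FEDERATED_TOKEN_FILE")); err != nil {
		return "", "", fmt.Errorf("federated token file: %w", err)
	}
	// Public-cloud DNS suffixes (assumption; sovereign clouds differ).
	return c.EventHubNamespace + ".servicebus.windows.net",
		"https://" + c.BlobStorageAccountName + ".blob.core.windows.net/", nil
}

func main() { // constructed sample names
	fmt.Println(ResolveEndpoints(Config{EventHubNamespace: "falco-audit", BlobStorageAccountName: "falcockpt"}, os.Getenv))
}
```

The returned host is the kind of value `NewConsumerClient()` takes as its namespace argument together with a token credential, in place of the secret a connection string embeds.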

I made a similar change to my fork here. I will probably create a proposal and share soon for the same.

goutamtadi1 Jun 10 '25 13:06

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana Sep 08 '25 16:09

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana Oct 08 '25 16:10

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana Nov 07 '25 16:11

@poiana: Closing this issue.

poiana Nov 07 '25 16:11