From 3c25fd26c9a83bc475269fd362ff5e0cb983b38c Mon Sep 17 00:00:00 2001 From: Quentin Bisson Date: Mon, 23 Sep 2024 08:08:40 +0200 Subject: [PATCH] Fix falco event alerts (#1369) --- CHANGELOG.md | 1 + .../shield/alerting-rules/falco.rules.yml | 16 ++++++++-------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65c427275..8f3be82ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed - Dashboard links in alertmanager and mimir rules +- Fix falco events alerts node label to hostname as node does not exist. ## [4.15.2] - 2024-09-17 diff --git a/helm/prometheus-rules/templates/platform/shield/alerting-rules/falco.rules.yml b/helm/prometheus-rules/templates/platform/shield/alerting-rules/falco.rules.yml index a3db1fbab..61cd126f2 100644 --- a/helm/prometheus-rules/templates/platform/shield/alerting-rules/falco.rules.yml +++ b/helm/prometheus-rules/templates/platform/shield/alerting-rules/falco.rules.yml @@ -16,8 +16,8 @@ spec: - alert: FalcoCriticalAlertFiring annotations: description: |- - {{`{{ if eq $labels.k8s_pod_name "" }}The Falco rule {{ $labels.rule }} was triggered on the node {{ $labels.node }}. - {{else}}Pod {{ $labels.k8s_ns_name }}/{{ $labels.k8s_pod_name }} triggered the Falco rule {{ $labels.rule }} on the node {{ $labels.node }}.{{ end }}`}} + {{`{{ if eq $labels.k8s_pod_name "" }}The Falco rule {{ $labels.rule }} was triggered on the node {{ $labels.hostname }}. + {{else}}Pod {{ $labels.k8s_ns_name }}/{{ $labels.k8s_pod_name }} triggered the Falco rule {{ $labels.rule }} on the node {{ $labels.hostname }}.{{ end }}`}} opsrecipe: falco-alert/ expr: increase(falco_events{priority=~"0|1|2|3"}[10m] ) > 0 labels: 
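Review bot: The fix swaps `$labels.node` for `$labels.hostname` in the description text only, and nothing in the hunk records where `hostname` comes from — Prometheus renders a missing label as an empty string without any error, which is exactly how the dead `node` reference went unnoticed, so the same silent blank would recur if the exporter or relabeling ever changes the label name. Record the expectation next to the expression, e.g. `# falco_events carries the node name in the hostname label (exporter/relabeling), not node; keep in sync with the exporter` and consider a promtool unit test that asserts the rendered description contains the node name. The `priority=~"0|1|2|3"` selector is also undocumented; if the exporter follows Falco's numbering, a comment such as `# Falco priorities 0-3: Emergency/Alert/Critical/Error` would help, and note that priority 7 (Debug) is matched by none of the alerts visible in this file, presumably by design. The alert's `labels:` mapping continues outside the hunk.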
@@ -32,8 +32,8 @@ spec: - alert: FalcoMediumAlertFiring annotations: description: |- - {{`{{ if eq $labels.k8s_pod_name "" }}The Falco rule {{ $labels.rule }} was triggered on the node {{ $labels.node }}. - {{else}}Pod {{ $labels.k8s_ns_name }}/{{ $labels.k8s_pod_name }} triggered the Falco rule {{ $labels.rule }} on the node {{ $labels.node }}.{{ end }}`}} + {{`{{ if eq $labels.k8s_pod_name "" }}The Falco rule {{ $labels.rule }} was triggered on the node {{ $labels.hostname }}. + {{else}}Pod {{ $labels.k8s_ns_name }}/{{ $labels.k8s_pod_name }} triggered the Falco rule {{ $labels.rule }} on the node {{ $labels.hostname }}.{{ end }}`}} opsrecipe: falco-alert/ expr: increase(falco_events{priority=~"4|5"}[10m] ) > 0 labels: @@ -47,8 +47,8 @@ spec: - alert: FalcoInformationalAlert annotations: description: |- - {{`{{ if eq $labels.k8s_pod_name "" }}The Falco rule {{ $labels.rule }} was triggered on the node {{ $labels.node }}. - {{else}}Pod {{ $labels.k8s_ns_name }}/{{ $labels.k8s_pod_name }} triggered the Falco rule {{ $labels.rule }} on the node {{ $labels.node }}.{{ end }}`}} + {{`{{ if eq $labels.k8s_pod_name "" }}The Falco rule {{ $labels.rule }} was triggered on the node {{ $labels.hostname }}. + {{else}}Pod {{ $labels.k8s_ns_name }}/{{ $labels.k8s_pod_name }} triggered the Falco rule {{ $labels.rule }} on the node {{ $labels.hostname }}.{{ end }}`}} opsrecipe: falco-alert/ expr: increase(falco_events{priority="6"}[10m] ) > 0 labels: 
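Review bot: The two-line description template is now repeated verbatim in four alerts, which is why a one-word label fix touches four hunks; the next label change needs the same four-place edit and is easy to miss in one of them. Since this file is already a Helm template, define the text once with `{{- define "falco.alertDescription" -}}` wrapping the escaped `{{`...`}}` block, and replace each copied body under `description: |-` with `{{ include "falco.alertDescription" . | indent N }}` (N matching the current body indentation, which is not recoverable from the collapsed hunk), leaving the rendered rule byte-identical. The alert's `labels:` mapping continues outside the hunk.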
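Review bot: `FalcoInformationalAlert` breaks the `Falco<Severity>AlertFiring` naming used by the two alerts above it, which makes alertname-based routing and silencing patterns such as `Falco.*AlertFiring` miss it. Renaming it to `FalcoInformationalAlertFiring` is a one-line change, but any existing Alertmanager silences or routes keyed on the old alertname would need updating at the same time, so if the name is kept a comment like `# name kept for compatibility with existing routes/silences` would explain the exception. The alert's `labels:` mapping continues outside the hunk.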
@@ -62,8 +62,8 @@ spec: - alert: FalcoXZBackdoorAlert annotations: description: |- - {{`{{ if eq $labels.k8s_pod_name "" }}The Falco rule {{ $labels.rule }} was triggered on the node {{ $labels.node }}. - {{else}}Pod {{ $labels.k8s_ns_name }}/{{ $labels.k8s_pod_name }} triggered the Falco rule {{ $labels.rule }} on the node {{ $labels.node }}.{{ end }}`}} + {{`{{ if eq $labels.k8s_pod_name "" }}The Falco rule {{ $labels.rule }} was triggered on the node {{ $labels.hostname }}. + {{else}}Pod {{ $labels.k8s_ns_name }}/{{ $labels.k8s_pod_name }} triggered the Falco rule {{ $labels.rule }} on the node {{ $labels.hostname }}.{{ end }}`}} opsrecipe: falco-alert/ expr: falco_events{rule="Backdoored library loaded into SSHD (CVE-2024-3094)"} > 0 labels:
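Review bot: `FalcoXZBackdoorAlert` compares the raw `falco_events` counter with `> 0` instead of `increase(...)[10m]` like the other three alerts, so it presumably keeps firing until the counter resets, and it selects the rule by its exact upstream name, so a ruleset update that renames the rule silently disables the alert with no error. Both are likely deliberate for a backdoor detection but deserve a comment, e.g. `# Intentionally not windowed: stays firing until the counter resets so the event cannot be missed` and `# Exact upstream Falco rule name; a rename in the ruleset silently disables this alert — consider rule=~".*CVE-2024-3094.*"`. The description's pod branch is shared boilerplate; whether a pod-scoped hit is possible for this sshd rule depends on the Falco ruleset, which is not visible here. The alert's `labels:` mapping continues outside the hunk.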