Closed
Description
Describe the bug
It appears that the default docker image falcosecurity/falco-no-driver has issues with ca-certificates.
Wed Aug 10 15:09:39 2022: Configured rules filenames:
Wed Aug 10 15:09:39 2022: /etc/falco/aws_cloudtrail_rules.yaml
Wed Aug 10 15:09:39 2022: Loading rules from file /etc/falco/aws_cloudtrail_rules.yaml:
Wed Aug 10 15:09:39 2022: Watching /etc/falco/falco.yaml
Wed Aug 10 15:09:39 2022: Watching /etc/falco/aws_cloudtrail_rules.yaml.
Wed Aug 10 15:09:39 2022: Starting internal webserver, listening on port 8765
Wed Aug 10 15:09:39 2022: [libs]: starting live capture
Error: cloudtrail plugin error: failed to list objects: WebIdentityErr: failed to retrieve credentials
caused by: RequestError: send request failed
caused by: Post "https://sts.amazonaws.com/": x509: certificate signed by unknown authority
How to reproduce it
- Ensure that IRSA is enabled, i.e. using AWS_WEB_IDENTITY_TOKEN_FILE (this causes the aws sdk to make a call to https://sts.amazonaws.com)
- Enable Cloudtrail plugin in values file and set an s3:// path in open_params
Expected behaviour
IRSA - assume role should work as expected.
Screenshots
Environment
- Falco version: 0.32.1
- System info:
{
"machine": "x86_64",
"nodename": "falco-cloudtrail-osi83074-97479f49-7krwt",
"release": "5.4.181-99.354.amzn2.x86_64",
"sysname": "Linux",
"version": "#1 SMP Wed Mar 2 18:50:46 UTC 2022"
}
- Cloud provider or hardware configuration: AWS
- OS: amazonlinux2
- Kernel:
- Installation method:
Additional context
The falcosecurity/falco image works as expected.
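The x509 error in the log comes from the Go TLS stack inside the AWS SDK: with no CA bundle in the image, the system root pool is empty and the STS handshake cannot be verified. The following added example (not Falco or plugin code) reproduces that failure mode against a local httptest server standing in for sts.amazonaws.com; the server name, the handler body and the helper names are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSTSStandIn starts a local HTTPS server that plays the role of
// https://sts.amazonaws.com (constructed for this example; httptest
// issues its own self-signed certificate).
func newSTSStandIn() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("<AssumeRoleWithWebIdentityResponse/>"))
	}))
}

// postWithRoots sends the kind of POST the SDK issues for
// AssumeRoleWithWebIdentity, trusting only the given root pool.
// An empty (non-nil) pool mirrors an image with no CA bundle installed;
// note that a nil pool would silently fall back to the system roots.
func postWithRoots(url string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Transport: tr}).Post(url, "application/x-www-form-urlencoded", nil)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err carries the same x509 failure
// shown in the issue log ("certificate signed by unknown authority").
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	srv := newSTSStandIn()
	defer srv.Close()
	// Empty trust store: the same failure as the falco-no-driver image.
	fmt.Println("empty roots:", postWithRoots(srv.URL, x509.NewCertPool()))
	// Trust store that contains the issuing certificate: the call succeeds.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	fmt.Println("with roots:", postWithRoots(srv.URL, pool))
}
```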