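---
# Falco Talon response rules.
#
# Layout: the leading "action:" items are reusable action definitions; the
# "rule:" items bind a Falco rule name (plus optional output_fields filters) to
# one or more actions, either by referencing a definition above or by declaring
# the actionner inline. A rule may also override a referenced action's
# parameters (the "Calico netpol" rule below does this).
#
# Several actions here are destructive (terminate, drain, delete) or copy data
# out of pods (download, tcpdump, sysdig, log). Review the output_fields scope
# of each rule before enabling it outside a test cluster.

- action: Terminate Pod
  actionner: kubernetes:terminate
  parameters:
    grace_period_seconds: 5
    ignore_standalone_pods: true

- action: Disable outbound connections
  actionner: kubernetes:networkpolicy
  parameters:
    # NOTE(review): the "Calico netpol" rule overrides this action with
    # allow_cidr/allow_namespaces rather than "allow". Whichever key the
    # actionner does not recognise is silently ignored — confirm the expected
    # key for the Talon version in use and use a single spelling.
    allow:
      - "192.168.1.0/24"
      - "172.17.0.0/16"

- action: Create cilium network policy
  actionner: cilium:networkpolicy
  parameters:
    allow_cidr:
      - "192.168.1.0/24"
      - "172.17.0.0/16"

- action: Label Pod as Suspicious
  description: "Add the label suspicious=true"
  actionner: kubernetes:label
  parameters:
    labels:
      suspicious: "true"  # quoted on purpose: label values must be strings

- action: Invoke Lambda function
  actionner: aws:lambda
  additional_contexts:
    - aws
  parameters:
    aws_lambda_name: sample-function
    aws_lambda_alias_or_version: "$LATEST"  # quoted defensively; value unchanged
    aws_lambda_invocation_type: RequestResponse

- action: Invoke GCP function
  actionner: gcp:function
  additional_contexts:
    # NOTE(review): an "aws" context on a GCP actionner looks copy-pasted from
    # the Lambda action above — confirm which context gcp:function needs.
    - aws
  parameters:
    gcp_function_name: simple-http-function
    gcp_function_location: us-central1

- rule: Suspicious outbound connection
  # Description updated to match the action actually taken (a Cilium policy,
  # not a label).
  description: "Create a cilium network policy for pods with suspicious outbound connections if not in the kube-system"
  match:
    rules:
      - Unexpected outbound connection destination
    output_fields:
      - k8s.ns.name!=kube-system
  actions:
    - action: Create cilium network policy

- rule: Terminal shell in container
  # Terminates the pod. Only kube-system and falco are excluded, so a shell
  # opened in any other workload kills that pod; narrow output_fields before
  # using this outside a test cluster.
  # ">-" (strip) replaces ">" so the description no longer carries a trailing
  # newline into notifications; wording updated to match the action taken.
  description: >-
    Terminate the pod outside kube-system and falco namespaces if a shell is started inside
  match:
    rules:
      - Terminal shell in container
    output_fields:
      # Both conditions in one entry: presumably both must hold (AND) — confirm
      # against the output_fields semantics of the Talon version in use.
      - k8s.ns.name!=kube-system, k8s.ns.name!=falco
  actions:
    - action: Terminate Pod

# - rule: Test invoke lambda
#   match:
#     rules:
#       - Test invoke lambda
#   actions:
#     - action: Invoke Lambda function
# - rule: Test invoke GCP function
#   match:
#     rules:
#       - Test invoke GCP function
#   actions:
#     - action: Invoke GCP function

- rule: Delete unknown namespace
  match:
    rules:
      - K8s Namespace Created
    output_fields:
      # NOTE(review): this rule filters on ka.target.namespace while the
      # "Delete namespace" rule below filters on ka.target.name for the same
      # intent — confirm which field carries the namespace name for a
      # namespace-creation audit event.
      - ka.target.namespace=todelete
  actions:
    - action: Delete the namespace
      actionner: kubernetes:delete

- rule: Calico netpol
  match:
    rules:
      - Unexpected outbound connection destination
    output_fields:
      - k8s.ns.name!=kube-system
  actions:
    # Parameter override of the top-level "Disable outbound connections"
    # action (see the note on that definition about the allow/allow_cidr key).
    - action: Disable outbound connections
      parameters:
        allow_cidr:
          - "192.168.1.0/24"
          - "172.17.0.0/16"
        allow_namespaces:
          - "green-ns"
          - "blue-ns"
    - action: Create Calico netpol
      actionner: calico:networkpolicy
      parameters:
        order: 20
        allow_cidr:
          - "192.168.2.0/24"
        allow_namespaces:
          - "green-ns"

- rule: Test node drain
  match:
    rules:
      - Test node drain
  actions:
    - action: Cordon node
      actionner: kubernetes:cordon
    - action: Drain node
      actionner: kubernetes:drain
      parameters:
        # Blast radius is the whole node, not the offending pod. force/ignore_*
        # presumably follow kubectl-drain semantics (evict unmanaged pods,
        # skip daemonsets/statefulset checks) — confirm before enabling.
        force: true
        ignore_daemonsets: true
        ignore_statefulsets: true
        max_wait_period: 90

- rule: Delete namespace
  match:
    rules:
      - Test delete namespace
    output_fields:
      - ka.target.name=todelete
  actions:
    - action: Delete the resource
      actionner: kubernetes:delete

- rule: Test exec
  match:
    rules:
      - Test exec
    output_fields:
      - k8s.ns.name!=kube-system
  actions:
    - action: Test exec
      actionner: kubernetes:exec
      additional_contexts:
        - k8snode
      parameters:
        # ${NODE_HOSTNAME} comes from the k8snode context, not from the event.
        # Keep event-derived fields out of exec command lines: they are
        # influenced by whatever process triggered the rule.
        command: echo "${NODE_HOSTNAME}"

- rule: Test download
  match:
    rules:
      - Test download
  actions:
    - action: Test exec
      actionner: kubernetes:exec
      additional_contexts:
        - k8snode
      parameters:
        shell: /bin/sh
        command: uname -a
    - action: Test log
      actionner: kubernetes:log
      output:
        target: aws:s3
        parameters:
          bucket: falcosidekick-tests
          # NOTE(review): no leading slash and no region here, unlike the other
          # aws:s3 outputs in this file ("/logs/", us-east-1) — confirm intended.
          prefix: logs/
    - action: Test download
      actionner: kubernetes:download
      parameters:
        # ${FD_NAME} is the file path from the triggering event, i.e. chosen by
        # the process that fired the rule. Scope "Test download" tightly so
        # only intended files are copied out of the pod into the bucket.
        file: "${FD_NAME}"
      output:
        target: minio:s3
        parameters:
          bucket: falco-talon
          prefix: /files/

- rule: Test tcpdump
  match:
    rules:
      - Test tcpdump
  actions:
    - action: Test tcpdump
      actionner: kubernetes:tcpdump
      parameters:
        snaplen: 512
        duration: 5
      # Packet captures can contain credentials and payload data from the
      # workload; restrict read access to this bucket accordingly.
      output:
        target: aws:s3
        parameters:
          bucket: falcosidekick-tests
          prefix: /tcpdump/
          region: us-east-1

- rule: Test sysdig
  match:
    rules:
      - Test sysdig
  actions:
    - action: Test sysdig
      actionner: kubernetes:sysdig
      parameters:
        duration: 5
        scope: pod
        buffer_size: 4096
      # Written to the local filesystem of the Talon pod/node, not to object
      # storage — it is lost with that pod unless collected elsewhere.
      output:
        target: local:file
        parameters:
          destination: /tmp/

- rule: Test log
  match:
    rules:
      - Test log
  actions:
    - action: Test log
      actionner: kubernetes:log
      parameters:
        tail_lines: 1
      output:
        target: aws:s3
        parameters:
          bucket: falcosidekick-tests
          prefix: /logs/
          region: us-east-1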