k8s_api_server macro not working in falco 0.43.0(fd.sip.name issue) #3834

@skleeolive

Description

Describe the bug

The Unexpected connection to K8s API Server from container rule is not working on Falco 0.43.0 (amd64 version).
If I downgrade to Falco version 0.40.0, it works.

It seems that the k8s_api_server macro is not working properly in 0.43.0:

- macro: k8s_api_server
  condition: (fd.sip.name="kubernetes.default.svc.cluster.local")

If I override the k8s_api_server macro as follows, using the IP from the EndpointSlice of the kubernetes service, it works.

    - macro: k8s_api_server
      condition: >
        (fd.sip.name="kubernetes.default.svc.cluster.local" or
         fd.sip="10.0.1.254")
      override:
        condition: replace

My configuration of the kubernetes service and its matching endpoints is as follows.

% kubectl get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   198.19.128.1   <none>        443/TCP   75d
% kubectl get endpointslices
NAME         ADDRESSTYPE   PORTS   ENDPOINTS    AGE
kubernetes   IPv4          443     10.0.1.254   75d

How to reproduce it

On a Kubernetes cluster where Falco 0.43.0 is installed:

  1. Create the falco-test namespace and apply the following manifests:
# ServiceAccount the test pod runs as; the ClusterRoleBinding below grants it the
# built-in "view" ClusterRole so that `kubectl get pods` is authorized.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: falco-test-sa
  namespace: falco-test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: falco-test-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: falco-test-sa
    namespace: falco-test
---
# Test workload: a container that only sleeps so kubectl can be exec'd into it.
# It must live in falco-test and use falco-test-sa: the exec command in step 2
# targets deploy/kubectl-test in falco-test, and no other ServiceAccount is defined.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubectl-test
  namespace: falco-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kubectl-test
  template:
    metadata:
      labels:
        app: kubectl-test
    spec:
      serviceAccountName: falco-test-sa
      containers:
      - name: kubectl
        image: bitnami/kubectl:latest
        command:
        - sleep
        - infinity
  2. Run kubectl get pods inside the pod to trigger a K8s API call:
% kubectl exec -n falco-test -it deploy/kubectl-test -- kubectl get pods
NAME                            READY   STATUS    RESTARTS   AGE
falco-test                      1/1     Running   0          43h
kubectl-test-6f9465c4b7-xl5qk   1/1     Running   0          2m25s
  3. Check the Falco logs to see whether a K8s API event was triggered.
     In 0.43.0 no event is triggered.

In 0.40.0 the following event is triggered:

{"hostname":"<redacted>","output":"02:11:58.895603805: Notice Unexpected connection to K8s API Server from container (connection=198.18.3.61:35432->10.0.1.254:443 lport=35432 rport=443 fd_type=ipv4 fd_proto=tcp evt_type=connect user=<NA> user_uid=1001 user_loginuid=-1 process=kubectl proc_exepath=/opt/bitnami/kubectl/bin/kubectl parent=bash command=kubectl get pod terminal=34816 container_id=97ce665637e3 container_image=docker.io/bitnami/kubectl container_image_tag=latest container_name=kubectl k8s_ns=falco-test k8s_pod_name=kubectl-test-6f9465c4b7-xl5qk)","output_fields":{"container.id":"97ce665637e3","container.image.repository":"docker.io/bitnami/kubectl","container.image.tag":"latest","container.name":"kubectl","evt.time":1774318318895603805,"evt.type":"connect","fd.l4proto":"tcp","fd.lport":35432,"fd.name":"198.18.3.61:35432->10.0.1.254:443","fd.rport":443,"fd.type":"ipv4","k8s.ns.name":"falco-test","k8s.pod.name":"kubectl-test-6f9465c4b7-xl5qk","proc.cmdline":"kubectl get pod","proc.exepath":"/opt/bitnami/kubectl/bin/kubectl","proc.name":"kubectl","proc.pname":"bash","proc.tty":34816,"user.loginuid":-1,"user.name":"<NA>","user.uid":1001},"priority":"Notice","rule":"Contact K8S API Server From Container","source":"syscall","tags":["T1565","container","k8s","maturity_stable","mitre_discovery","network"],"time":"2026-03-24T02:11:58.895603805Z"}

Environment

  • Falco version:
# falco --version
Tue Mar 24 01:14:14 2026: Falco version: 0.43.0 (x86_64)
Tue Mar 24 01:14:14 2026: Falco initialized with configuration files:
Tue Mar 24 01:14:14 2026:    /etc/falco/falco.yaml | schema validation: ok
Tue Mar 24 01:14:14 2026: System info: Linux version 6.8.0-52-generic (buildd@lcy02-amd64-046) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #53-Ubuntu SMP PREEMPT_DYNAMIC Sat Jan 11 00:06:25 UTC 2025
{"default_driver_version":"9.1.0+driver","driver_api_version":"8.0.0","driver_schema_version":"4.1.0","engine_version":"58","engine_version_semver":"0.58.0","falco_version":"0.43.0","libs_version":"0.23.1","plugin_api_version":"3.12.0"}
  • System info:
{
  "machine": "x86_64",
  "nodename": "falco-8822p",
  "release": "6.8.0-52-generic",
  "sysname": "Linux",
  "version": "#53-Ubuntu SMP PREEMPT_DYNAMIC Sat Jan 11 00:06:25 UTC 2025"
}
  • Cloud provider or hardware configuration: Naver Cloud, Republic of Korea.
  • OS: Ubuntu 24.04
  • Kernel:
Linux falco-8822p 6.8.0-52-generic #53-Ubuntu SMP PREEMPT_DYNAMIC Sat Jan 11 00:06:25 UTC 2025 x86_64
  • Installation method:
    Kubernetes, using Helm
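
Added example (not from the reporter or the Falco project): a script that generates the IP-pinned override shown in this issue from the kubernetes Service and its EndpointSlice, and checks a Falco JSON event against the resulting IP set. The Service and EndpointSlice JSON and the sample event are constructed to match the output in this issue (trimmed to the fields used); the rules-file placement in the usage note is an assumption.

```python
"""Build an IP-pinned override for the Falco k8s_api_server macro and check
events against it. Added example for this issue, not Falco's own code."""
import json
from typing import Iterable, List

API_SERVER_NAME = "kubernetes.default.svc.cluster.local"

# Constructed sample in the shape of `kubectl get svc kubernetes -n default -o json`
# (trimmed), with the ClusterIP from this issue.
SERVICE_JSON = """{
  "apiVersion": "v1", "kind": "Service",
  "metadata": {"name": "kubernetes", "namespace": "default"},
  "spec": {"clusterIP": "198.19.128.1", "clusterIPs": ["198.19.128.1"],
           "ports": [{"port": 443, "protocol": "TCP"}]}
}"""

# Constructed sample in the shape of
# `kubectl get endpointslices -n default -l kubernetes.io/service-name=kubernetes -o json`
# (trimmed), with the endpoint address from this issue.
ENDPOINTSLICE_JSON = """{
  "apiVersion": "discovery.k8s.io/v1", "kind": "EndpointSliceList",
  "items": [{
    "metadata": {"name": "kubernetes", "namespace": "default"},
    "addressType": "IPv4",
    "endpoints": [{"addresses": ["10.0.1.254"], "conditions": {"ready": true}}],
    "ports": [{"port": 443, "protocol": "TCP"}]
  }]
}"""

# Constructed sample event carrying the fd.name from the 0.40.0 alert in this issue.
SAMPLE_EVENT = json.dumps({
    "rule": "Contact K8S API Server From Container",
    "output_fields": {"evt.type": "connect", "fd.type": "ipv4",
                      "fd.name": "198.18.3.61:35432->10.0.1.254:443", "fd.rport": 443},
})


def api_server_ips(service_json: str, endpointslice_json: str) -> List[str]:
    """Union of the Service's ClusterIP(s) and every ready endpoint address.

    Both are included because the alert in this issue shows the connect()
    destination as the endpoint IP (10.0.1.254), not the ClusterIP.
    """
    spec = json.loads(service_json)["spec"]
    ips = set(spec.get("clusterIPs") or [spec["clusterIP"]])
    for item in json.loads(endpointslice_json).get("items", []):
        for ep in item.get("endpoints", []):
            if ep.get("conditions", {}).get("ready", True):
                ips.update(ep.get("addresses", []))
    return sorted(ips)


def render_override(ips: Iterable[str]) -> str:
    """Render a rules file that replaces the macro: keep the name match, add an IP list."""
    quoted = ", ".join(f'"{ip}"' for ip in ips)
    return (
        "- macro: k8s_api_server\n"
        "  condition: >\n"
        f'    (fd.sip.name="{API_SERVER_NAME}" or\n'
        f"     fd.sip in ({quoted}))\n"
        "  override:\n"
        "    condition: replace\n"
    )


def server_ip(fd_name: str) -> str:
    """Extract the server address from fd.name ("client:port->server:port")."""
    server = fd_name.split("->", 1)[1]
    return server.rsplit(":", 1)[0]  # rsplit so an address containing colons survives


def event_matches(event_json: str, ips: Iterable[str]) -> bool:
    """Would the fd.sip clause of the override match this Falco JSON event?"""
    fields = json.loads(event_json)["output_fields"]
    return fields.get("evt.type") == "connect" and server_ip(fields["fd.name"]) in set(ips)


if __name__ == "__main__":
    pinned = api_server_ips(SERVICE_JSON, ENDPOINTSLICE_JSON)
    print(render_override(pinned), end="")
    print("# sample event matches:", event_matches(SAMPLE_EVENT, pinned))
```

On a live cluster, feed the script the output of `kubectl get svc kubernetes -n default -o json` and `kubectl get endpointslices -n default -l kubernetes.io/service-name=kubernetes -o json` and place the rendered YAML in a file that Falco loads after falco_rules.yaml (assumed: a file in the rules directory, or the chart's custom rules value for a Helm install). The endpoint addresses change whenever control-plane nodes are replaced, so the file has to be regenerated then; the fd.sip.name clause is kept so the rule keeps matching on a Falco version where name resolution works again.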
