I have a running kube cluster and I need to monitor Kubernetes API logs.
I have an audit policy which generates logs and I can see events in audit.log. With the below policy I can see pods are running, but somehow the k8saudit plugin is not getting loaded and so it is not getting visibility of audit logs.
The k8saudit.so file is present inside the pod though.
#################################
# DRIVER
#################################
driver:
  kind: modern_ebpf
#################################
# FALCO CONFIG
#################################
falco:
  json_output: true
  json_include_output_property: true
###############################
# ENABLE K8S AUDIT
###############################
k8sAudit:
  enabled: true
  auditLogPath: /var/log/kubernetes
###############################
# Mount audit log from host
###############################
extraVolumes:
  - name: k8s-audit
    hostPath:
      path: /var/log/kubernetes
      type: Directory
extraVolumeMounts:
  - name: k8s-audit
    mountPath: /var/log/kubernetes
    readOnly: true
#################################
# CUSTOM API ATTACK RULES
#################################
customRules:
  k8s_api_rules.yaml: |-
    - rule: Kubernetes Pod Exec Detected
      desc: Detect kubectl exec into pod
      condition: >
        ka.verb=create and
        ka.target.resource=pods and
        ka.target.subresource=exec
      output: >
        Kubernetes EXEC detected
        user=%ka.user.name
        namespace=%ka.target.namespace
        pod=%ka.target.name
        sourceIP=%ka.sourceIPs
      priority: WARNING
      source: k8s_audit
      tags: [k8s, exec, attack]
    - rule: Kubernetes Secret Access
      desc: Detect secret enumeration
      condition: >
        ka.target.resource=secrets and
        (ka.verb=get or ka.verb=list)
      output: >
        Secret Access Detected
        user=%ka.user.name
        namespace=%ka.target.namespace
        secret=%ka.target.name
        sourceIP=%ka.sourceIPs
      priority: CRITICAL
      source: k8s_audit
      tags: [k8s, credential_access]
#################################
# FALCOCTL (PLUGIN + RULE DOWNLOAD)
#################################
falcoctl:
  config:
    artifact:
      install:
        enabled: true
        refs:
          - ghcr.io/falcosecurity/plugins/plugin/k8saudit:latest
          - ghcr.io/falcosecurity/rules/falco-rules:latest
      follow:
        enabled: true
        refs:
          - ghcr.io/falcosecurity/plugins/plugin/k8saudit:latest
          - ghcr.io/falcosecurity/rules/falco-rules:latest
#################################
# FALCOSIDEKICK → ELASTICSEARCH
#################################
falcosidekick:
  enabled: true
  config:
    elasticsearch:
      hostport: "http://192.168.1.50:9200"
      index: "Falco Alerts"
      username: "elastic"
      password: "password"
      minimumpriority: debug
Thanks,
sanky
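An added check, written by the editor and not part of the post or the Falco project: it walks a parsed Helm values document and reports what would keep the k8saudit plugin downloaded by falcoctl but never loaded by Falco. It assumes the chart renders the `falco:` section into falco.yaml, where `plugins` and `load_plugins` govern plugin loading, that the plugin's `open_params` may be a path to an audit log file, and that the two dicts below (constructed to mirror the post) stand in for `yaml.safe_load()` of a real values file.

```python
# Added example, not from the post. Given parsed Falco Helm values, list the
# reasons the k8saudit plugin would be fetched but never loaded.
# Assumptions: `falco.plugins` / `falco.load_plugins` are the falco.yaml keys
# that load a plugin, and k8saudit's open_params may be an audit log file path.

def k8saudit_load_problems(values):
    """Return reasons the k8saudit plugin would not be active in this Falco."""
    problems = []
    falco = values.get("falco", {})
    artifact = values.get("falcoctl", {}).get("config", {}).get("artifact", {})
    refs = artifact.get("install", {}).get("refs", [])
    if not any("/plugin/k8saudit" in ref for ref in refs):
        problems.append("falcoctl install.refs does not fetch the k8saudit plugin")
    if "k8saudit" not in falco.get("load_plugins", []):
        problems.append("falco.load_plugins does not list k8saudit")
    plugin = next((p for p in falco.get("plugins", []) if p.get("name") == "k8saudit"), None)
    if plugin is None:
        problems.append("falco.plugins has no k8saudit entry (library_path/open_params)")
        return problems
    params = plugin.get("open_params", "")
    if not params:
        problems.append("k8saudit entry has no open_params (log file path or webhook URL)")
    elif not params.startswith("http"):
        # File mode: the audit log must be reachable inside the Falco pod.
        mounts = [m.get("mountPath", "") for m in values.get("extraVolumeMounts", [])]
        if not any(params.startswith(m.rstrip("/") + "/") for m in mounts if m):
            problems.append(f"{params} is not under any extraVolumeMounts mountPath")
    return problems


POSTED = {  # constructed: mirrors the post, plugin downloaded but never loaded
    "falco": {"json_output": True},
    "falcoctl": {"config": {"artifact": {"install": {"refs": [
        "ghcr.io/falcosecurity/plugins/plugin/k8saudit:latest",
        "ghcr.io/falcosecurity/rules/falco-rules:latest"]}}}},
    "extraVolumeMounts": [{"name": "k8s-audit", "mountPath": "/var/log/kubernetes"}],
}

FIXED = dict(POSTED, falco={  # same values plus the keys that load the plugin
    "json_output": True,
    "load_plugins": ["k8saudit", "json"],  # json paired with k8saudit as in Falco's docs
    "plugins": [{"name": "k8saudit", "library_path": "libk8saudit.so",
                 "init_config": "", "open_params": "/var/log/kubernetes/audit.log"}],
})

if __name__ == "__main__":
    for label, values in (("posted", POSTED), ("fixed", FIXED)):
        print(label, k8saudit_load_problems(values) or ["ok"])
```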