diff --git a/KubeArmor/config/config.go b/KubeArmor/config/config.go
index b774c29ccf..caef760cf4 100644
--- a/KubeArmor/config/config.go
+++ b/KubeArmor/config/config.go
@@ -153,7 +153,7 @@ func readCmdLineParams() {
 stateAgent := flag.Bool(ConfigStateAgent, false, "enabling KubeArmor State Agent client")
- alertThrottling := flag.Bool(ConfigAlertThrottling, false, "enabling Alert Throttling")
+ alertThrottling := flag.Bool(ConfigAlertThrottling, true, "enabling Alert Throttling")
 maxAlertPerSec := flag.Int(ConfigMaxAlertPerSec, 10, "Maximum alerts allowed per second")
diff --git a/KubeArmor/monitor/systemMonitor.go b/KubeArmor/monitor/systemMonitor.go
index a144ff0c3a..d2f0686457 100644
--- a/KubeArmor/monitor/systemMonitor.go
+++ b/KubeArmor/monitor/systemMonitor.go
@@ -293,6 +293,10 @@ func (mon *SystemMonitor) UpdateThrottlingConfig() {
 if err := mon.BpfConfigMap.Update(uint32(5), uint32(cfg.GlobalCfg.ThrottleSec), cle.UpdateAny); err != nil {
 mon.Logger.Errf("Error Updating System Monitor Config Map to set time interval for dropping subsequent alerts : %s", err.Error())
 }
+ mon.Logger.Printf("Alert Throttling configured {alertThrottling:%v, maxAlertPerSec:%v, throttleSec:%v}",
+ cfg.GlobalCfg.AlertThrottling,
+ cfg.GlobalCfg.MaxAlertPerSec,
+ cfg.GlobalCfg.ThrottleSec)
 }
 // UpdateNsKeyMap Function
diff --git a/KubeArmor/packaging/kubearmor.yaml b/KubeArmor/packaging/kubearmor.yaml
index 3ba2d3a107..14447ff03b 100644
--- a/KubeArmor/packaging/kubearmor.yaml
+++ b/KubeArmor/packaging/kubearmor.yaml
@@ -4,3 +4,6 @@ hostVisibility: "process,file,network,capabilities"
 enableKubeArmorHostPolicy: true
 enableKubeArmorVm: false
 k8s: false
+alertThrottling: true
+maxAlertPerSec: 10
+throttleSec: 30
diff --git a/deployments/get/objects.go b/deployments/get/objects.go
index c7c5a44b2e..6a06faf670 100644
--- a/deployments/get/objects.go
+++ b/deployments/get/objects.go
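Review bot: Flipping the `alertThrottling` flag default to `true` in config.go means a deployment that never set this option starts dropping alerts after an upgrade, and the help string `"enabling Alert Throttling"` gives no hint of that. With the defaults shown in this commit (`maxAlertPerSec` 10, `throttleSec` 30), a container that exceeds ten alerts in one second produces no further alerts for the following 30 seconds, which is a visibility gap responders need to know about when they reconstruct a timeline. I would say so in the help text, for example `"enable alert throttling (default true): alerts from a container above maxAlertPerSec are dropped for throttleSec seconds"`, and call the default change out in the release notes. The same default is switched on in kubearmor.yaml, deployments/get/objects.go, both Helm values.yaml files, defaults.go and sample-config.yml, so this applies to those hunks as well. readCmdLineParams continues outside the hunk.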
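Review bot: The added `Printf` in UpdateThrottlingConfig reports "Alert Throttling configured" even when the `BpfConfigMap.Update` call directly above it failed, because the error branch only logs through `Errf` and then falls through. The line also prints the values held in `cfg.GlobalCfg`, not what the BPF map contains, so after a failed update the log asserts a throttle setting that the kernel side may not be enforcing. Either record whether any update failed and skip the success line in that case, or word the message as what it is, for example `mon.Logger.Printf("Alert Throttling requested {alertThrottling:%v, maxAlertPerSec:%v, throttleSec:%v}", ...)`. The function starts outside the hunk, so the earlier map updates are not visible here; they presumably follow the same log-and-continue pattern.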
@@ -972,6 +972,9 @@ func GetKubearmorConfigMap(namespace, name string) *corev1.ConfigMap {
 data[cfg.ConfigDefaultCapabilitiesPosture] = "audit"
 data[cfg.ConfigDefaultNetworkPosture] = "audit"
 data[cfg.ConfigDefaultPostureLogs] = "true"
+ data[cfg.ConfigAlertThrottling] = "true"
+ data[cfg.ConfigMaxAlertPerSec] = "10"
+ data[cfg.ConfigThrottleSec] = "30"
 return &corev1.ConfigMap{
 TypeMeta: metav1.TypeMeta{
diff --git a/deployments/helm/KubeArmor/values.yaml b/deployments/helm/KubeArmor/values.yaml
index e9f75c5fb0..1ee45d5cdf 100644
--- a/deployments/helm/KubeArmor/values.yaml
+++ b/deployments/helm/KubeArmor/values.yaml
@@ -94,7 +94,7 @@ kubearmorConfigMap:
 defaultCapabilitiesPosture: audit
 defaultNetworkPosture: audit
 visibility: process,network
- alertThrottling: false
+ alertThrottling: true
 maxAlertPerSec: 10
 throttleSec: 30
diff --git a/deployments/helm/KubeArmorOperator/values.yaml b/deployments/helm/KubeArmorOperator/values.yaml
index a6efab57b6..8c5643d840 100644
--- a/deployments/helm/KubeArmorOperator/values.yaml
+++ b/deployments/helm/KubeArmorOperator/values.yaml
@@ -47,7 +47,7 @@ kubearmorConfig:
 enableStdOutAlerts: false
 enableStdOutMsgs: false
 seccompEnabled: true
- alertThrottling: false
+ alertThrottling: true
 maxAlertPerSec: 10
 throttleSec: 30
diff --git a/getting-started/alert_throttling.md b/getting-started/alert_throttling.md
index ec0cb81a91..b924620ab8 100644
--- a/getting-started/alert_throttling.md
+++ b/getting-started/alert_throttling.md
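Review bot: The three throttling defaults in GetKubearmorConfigMap are written as bare string literals `"true"`, `"10"` and `"30"`, and the same values are repeated in `ConfigMapData` in pkg/KubeArmorOperator/common/defaults.go, in both Helm values.yaml files, in kubearmor.yaml and in the flag defaults in config.go (two of which are visible in this commit). Nothing ties these copies together, so a later change to one of them would leave clusters throttling alerts at different limits depending on how they were installed. At minimum I would add a comment above the new lines, `// throttling defaults: keep in sync with the flag defaults in KubeArmor/config/config.go`; a shared set of constants would be better if the packages can import one. The function starts and ends outside the hunk.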
@@ -10,7 +10,7 @@ Throttling conditions can be configured through the config map, `kubearmor-confi
 Three configurable conditions for throttling are:
-1. enabling alert throttling, by default alert throttling will not be available. In order to enable throttling we need to set `alertThrottling` to `true`.
+1. enabling/disabling alert throttling, by default alert throttling will be enabled. In order to disable throttling we need to set `alertThrottling` to `false`.
 2. set the threshold frequency for the alerts generated, by default it is set to `10` alerts(after enabling throttling), which means 10 alerts would be allowed to be generated per second. After the threshold frequency is crossed an alert will be generated which will notify that threshold frequency is crossed and for next few seconds we will not recieve alerts for this container. In order to set threshold frequency we need to set `maxAlertPerSec` to an int value, which decribes the number of maximum alerts that could be generated per sec.
diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go
index d77f44842e..bcf157747c 100644
--- a/pkg/KubeArmorOperator/common/defaults.go
+++ b/pkg/KubeArmorOperator/common/defaults.go
@@ -129,7 +129,7 @@ var ConfigMapData = map[string]string{
 ConfigDefaultNetworkPosture: "audit",
 ConfigVisibility: "process,network,capabilities",
 ConfigDefaultPostureLogs: "true",
- ConfigAlertThrottling: "false",
+ ConfigAlertThrottling: "true",
 ConfigMaxAlertPerSec: "10",
 ConfigThrottleSec: "30",
 }
diff --git a/pkg/KubeArmorOperator/config/samples/sample-config.yml b/pkg/KubeArmorOperator/config/samples/sample-config.yml
index 93bfce1e3e..0276db3b69 100644
--- a/pkg/KubeArmorOperator/config/samples/sample-config.yml
+++ b/pkg/KubeArmorOperator/config/samples/sample-config.yml
@@ -18,7 +18,7 @@ spec:
 enableStdOutAlerts: false
 enableStdOutMsgs: false
 seccompEnabled: false
- alertThrottling: false
+ alertThrottling: true
 maxAlertPerSec: 10
 throttleSec: 30
 kubearmorImage: