[json plugin error] json.value[...] doesn't accept json pointer #318

Open
marco-zani opened this issue Aug 2, 2023 · 15 comments
Labels
kind/bug Something isn't working lifecycle/stale

Comments

@marco-zani

Describe the bug

When loading rules, falco finds the rules file as invalid with the following error:

LOAD_ERR_COMPILE_OUTPUT (Error compiling output):
 ....
 has an invalid index argument not composed only by digits: /user/extraauthentication.kubernetes.io/pod-name

How to reproduce it

Install the helm chart of falco with this config file:

falcoctl:
  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      install:
        resolveDeps: false
        refs: [falco-rules:0, k8saudit-rules:0.5]
      follow:
        refs: [falco-rules:0, k8saudit-rules:0.5]

falco:
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config:
        ""
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
      open_params: ""
  load_plugins: [k8saudit, json]

And with this rule in k8s_audit_rules.local.yaml:

- list: getVerbs
  items: [list, get]

- rule: getFromPod
  desc: A pod tried to access resources in the cluster
  condition: ka.verb in (getVerbs) and ka.user.name != admin
  output: "%json.value[/user/extra/authentication.kubernetes.io/pod-name]"
  priority: info
  source: k8s_audit

and feeding falco with this json:

{
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Metadata",
    "auditID": "4d80af72-c845-42c3-9159-97a97925fcac",
    "stage": "ResponseComplete",
    "requestURI": "/api/v1/namespaces/default/pods?limit=500",
    "verb": "list",
    "user": {
        "username": "system:serviceaccount:default:default",
        "uid": "ff7eb48d-d26c-4b11-9f18-e2b5e9be50ee",
        "groups": [
            "system:serviceaccounts",
            "system:serviceaccounts:default",
            "system:authenticated"
        ],
        "extra": {
            "authentication.kubernetes.io/pod-name": [
                "ubuntu-ubuntu"
            ],
            "authentication.kubernetes.io/pod-uid": [
                "7d49c124-be01-4f95-827e-de1125f05dc9"
            ]
        }
    },
    "sourceIPs": [
        "10.1.134.102"
    ],
    "userAgent": "kubectl/v1.27.4 (linux/amd64) kubernetes/fa3d799",
    "objectRef": {
        "resource": "pods",
        "namespace": "default",
        "apiVersion": "v1"
    },
    "responseStatus": {
        "metadata": {},
        "code": 200
    },
    "requestReceivedTimestamp": "2023-08-02T08:12:31.920374Z",
    "stageTimestamp": "2023-08-02T08:12:31.925808Z",
    "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": ""
    }
}

Expected behaviour

Return in output: ubuntu-ubuntu

Environment

  • Falco version:
    0.35.1
  • System info:
Wed Aug  2 12:53:30 2023: Falco version: 0.35.1 (x86_64)
Wed Aug  2 12:53:30 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Wed Aug  2 12:53:30 2023: Loading plugin 'k8saudit' from file /usr/share/falco/plugins/libk8saudit.so
Wed Aug  2 12:53:30 2023: Loading plugin 'json' from file /usr/share/falco/plugins/libjson.so
Wed Aug  2 12:53:30 2023: Loading rules from file /etc/falco/falco_rules.yaml
Wed Aug  2 12:53:31 2023: Loading rules from file /etc/falco/local/falco_rules.local.yaml
Wed Aug  2 12:53:31 2023: Loading rules from file /etc/falco/k8s_audit_rules.yaml
{
  "machine": "x86_64",
  "nodename": "falco-vqvkp",
  "release": "5.15.0-76-generic",
  "sysname": "Linux",
  "version": "#83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023"
}

This output is missing k8s_audit_rules.local.yaml because I had to remove it to access the machine.

  • OS:
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
  • Kernel:
    Linux falco-vqvkp 5.15.0-76-generic #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023 x86_64 GNU/Linux
  • Installation method:
    helm chart
@marco-zani marco-zani added the kind/bug Something isn't working label Aug 2, 2023
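
Added example, not part of the original report and not code from Falco or its json plugin: a minimal RFC 6901 JSON Pointer resolver run against the user object of the audit event above, to show how a standard resolver treats the pointer used in the rule. Under RFC 6901 the key authentication.kubernetes.io/pod-name contains a "/" that must be written as ~1, and the value is an array, so a trailing /0 selects the string. It does not reproduce the rule-load error, which is reported while loading rules; resolve_pointer, escape_token and try_pointer are names made up for this example.

```python
import json

# Constructed sample: the "user" object trimmed from the audit event in the report.
EVENT = json.loads("""
{"user": {"username": "system:serviceaccount:default:default",
          "extra": {"authentication.kubernetes.io/pod-name": ["ubuntu-ubuntu"]}}}
""")


def escape_token(key):
    """Escape one object key for use as an RFC 6901 reference token."""
    return key.replace("~", "~0").replace("/", "~1")


def resolve_pointer(doc, pointer):
    """Resolve an RFC 6901 JSON pointer; raise KeyError if it does not resolve."""
    if pointer and not pointer.startswith("/"):
        raise KeyError("pointer must be empty or start with '/'")
    node = doc
    for raw in pointer.split("/")[1:]:
        # Unescape ~1 before ~0, as the RFC requires.
        token = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict):
            if token not in node:
                raise KeyError("no member %r" % token)
            node = node[token]
        elif isinstance(node, list):
            # Array indices are ASCII digits only, with no leading zeros.
            ok = token.isascii() and token.isdigit() and token == str(int(token))
            if not ok or int(token) >= len(node):
                raise KeyError("invalid or out-of-range array index %r" % token)
            node = node[int(token)]
        else:
            raise KeyError("cannot descend into a scalar with %r" % token)
    return node


def try_pointer(pointer):
    """Return (True, value) or (False, reason) for a pointer against EVENT."""
    try:
        return True, resolve_pointer(EVENT, pointer)
    except KeyError as exc:
        return False, exc.args[0]


if __name__ == "__main__":
    for p in ("/user/extra/authentication.kubernetes.io/pod-name",
              "/user/extra/authentication.kubernetes.io~1pod-name/0"):
        print(p, "->", try_pointer(p))
```
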
@poiana
Contributor

poiana commented Oct 31, 2023

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Contributor

poiana commented Nov 30, 2023

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@poiana
Contributor

poiana commented Dec 30, 2023

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana poiana closed this as completed Dec 30, 2023
@poiana
Contributor

poiana commented Dec 30, 2023

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Andreagit97
Member

/remove-lifecycle rotten

@Andreagit97
Member

/reopen

@poiana poiana reopened this Jan 3, 2024
@poiana
Contributor

poiana commented Jan 3, 2024

@Andreagit97: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Andreagit97
Member

Andreagit97 commented Jan 3, 2024

Sounds like a valid issue! I'm not sure it ever worked...we will take a look, thank you for reporting!

@poiana
Contributor

poiana commented Apr 2, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Contributor

poiana commented May 2, 2024

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@poiana
Contributor

poiana commented Jun 1, 2024

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana poiana closed this as completed Jun 1, 2024
@poiana
Contributor

poiana commented Jun 1, 2024

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Andreagit97
Member

/remove-lifecycle rotten

/reopen

@poiana poiana reopened this Jun 3, 2024
@poiana
Contributor

poiana commented Jun 3, 2024

@Andreagit97: Reopened this issue.

In response to this:

/remove-lifecycle rotten

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@poiana
Contributor

poiana commented Sep 1, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale
