- minor security enhancements in helm chart (#24)

- minor best-practices/linting (E.g. using select{} instead of a ifinite loop with sleep, using log.Print vs fmt.Print, formatted the imports, etc.)
- minor readme changes (linting for links and header sizes, removal/change for dead link(s), and addition of some other log collectors like Promtail and Logstash)
- bump go to 1.20 to pull in some security fixes
- bump k8s.io deps to v0.24.15 (note that this version is about to become non-maintained, but still is for now)

Author: nathanmcgarvey-modopayments

README.md

@@ -2,9 +2,9 @@
 
 <img src="https://raw.githubusercontent.com/max-rocket-internet/k8s-event-logger/master/img/k8s-logo.png" width="100">
 
-This tool simply watches Kubernetes Events and logs them to stdout in JSON to be collected and stored by your logging solution, e.g. [fluentd](https://github.com/fluent/fluentd-kubernetes-daemonset) or [fluent-bit](https://fluentbit.io/). Other tools exist for persisting Kubernetes Events, such as Sysdig, Datadog or Google's [event-exporter](https://github.com/GoogleCloudPlatform/k8s-stackdriver/tree/master/event-exporter) but this tool is open and will work with any logging solution.
+This tool simply watches Kubernetes Events and logs them to stdout in JSON to be collected and stored by your logging solution, e.g. [fluentd](https://github.com/fluent/fluentd-kubernetes-daemonset), [fluent-bit](https://fluentbit.io/), [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html), or [Promtail](https://grafana.com/docs/loki/latest/clients/promtail/). Other tools exist for persisting Kubernetes Events, such as Sysdig, Datadog, or Google's [event-exporter](https://github.com/GoogleCloudPlatform/k8s-stackdriver/tree/master/event-exporter) but this tool is open and will work with any logging solution.
 
-### Why?
+## Why?
 
 Events in Kubernetes log very important information. If are trying to understand what happened in the past then these events show clearly what your Kubernetes cluster was thinking and doing. Some examples:
 
@@ -17,7 +17,7 @@ The problem is that these events are simply API objects in Kubernetes and are on
 
 Example of events:
 
-```
+```text
 39m   Normal  UpdatedLoadBalancer      Service     Updated load balancer with new hosts
 40m   Normal  SuccessfulDelete         DaemonSet   Deleted pod: ingress02-nginx-ingress-controller-vqqjp
 41m   Normal  ScaleDown                Node        node removed by cluster autoscaler
@@ -30,40 +30,46 @@ Example of events:
 58m   Normal  CREATE                   ConfigMap   ConfigMap default/ingress02-nginx-ingress-controller
 ```
 
-### Installation
+## Installation
 
 Use the [Helm](https://helm.sh/) chart from this repo:
 
-```
+```sh
 helm install chart/
 ```
 
 Or use the chart from [deliveryhero/helm-charts/stable/k8s-event-logger](https://github.com/deliveryhero/helm-charts/tree/master/stable/k8s-event-logger):
 
-```
+```sh
 helm repo add deliveryhero https://charts.deliveryhero.io/
 helm install deliveryhero/k8s-event-logger
 ```
 
-Or use the docker image [maxrocketinternet/k8s-event-logger](https://hub.docker.com/r/maxrocketinternet/k8s-event-logger)
+Or use the pre-built image [maxrocketinternet/k8s-event-logger][pre-built image]
 
-#### Building a container image
+### Building a container image
 
-If you're unable to use the [prebuilt][image] docker image, you can build it yourself:
+If you're unable to use the [pre-built image], you can build it yourself:
 
 ```sh
-make IMG=maxrocketinternet/k8s-event-logger TAG=latest
+make all IMG=<your-container-registry>/k8s-event-logger TAG=latest
 ```
 
-This uses `docker buildx` to create a [multi-platform image][]. To set up your build host system to be able to build these images, see [this guide][qemu-binfmt].
+This uses `docker buildx` to create a [multi-platform image]. To set up your build host system to be able to build these images, see [this guide][multi-platform image] or `make all` and review the Makefile for what it does.
 
 [multi-platform image]: https://docs.docker.com/build/building/multi-platform/
-[qemu-binfmt]: https://docs.nvidia.com/datacenter/cloud-native/playground/x-arch.html
+[pre-built image]: https://hub.docker.com/r/maxrocketinternet/k8s-event-logger
 
-### Testing
+Or to just build locally for testing without multi-arch support (but also doesn't require a registry):
+
+```sh
+docker build --tag localhost/k8s-event-logger .
+```
+
+## Testing
 
 Run it:
 
-```
+```sh
 go run main.go
 ```

chart/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
-appVersion: "1.8"
-version: "1.1.3"
+appVersion: "1.9"
+version: "1.2.0"
 description: A tool to log k8s events to stdout in JSON
 home: https://github.com/max-rocket-internet/k8s-event-logger
 name: k8s-event-logger
@@ -14,6 +14,6 @@ icon: https://github.com/kubernetes/kubernetes/raw/master/logo/logo.png
 keywords:
 - events
 - logging
-- Auditing
+- auditing
 sources:
 - https://github.com/max-rocket-internet/k8s-event-logger

chart/README.md

@@ -1,8 +1,8 @@
 # k8s-event-logger
 
-This chart runs a pod that simply watches Kubernetes Events and logs them to stdout in JSON to be collected and stored by your logging solution, e.g. [fluentd](https://github.com/helm/charts/tree/master/stable/fluentd) or [fluent-bit](https://github.com/helm/charts/tree/master/stable/fluent-bit).
+This chart runs a pod that simply watches Kubernetes Events and logs them to stdout in JSON to be collected and stored by your logging solution, e.g. [fluentd](https://github.com/fluent/fluentd-kubernetes-daemonset), [fluent-bit](https://fluentbit.io/), [Filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html), or [Promtail](https://grafana.com/docs/loki/latest/clients/promtail/). Other tools exist for persisting Kubernetes Events, such as Sysdig, Datadog, or Google's [event-exporter](https://github.com/GoogleCloudPlatform/k8s-stackdriver/tree/master/event-exporter) but this tool is open and will work with any logging solution.
 
-https://github.com/max-rocket-internet/k8s-event-logger
+[Source code](https://github.com/max-rocket-internet/k8s-event-logger)
 
 Events in Kubernetes log very important information. If are trying to understand what happened in the past then these events show clearly what your Kubernetes cluster was thinking and doing. Some examples:
 
@@ -15,22 +15,22 @@ The problem is that these events are simply API objects in Kubernetes and are on
 
 ## Prerequisites
 
-- Kubernetes 1.8+
+- Kubernetes 1.23+
 
 ## Installing the Chart
 
 To install the chart with the release name `my-release` and default configuration:
 
-```shell
-$ helm install --name my-release stable/k8s-event-logger
+```sh
+helm install --name my-release stable/k8s-event-logger
 ```
 
 ## Uninstalling the Chart
 
 To delete the chart:
 
-```shell
-$ helm delete my-release
+```sh
+helm delete my-release
 ```
 
 ## Configuration
@@ -56,6 +56,6 @@ The following table lists the configurable parameters for this chart and their d
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install` or provide a YAML file containing the values for the above parameters:
 
-```shell
-$ helm install --name my-release stable/k8s-event-logger --values values.yaml
+```sh
+helm install --name my-release stable/k8s-event-logger --values values.yaml
 ```

chart/templates/deployment.yaml

@@ -35,6 +35,14 @@ spec:
           securityContext:
             readOnlyRootFilesystem: true
             runAsNonRoot: true
+            runAsUser: 10001
+            runAsGroup: 10001
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
           env:
 {{- range $key, $value := .Values.env }}
           - name: {{ $key }}

go.mod

@@ -1,18 +1,15 @@
 module github.com/max-rocket-internet/k8s-event-logger
 
-go 1.18
+go 1.20
 
 require (
-	k8s.io/api v0.24.1
-	k8s.io/apimachinery v0.24.1
-	k8s.io/client-go v0.24.1
+	k8s.io/api v0.24.15
+	k8s.io/apimachinery v0.24.15
+	k8s.io/client-go v0.24.15
 )
 
 require (
-	github.com/PuerkitoBio/purell v1.1.1 // indirect
-	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/emicklei/go-restful v2.15.0+incompatible // indirect
 	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
@@ -31,21 +28,22 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/net v0.0.0-20220607020251-c690dde0001d // indirect
+	golang.org/x/net v0.8.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb // indirect
-	golang.org/x/sys v0.0.0-20220608164250-635b8c9b7f68 // indirect
-	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/term v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.0.0-20220411224347-583f2d630306 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.60.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20220603121420-31174f50af60 // indirect
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9 // indirect
 	sigs.k8s.io/json v0.0.0-20220525155127-227cbc7cc124 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )