From b8176a5fbceeae1b214067ff2aa3b90a117de1eb Mon Sep 17 00:00:00 2001
From: Aldo Lacuku
Date: Fri, 12 Jan 2024 12:49:56 +0100
Subject: [PATCH] update(falco/tests): use falco with k8saudit plugin for testing

Signed-off-by: Aldo Lacuku
---
 tests/falco-test-ci.yaml | 63 +++++++++++++++++++++++++++++++---------
 1 file changed, 50 insertions(+), 13 deletions(-)

diff --git a/tests/falco-test-ci.yaml b/tests/falco-test-ci.yaml
index db2c7ad80..dfc9e48aa 100644
--- a/tests/falco-test-ci.yaml
+++ b/tests/falco-test-ci.yaml
@@ -1,19 +1,56 @@
 # CI values for Falco.
 # To deploy Falco on CI we need to set an argument to bypass the installation
 # of the kernel module, so we bypass that.
-extra:
- args:
- - --userspace
-
-falco:
- grpc:
- enabled: true
- grpc_output:
- enabled: true
-
+# -- Disable the drivers since we want to deploy only the k8saudit plugin.
 driver:
 enabled: false

-# enforce /proc mounting since Falco still tries to scan it
-mounts:
- enforceProcMount: true
+# -- Disable the collectors, no syscall events to enrich with metadata.
+collectors:
+ enabled: false
+
+falcoctl:
+ artifact:
+ install:
+ # -- Enable the init container.
+ enabled: true
+ follow:
+ # -- Enable the sidecar container.
+ enabled: true
+ config:
+ artifact:
+ install:
+ # -- Resolve the dependencies for artifacts.
+ resolveDeps: true
+ # -- List of artifacts to be installed by the falcoctl init container.
+ refs: [k8saudit-rules:0.6]
+ follow:
+ # -- List of artifacts to be followed by the falcoctl sidecar container.
+ refs: [k8saudit-rules:0.6]
+
+services:
+ - name: k8saudit-webhook
+ type: NodePort
+ ports:
+ - port: 9765 # See plugin open_params
+ nodePort: 30007
+ protocol: TCP
+
+falco:
+ rules_file:
+ - /etc/falco/k8s_audit_rules.yaml
+ - /etc/falco/rules.d
+ plugins:
+ - name: k8saudit
+ library_path: libk8saudit.so
+ init_config:
+ ""
+ # maxEventBytes: 1048576
+ # sslCertificate: /etc/falco/falco.pem
+ open_params: "http://:9765/k8s-audit"
+ - name: json
+ library_path: libjson.so
+ init_config: ""
+ # Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container.
+ load_plugins: [k8saudit, json]
+
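Review bot: The new `services:` entry publishes the k8saudit webhook as a `NodePort` on 30007 while `open_params: "http://:9765/k8s-audit"` uses plain HTTP with no bind host and `sslCertificate` stays commented out. The listener therefore accepts unauthenticated, unencrypted audit events from whatever can reach a node address, and those events can carry request bodies. That is reasonable for a throwaway CI cluster, but nothing in the file says so, and values files like this tend to be copied; I would add above `services:` a comment such as `# CI only: plain-HTTP, unauthenticated audit webhook; outside tests use ClusterIP and https:// with sslCertificate`. Separately, `refs: [k8saudit-rules:0.6]` in both `install` and `follow` looks like a floating tag that the follow sidecar may re-resolve, so the rules under test can change between runs; pinning a full version or digest would keep the test reproducible.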