feat(falco-talon): Configure Talon pod to not rollout on configmap ch…

…anges, allow user to input rules.yaml directly, configure Talon to rollout on secret change, bump appVersion v0.2.0 Signed-off-by: Igor Eulalio <[email protected]> feat: trigger rollout based on secret change Signed-off-by: Igor Eulalio <[email protected]> feat: remove rules_override.yaml file, add field so users can specify custom rules directly via values Signed-off-by: Igor Eulalio <[email protected]> chore: bump chart version, update CHANGELOG.md and make docs Signed-off-by: Igor Eulalio <[email protected]> feat: allow users to specify custom service accounts for deployment Signed-off-by: Igor Eulalio <[email protected]> chore: modify changelog.md Signed-off-by: Igor Eulalio <[email protected]> chore(deps): Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.2 to 2.1.0. - [Release notes](https://github.com/lycheeverse/lychee-action/releases) - [Commits](lycheeverse/lychee-action@7cd0af4...f81112d) --- updated-dependencies: - dependency-name: lycheeverse/lychee-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> feat: remove helm-generated labels and timestamp so that pod isn't recycled with a new update Signed-off-by: Igor Eulalio <[email protected]> feat: trigger rollout based on secret change Signed-off-by: Igor Eulalio <[email protected]> feat: remove rules_override.yaml file, add field so users can specify custom rules directly via values Signed-off-by: Igor Eulalio <[email protected]> chore: bump chart version, update CHANGELOG.md and make docs Signed-off-by: Igor Eulalio <[email protected]> feat: allow users to specify custom service accounts for deployment Signed-off-by: Igor Eulalio <[email protected]> chore: modify changelog.md Signed-off-by: Igor Eulalio <[email protected]> chore(deps): Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.2 to 2.1.0. - [Release notes](https://github.com/lycheeverse/lychee-action/releases) - [Commits](lycheeverse/lychee-action@7cd0af4...f81112d) --- updated-dependencies: - dependency-name: lycheeverse/lychee-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> change the key for the rulesfiles range Signed-off-by: Thomas Labarussias <[email protected]> chore(falco/k8smeta): bump plugin version Signed-off-by: Aldo Lacuku <[email protected]> chore(falco/test): update unit tests to reflect changes in k8smeta tag Signed-off-by: Aldo Lacuku <[email protected]> chore(falco/k8smeta): bump chart version Signed-off-by: Aldo Lacuku <[email protected]> fix(falco/dashboard): make pod variable independent of triggered rules CPU and memory are now visible for each pod, even when no rules have been triggered for that falco instance. Signed-off-by: Aldo Lacuku <[email protected]> chore(falco): bump chart version Signed-off-by: Aldo Lacuku <[email protected]> chore(falco): apply suggestions Co-authored-by: Thomas Labarussias <[email protected]> Signed-off-by: Aldo Lacuku <[email protected]> fix(falco/readme): use rules_files instead of deprecated rules_file in config snippet Using rules_file causes collision with rules_files and falco does not start ``` Tue Nov 12 14:23:17 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form). Error: Error reading config file (/etc/falco/falco.yaml): both 'rules_files' and 'rules_file' keys set ``` Signed-off-by: Robin Landström <[email protected]> chore(falco): bump chart version Signed-off-by: Robin Landström <[email protected]> update(falco): bump falco version to 0.39.2 and falcoctl to 0.10.1 Signed-off-by: Aldo Lacuku <[email protected]> chore: bump chart version Signed-off-by: Igor Eulalio <[email protected]> chore: update docs Signed-off-by: Igor Eulalio <[email protected]> chore(deps): Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.2 to 2.1.0. - [Release notes](https://github.com/lycheeverse/lychee-action/releases) - [Commits](lycheeverse/lychee-action@7cd0af4...f81112d) --- updated-dependencies: - dependency-name: lycheeverse/lychee-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> change the key for the rulesfiles range Signed-off-by: Thomas Labarussias <[email protected]> chore(falco/k8smeta): bump plugin version Signed-off-by: Aldo Lacuku <[email protected]> chore(falco/test): update unit tests to reflect changes in k8smeta tag Signed-off-by: Aldo Lacuku <[email protected]> chore(falco/k8smeta): bump chart version Signed-off-by: Aldo Lacuku <[email protected]> fix(falco/dashboard): make pod variable independent of triggered rules CPU and memory are now visible for each pod, even when no rules have been triggered for that falco instance. Signed-off-by: Aldo Lacuku <[email protected]> chore(falco): bump chart version Signed-off-by: Aldo Lacuku <[email protected]> chore(falco): apply suggestions Co-authored-by: Thomas Labarussias <[email protected]> Signed-off-by: Aldo Lacuku <[email protected]> fix(falco/readme): use rules_files instead of deprecated rules_file in config snippet Using rules_file causes collision with rules_files and falco does not start ``` Tue Nov 12 14:23:17 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form). Error: Error reading config file (/etc/falco/falco.yaml): both 'rules_files' and 'rules_file' keys set ``` Signed-off-by: Robin Landström <[email protected]> chore(falco): bump chart version Signed-off-by: Robin Landström <[email protected]> update(falco): bump falco version to 0.39.2 and falcoctl to 0.10.1 Signed-off-by: Aldo Lacuku <[email protected]> chore: bump appVersion to match talon version Signed-off-by: Igor Eulalio <[email protected]>
falcosecurity · Nov 26, 2024 · e338ee9 · e338ee9
1 parent b273725
commit e338ee9
Show file tree

Hide file tree

Showing 13 changed files with 58 additions and 39 deletions.
diff --git a/charts/falco-talon/CHANGELOG.md b/charts/falco-talon/CHANGELOG.md
@@ -3,6 +3,11 @@
 This file documents all notable changes to Falco Talon Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## 0.2.0 - 2024-11-26
+- configure pod to not rollout on configmap change
+- configure pod to rollout on secret change
+- add config.rulesOverride allowing users to override config rules
+
 ## 0.1.3 - 2024-11-08
 
 - change the key for the range over the rules files
@@ -18,4 +23,4 @@ numbering uses [semantic versioning](http://semver.org).
 
 ## 0.1.0 - 2024-09-05
 
-- First release
+- First release
diff --git a/charts/falco-talon/Chart.yaml b/charts/falco-talon/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: 0.1.1
+appVersion: 0.2.0
 description: React to the events from Falco
 name: falco-talon
-version: 0.1.3
+version: 0.2.0
 keywords:
   - falco
   - monitoring
@@ -14,3 +14,5 @@ sources:
 maintainers:
   - name: Issif
     email: [email protected]
+  - name: IgorEulalio
+    email: [email protected]
diff --git a/charts/falco-talon/README.md b/charts/falco-talon/README.md
@@ -58,7 +58,7 @@ helm delete falco-talon -n falco
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | affinity |
-| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesFiles":["rules.yaml","rules_override.yaml"],"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
+| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesOverride":"- action: Terminate Pod\n  actionner: kubernetes:terminate\n  parameters:\n    ignore_daemonsets: true\n    ignore_statefulsets: true\n    grace_period_seconds: 20\n","watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
 | config.aws | object | `{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""}` | aws |
 | config.aws.accesKey | string | `""` | access key (if not specified, default access_key from provider credential chain will be used) |
 | config.aws.externalId | string | `""` | external id |
@@ -111,7 +111,6 @@ helm delete falco-talon -n falco
 | config.otel.metricsEnabled | bool | `false` | enable otel metrics |
 | config.otel.tracesEnabled | bool | `false` | enable otel traces |
 | config.printAllEvents | bool | `false` | print in stdout all received events, not only those which match a rule |
-| config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map |
 | config.watchRules | bool | `true` | auto reload the rules when the files change |
 | extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env |
 | image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters |
@@ -134,7 +133,9 @@ helm delete falco-talon -n falco
 | podSecurityPolicy | object | `{"create":false}` | pod security policy |
 | podSecurityPolicy.create | bool | `false` | enable the creation of the PSP |
 | priorityClassName | string | `""` | priority class name |
-| rbac | object | `{"caliconetworkpolicies":["get","update","patch","create"],"ciliumnetworkpolicies":["get","update","patch","create"],"clusterroles":["get","delete"],"configmaps":["get","delete"],"daemonsets":["get","delete"],"deployments":["get","delete"],"events":["get","update","patch","create"],"leases":["get","update","patch","watch","create"],"namespaces":["get","delete"],"networkpolicies":["get","update","patch","create"],"nodes":["get","update","patch","watch","create"],"pods":["get","update","patch","delete","list"],"podsEphemeralcontainers":["patch","create"],"podsEviction":["get","create"],"podsExec":["get","create"],"podsLog":["get"],"replicasets":["get","delete"],"roles":["get","delete"],"secrets":["get","delete"],"statefulsets":["get","delete"]}` | rbac |
+| rbac | object | `{"caliconetworkpolicies":["get","update","patch","create"],"ciliumnetworkpolicies":["get","update","patch","create"],"clusterroles":["get","delete"],"configmaps":["get","delete"],"daemonsets":["get","delete"],"deployments":["get","delete"],"events":["get","update","patch","create"],"leases":["get","update","patch","watch","create"],"namespaces":["get","delete"],"networkpolicies":["get","update","patch","create"],"nodes":["get","update","patch","watch","create"],"pods":["get","update","patch","delete","list"],"podsEphemeralcontainers":["patch","create"],"podsEviction":["get","create"],"podsExec":["get","create"],"podsLog":["get"],"replicasets":["get","delete"],"roles":["get","delete"],"secrets":["get","delete"],"serviceAccount":{"create":true,"name":""},"statefulsets":["get","delete"]}` | rbac |
+| rbac.serviceAccount.create | bool | `true` | create the service account. If create is false, name is required |
+| rbac.serviceAccount.name | string | `""` | name of the service account |
 | replicaCount | int | `2` | number of running pods |
 | resources | object | `{}` | resources |
 | service | object | `{"annotations":{},"port":2803,"type":"ClusterIP"}` | service parameters |

diff --git a/charts/falco-talon/rules.yaml b/charts/falco-talon/rules.yaml
@@ -6,12 +6,3 @@
   parameters:
     labels:
       analysis/status: "suspicious"
-
-- rule: Terminal shell in container 
-  match:
-    rules:
-      - Terminal shell in container
-    output_fields:
-      - k8s.ns.name!=kube-system, k8s.ns.name!=falco
-  actions:
-    - action: Label Pod as Suspicious
diff --git a/charts/falco-talon/rules_override.yaml b/charts/falco-talon/rules_override.yaml
diff --git a/charts/falco-talon/templates/_helpers.tpl b/charts/falco-talon/templates/_helpers.tpl
@@ -61,4 +61,13 @@ Return if ingress supports pathType.
 */}}
 {{- define "falco-talon.ingress.supportsPathType" -}}
   {{- or (eq (include "falco-talon.ingress.isStable" .) "true") (and (eq (include "falco-talon.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Validate if either serviceAccount create is set to true or serviceAccount name is passed
+*/}}
+{{- define "falco-talon.validateServiceAccount" -}}
+  {{- if and (not .Values.rbac.serviceAccount.create) (not .Values.rbac.serviceAccount.name) -}}
+  {{- fail ".Values.rbac.serviceAccount.create is set to false and .Values.rbac.serviceAccount.name is not provided or is provided as empty string." -}}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/falco-talon/templates/configmap.yaml b/charts/falco-talon/templates/configmap.yaml
@@ -6,7 +6,7 @@ metadata:
     {{- include "falco-talon.labels" . | nindent 4 }}
 data:
   rules.yaml: |-
-{{- range $file := .Values.config.rulesFiles -}}
-{{ $fileContent := $.Files.Get $file }}
-{{- $fileContent | nindent 4 -}}
-{{- end -}}
+    {{ $.Files.Get "rules.yaml" | nindent 4 }}
+    {{- if .Values.config.rulesOverride }}
+    {{ .Values.config.rulesOverride | nindent 4 }}
+    {{- end }}
diff --git a/charts/falco-talon/templates/deployment.yaml b/charts/falco-talon/templates/deployment.yaml
@@ -15,12 +15,13 @@ spec:
   template:
     metadata:
       labels:
-      {{- include "falco-talon.labels" . | nindent 8 }}
-      {{- if .Values.podAnnotations }}
-        {{ toYaml .Values.podAnnotations | indent 8 }}
-      {{- end }}
+        app.kubernetes.io/name: {{ include "falco-talon.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if .Values.podAnnotations }}
+          {{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
       annotations:
-        timestamp: {{ now }}
+        secret-checksum: {{ (lookup "v1" "Secret" .Release.Namespace (include "falco-talon.name" . | cat "-config")).data | toJson | sha256sum }}
     spec:
       serviceAccountName: {{ include "falco-talon.name" . }}
       {{- if .Values.priorityClassName }}

diff --git a/charts/falco-talon/templates/rbac.yaml b/charts/falco-talon/templates/rbac.yaml
@@ -1,11 +1,14 @@
+{{- include "falco-talon.validateServiceAccount" . -}}
 ---
+{{- if .Values.rbac.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "falco-talon.name" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -205,5 +208,9 @@ roleRef:
   name: {{ include "falco-talon.name" . }}
 subjects:
 - kind: ServiceAccount
+  {{- if .Values.rbac.serviceAccount.create }}
   name: {{ include "falco-talon.name" . }}
+  {{- else }}
+  name: {{ .Values.rbac.serviceAccount.name }}
+  {{- end }}
   namespace: {{ .Release.Namespace }}
diff --git a/charts/falco-talon/values.yaml b/charts/falco-talon/values.yaml
@@ -105,6 +105,11 @@ affinity: {}
 
 # -- rbac
 rbac:
+  serviceAccount:
+    # -- create the service account. If create is false, name is required
+    create: true
+    # -- name of the service account
+    name: ""
   namespaces: ["get", "delete"]
   pods: ["get", "update", "patch", "delete", "list"]
   podsEphemeralcontainers: ["patch", "create"]
@@ -141,11 +146,6 @@ config:
   # -- auto reload the rules when the files change
   watchRules: true
 
-  # -- list of locale rules to load, they will be concatenated into a single config map
-  rulesFiles:
-    - rules.yaml
-    - rules_override.yaml
-
   # -- deduplication of the Falco events
   deduplication:
     # -- enable the leader election for cluster mode
@@ -156,6 +156,15 @@ config:
   # -- print in stdout all received events, not only those which match a rule
   printAllEvents: false
 
+  # User-defined additional rules for rules_override.yaml
+  rulesOverride: |
+    - action: Terminate Pod
+      actionner: kubernetes:terminate
+      parameters:
+        ignore_daemonsets: true
+        ignore_statefulsets: true
+        grace_period_seconds: 20
+
   # -- open telemetry parameters
   otel:
     # -- enable otel traces

diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md
@@ -1227,4 +1227,4 @@ Remove whitespace around `falco.httpOutput.url` to fix the error `libcurl error:
 
 ### Major Changes
 
-* Initial release of Sysdig Falco Helm Chart
+* Initial release of Sysdig Falco Helm Chart
diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml
@@ -25,4 +25,4 @@ dependencies:
   - name: k8s-metacollector
     version: 0.1.*
     repository: https://falcosecurity.github.io/charts
-    condition: collectors.kubernetes.enabled
+    condition: collectors.kubernetes.enabled
diff --git a/charts/falco/README.md b/charts/falco/README.md
@@ -799,4 +799,4 @@ The following table lists the main configurable parameters of the falco chart v4
 | serviceMonitor.tlsConfig | object | `{}` | tlsConfig specifies TLS (Transport Layer Security) configuration for secure communication when scraping metrics from a service. It allows you to define the details of the TLS connection, such as CA certificate, client certificate, and client key. Currently, the k8s-metacollector does not support TLS configuration for the metrics endpoint. |
 | services | string | `nil` | Network services configuration (scenario requirement) Add here your services to be deployed together with Falco. |
 | tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"}]` | Tolerations to allow Falco to run on Kubernetes masters. |
-| tty | bool | `false` | Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. Set it to "true" when you need the Falco logs to be immediately displayed. |
+| tty | bool | `false` | Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. Set it to "true" when you need the Falco logs to be immediately displayed. |
Original file line number	Diff line number	Diff line change
Expand Up		@@ -1227,4 +1227,4 @@ Remove whitespace around `falco.httpOutput.url` to fix the error `libcurl error:

		### Major Changes

		* Initial release of Sysdig Falco Helm Chart
		* Initial release of Sysdig Falco Helm Chart