diff --git a/charts/falco-talon/CHANGELOG.md b/charts/falco-talon/CHANGELOG.md
index b5ed5f9da..e486a194c 100644
--- a/charts/falco-talon/CHANGELOG.md
+++ b/charts/falco-talon/CHANGELOG.md
@@ -3,6 +3,11 @@
 This file documents all notable changes to Falco Talon Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
+## 0.2.0 - 2024-11-26
+- configure pod to not rollout on configmap change
+- configure pod to rollout on secret change
+- add config.rulesOverride allowing users to override config rules
+
 ## 0.1.3 - 2024-11-08
 - change the key for the range over the rules files
@@ -18,4 +23,4 @@ numbering uses [semantic versioning](http://semver.org).
 ## 0.1.0 - 2024-09-05
-- First release
+- First release
\ No newline at end of file
diff --git a/charts/falco-talon/Chart.yaml b/charts/falco-talon/Chart.yaml
index c6871d480..f7c94c3ca 100644
--- a/charts/falco-talon/Chart.yaml
+++ b/charts/falco-talon/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: 0.1.1
+appVersion: 0.2.0
 description: React to the events from Falco
 name: falco-talon
-version: 0.1.3
+version: 0.2.0
 keywords:
 - falco
 - monitoring
@@ -14,3 +14,5 @@ sources:
 maintainers:
 - name: Issif
 email: issif+github@gadz.org
+ - name: IgorEulalio
+ email: igoreulalio.ie@gmail.com
\ No newline at end of file
diff --git a/charts/falco-talon/README.md b/charts/falco-talon/README.md
index 01350e7a9..0be85d5f9 100644
--- a/charts/falco-talon/README.md
+++ b/charts/falco-talon/README.md
@@ -58,7 +58,7 @@ helm delete falco-talon -n falco
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | affinity |
-| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesFiles":["rules.yaml","rules_override.yaml"],"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
+| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesOverride":"- action: Terminate Pod\n actionner: kubernetes:terminate\n parameters:\n ignore_daemonsets: true\n ignore_statefulsets: true\n grace_period_seconds: 20\n","watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
 | config.aws | object | `{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""}` | aws |
 | config.aws.accesKey | string | `""` | access key (if not specified, default access_key from provider credential chain will be used) |
 | config.aws.externalId | string | `""` | external id |
@@ -111,7 +111,6 @@ helm delete falco-talon -n falco
 | config.otel.metricsEnabled | bool | `false` | enable otel metrics |
 | config.otel.tracesEnabled | bool | `false` | enable otel traces |
 | config.printAllEvents | bool | `false` | print in stdout all received events, not only those which match a rule |
-| config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map |
 | config.watchRules | bool | `true` | auto reload the rules when the files change |
 | extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env |
 | image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters |
@@ -134,7 +133,9 @@ helm delete falco-talon -n falco
 | podSecurityPolicy | object | `{"create":false}` | pod security policy |
 | podSecurityPolicy.create | bool | `false` | enable the creation of the PSP |
 | priorityClassName | string | `""` | priority class name |
-| rbac | object | `{"caliconetworkpolicies":["get","update","patch","create"],"ciliumnetworkpolicies":["get","update","patch","create"],"clusterroles":["get","delete"],"configmaps":["get","delete"],"daemonsets":["get","delete"],"deployments":["get","delete"],"events":["get","update","patch","create"],"leases":["get","update","patch","watch","create"],"namespaces":["get","delete"],"networkpolicies":["get","update","patch","create"],"nodes":["get","update","patch","watch","create"],"pods":["get","update","patch","delete","list"],"podsEphemeralcontainers":["patch","create"],"podsEviction":["get","create"],"podsExec":["get","create"],"podsLog":["get"],"replicasets":["get","delete"],"roles":["get","delete"],"secrets":["get","delete"],"statefulsets":["get","delete"]}` | rbac |
+| rbac | object | `{"caliconetworkpolicies":["get","update","patch","create"],"ciliumnetworkpolicies":["get","update","patch","create"],"clusterroles":["get","delete"],"configmaps":["get","delete"],"daemonsets":["get","delete"],"deployments":["get","delete"],"events":["get","update","patch","create"],"leases":["get","update","patch","watch","create"],"namespaces":["get","delete"],"networkpolicies":["get","update","patch","create"],"nodes":["get","update","patch","watch","create"],"pods":["get","update","patch","delete","list"],"podsEphemeralcontainers":["patch","create"],"podsEviction":["get","create"],"podsExec":["get","create"],"podsLog":["get"],"replicasets":["get","delete"],"roles":["get","delete"],"secrets":["get","delete"],"serviceAccount":{"create":true,"name":""},"statefulsets":["get","delete"]}` | rbac |
+| rbac.serviceAccount.create | bool | `true` | create the service account. If create is false, name is required |
+| rbac.serviceAccount.name | string | `""` | name of the service account |
 | replicaCount | int | `2` | number of running pods |
 | resources | object | `{}` | resources |
 | service | object | `{"annotations":{},"port":2803,"type":"ClusterIP"}` | service parameters |
diff --git a/charts/falco-talon/rules.yaml b/charts/falco-talon/rules.yaml
index dbc9f315c..56860a748 100644
--- a/charts/falco-talon/rules.yaml
+++ b/charts/falco-talon/rules.yaml
@@ -6,12 +6,3 @@
 parameters:
 labels:
 analysis/status: "suspicious"
-
-- rule: Terminal shell in container
- match:
- rules:
- - Terminal shell in container
- output_fields:
- - k8s.ns.name!=kube-system, k8s.ns.name!=falco
- actions:
- - action: Label Pod as Suspicious
diff --git a/charts/falco-talon/rules_override.yaml b/charts/falco-talon/rules_override.yaml
deleted file mode 100644
index a75af42c4..000000000
--- a/charts/falco-talon/rules_override.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-- action: Terminate Pod
- actionner: kubernetes:terminate
- parameters:
- ignore_daemonsets: true
- ignore_statefulsets: true
- grace_period_seconds: 2
\ No newline at end of file
diff --git a/charts/falco-talon/templates/_helpers.tpl b/charts/falco-talon/templates/_helpers.tpl
index 70e9bb80e..a5c6c206a 100644
--- a/charts/falco-talon/templates/_helpers.tpl
+++ b/charts/falco-talon/templates/_helpers.tpl
@@ -61,4 +61,13 @@ Return if ingress supports pathType.
 */}}
 {{- define "falco-talon.ingress.supportsPathType" -}}
 {{- or (eq (include "falco-talon.ingress.isStable" .) "true") (and (eq (include "falco-talon.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
+
+{{/*
+Validate if either serviceAccount create is set to true or serviceAccount name is passed
+*/}}
+{{- define "falco-talon.validateServiceAccount" -}}
+ {{- if and (not .Values.rbac.serviceAccount.create) (not .Values.rbac.serviceAccount.name) -}}
+ {{- fail ".Values.rbac.serviceAccount.create is set to false and .Values.rbac.serviceAccount.name is not provided or is provided as empty string." -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/falco-talon/templates/configmap.yaml b/charts/falco-talon/templates/configmap.yaml
index c9db3dd23..e7ff6d371 100644
--- a/charts/falco-talon/templates/configmap.yaml
+++ b/charts/falco-talon/templates/configmap.yaml
@@ -6,7 +6,7 @@ metadata:
 {{- include "falco-talon.labels" . | nindent 4 }}
 data:
 rules.yaml: |-
-{{- range $file := .Values.config.rulesFiles -}}
-{{ $fileContent := $.Files.Get $file }}
-{{- $fileContent | nindent 4 -}}
-{{- end -}}
+ {{ $.Files.Get "rules.yaml" | nindent 4 }}
+ {{- if .Values.config.rulesOverride }}
+ {{ .Values.config.rulesOverride | nindent 4 }}
+ {{- end }}
diff --git a/charts/falco-talon/templates/deployment.yaml b/charts/falco-talon/templates/deployment.yaml
index f4ac78912..862a882df 100644
--- a/charts/falco-talon/templates/deployment.yaml
+++ b/charts/falco-talon/templates/deployment.yaml
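Review bot: `falco-talon.validateServiceAccount` rejects the create=false/empty-name combination but nothing resolves the effective service-account name, so the two consumers pick it independently: the rbac.yaml hunk below switches the ClusterRoleBinding subject to `.Values.rbac.serviceAccount.name`, while the deployment.yaml hunk below still renders `serviceAccountName: {{ include "falco-talon.name" . }}` unconditionally. With `rbac.serviceAccount.create=false` the binding therefore grants the chart's cluster-wide verbs to the user-supplied account and the pods request a different account that is no longer created, so the ServiceAccount admission controller rejects them. A single `falco-talon.serviceAccountName` helper next to the validator, used by both templates, keeps the binding subject and the pod identity the same object; the `fail` message could also name the key to set (`rbac.serviceAccount.name`) rather than restating both conditions.
```gotmpl
{{/*
Name of the ServiceAccount the pods run as and the ClusterRoleBinding targets.
*/}}
{{- define "falco-talon.serviceAccountName" -}}
{{- if .Values.rbac.serviceAccount.create -}}
{{- include "falco-talon.name" . -}}
{{- else -}}
{{- .Values.rbac.serviceAccount.name -}}
{{- end -}}
{{- end -}}
```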
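Review bot: `{{ .Values.config.rulesOverride | nindent 4 }}` assumes the override is a string; a user who sets `config.rulesOverride` as a YAML list in a values file (the natural form for a list of rules) gets a type error from `nindent` at render time instead of a rules file. Branching on `kindIs "string"` and rendering other kinds with `toYaml` keeps both forms working. Whatever is appended is also never checked to be a list-item sequence compatible with the chart's `rules.yaml`, so a malformed override only surfaces when Talon loads the ConfigMap; a comment above the block stating that the value is appended verbatim after `rules.yaml` would help users debug that case.
```gotmpl
    {{- if .Values.config.rulesOverride }}
    {{- if kindIs "string" .Values.config.rulesOverride }}
    {{ .Values.config.rulesOverride | nindent 4 }}
    {{- else }}
    {{ toYaml .Values.config.rulesOverride | nindent 4 }}
    {{- end }}
    {{- end }}
```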
@@ -15,12 +15,13 @@ spec:
 template:
 metadata:
 labels:
- {{- include "falco-talon.labels" . | nindent 8 }}
- {{- if .Values.podAnnotations }}
- {{ toYaml .Values.podAnnotations | indent 8 }}
- {{- end }}
+ app.kubernetes.io/name: {{ include "falco-talon.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- if .Values.podAnnotations }}
+ {{ toYaml .Values.podAnnotations | indent 8 }}
+ {{- end }}
 annotations:
- timestamp: {{ now }}
+ secret-checksum: {{ (lookup "v1" "Secret" .Release.Namespace (include "falco-talon.name" . | cat "-config")).data | toJson | sha256sum }}
 spec:
 serviceAccountName: {{ include "falco-talon.name" . }}
 {{- if .Values.priorityClassName }}
diff --git a/charts/falco-talon/templates/rbac.yaml b/charts/falco-talon/templates/rbac.yaml
index 50080a124..bd45db505 100644
--- a/charts/falco-talon/templates/rbac.yaml
+++ b/charts/falco-talon/templates/rbac.yaml
@@ -1,4 +1,6 @@
+{{- include "falco-talon.validateServiceAccount" . -}}
 ---
+{{- if .Values.rbac.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -6,6 +8,7 @@ metadata:
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "falco-talon.labels" . | nindent 4 }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -205,5 +208,9 @@ roleRef:
 name: {{ include "falco-talon.name" . }}
 subjects:
 - kind: ServiceAccount
+ {{- if .Values.rbac.serviceAccount.create }}
 name: {{ include "falco-talon.name" . }}
+ {{- else }}
+ name: {{ .Values.rbac.serviceAccount.name }}
+ {{- end }}
 namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/charts/falco-talon/values.yaml b/charts/falco-talon/values.yaml
index 380cba120..47ef1388a 100644
--- a/charts/falco-talon/values.yaml
+++ b/charts/falco-talon/values.yaml
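Review bot: The Secret name handed to `lookup` is built as `include "falco-talon.name" . | cat "-config"`; Sprig's `cat` joins its arguments with a space and the piped value becomes the last argument, so the lookup key is `-config <name>` rather than `<name>-config`, the lookup returns an empty object, and `secret-checksum` is the constant hash of `null` — the rollout-on-secret-change the changelog advertises never fires. `printf "%s-config" (include "falco-talon.name" .)` yields the intended name. Even with the name fixed, `lookup` reads the Secret already in the cluster (and nothing under `helm template` or `--dry-run`), so the annotation reflects the previous release's data and the rollout lags one upgrade behind; hashing the rendered template, `checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}`, tracks the release being installed, assuming the Secret is produced by a template of this chart, which is not visible here. Separately, the new side still emits `.Values.podAnnotations` under `labels:` rather than `annotations:`, a placement carried over from the removed lines.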
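Review bot: In the third hunk the ClusterRoleBinding subject is switched to a caller-supplied `.Values.rbac.serviceAccount.name` while `namespace: {{ .Release.Namespace }}` stays fixed, so a pre-existing ServiceAccount in another namespace cannot be referenced, and any account with that name in the release namespace is granted the chart's cluster-wide verbs (pod delete, exec, secrets get, per the `rbac` defaults shown in the README hunk). The values comment only says "name is required"; it should also state that the account must already exist in the release namespace, e.g. `# -- name of an existing service account in the release namespace (used when create is false)`. Since the `if`/`else` around `name:` here duplicates the choice deployment.yaml has to make as well, resolving the name once in a helper would be the clearer shape; the enclosing ClusterRoleBinding starts outside the hunk.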
@@ -105,6 +105,11 @@ affinity: {}
 # -- rbac
 rbac:
+ serviceAccount:
+ # -- create the service account. If create is false, name is required
+ create: true
+ # -- name of the service account
+ name: ""
 namespaces: ["get", "delete"]
 pods: ["get", "update", "patch", "delete", "list"]
 podsEphemeralcontainers: ["patch", "create"]
@@ -141,11 +146,6 @@ config:
 # -- auto reload the rules when the files change
 watchRules: true
- # -- list of locale rules to load, they will be concatenated into a single config map
- rulesFiles:
- - rules.yaml
- - rules_override.yaml
-
 # -- deduplication of the Falco events
 deduplication:
 # -- enable the leader election for cluster mode
@@ -156,6 +156,15 @@ config:
 # -- print in stdout all received events, not only those which match a rule
 printAllEvents: false
+ # User-defined additional rules for rules_override.yaml
+ rulesOverride: |
+ - action: Terminate Pod
+ actionner: kubernetes:terminate
+ parameters:
+ ignore_daemonsets: true
+ ignore_statefulsets: true
+ grace_period_seconds: 20
+
 # -- open telemetry parameters
 otel:
 # -- enable otel traces
diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md
index a75f149f4..41d05e67a 100644
--- a/charts/falco/CHANGELOG.md
+++ b/charts/falco/CHANGELOG.md
@@ -1227,4 +1227,4 @@ Remove whitespace around `falco.httpOutput.url` to fix the error `libcurl error:
 ### Major Changes
-* Initial release of Sysdig Falco Helm Chart
+* Initial release of Sysdig Falco Helm Chart
\ No newline at end of file
diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml
index 0582008d2..400169081 100644
--- a/charts/falco/Chart.yaml
+++ b/charts/falco/Chart.yaml
@@ -25,4 +25,4 @@ dependencies:
 - name: k8s-metacollector
 version: 0.1.*
 repository: https://falcosecurity.github.io/charts
- condition: collectors.kubernetes.enabled
+ condition: collectors.kubernetes.enabled
\ No newline at end of file
diff --git a/charts/falco/README.md b/charts/falco/README.md
index 2a18dce99..82dddb7ac 100644
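Review bot: In the third hunk the comment above `rulesOverride` reads `# User-defined additional rules for rules_override.yaml`, without the `# --` prefix every other key in this file carries, so helm-docs emits no `config.rulesOverride` row — the README hunk in this commit removes the `config.rulesFiles` row and adds nothing in its place — and the text still names `rules_override.yaml`, which this commit deletes. `# -- user-defined rules appended verbatim after the chart's rules.yaml in the ConfigMap` describes what the configmap template now does. In the first hunk, `serviceAccount` is nested inside `rbac`, whose other keys are resource-to-verb lists; if the ClusterRole template (outside this diff) ranges over `.Values.rbac` to build its rules, the new map will be iterated as if it were a resource, which is worth checking before merge.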
--- a/charts/falco/README.md
+++ b/charts/falco/README.md
@@ -799,4 +799,4 @@ The following table lists the main configurable parameters of the falco chart v4
 | serviceMonitor.tlsConfig | object | `{}` | tlsConfig specifies TLS (Transport Layer Security) configuration for secure communication when scraping metrics from a service. It allows you to define the details of the TLS connection, such as CA certificate, client certificate, and client key. Currently, the k8s-metacollector does not support TLS configuration for the metrics endpoint. |
 | services | string | `nil` | Network services configuration (scenario requirement) Add here your services to be deployed together with Falco. |
 | tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"}]` | Tolerations to allow Falco to run on Kubernetes masters. |
-| tty | bool | `false` | Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. Set it to "true" when you need the Falco logs to be immediately displayed. |
+| tty | bool | `false` | Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. Set it to "true" when you need the Falco logs to be immediately displayed. |
\ No newline at end of file