From e338ee9b8e652e04175a38b4bc2d43dc7b1b90b5 Mon Sep 17 00:00:00 2001
From: Igor Eulalio
Date: Wed, 6 Nov 2024 21:28:41 +0100
Subject: [PATCH] feat(falco-talon): Configure Talon pod to not rollout on configmap changes, allow user to input rules.yaml directly, configure Talon to rollout on secret change, bump appVersion v0.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Igor Eulalio

feat: trigger rollout based on secret change

Signed-off-by: Igor Eulalio

feat: remove rules_override.yaml file, add field so users can specify custom rules directly via values

Signed-off-by: Igor Eulalio

chore: bump chart version, update CHANGELOG.md and make docs

Signed-off-by: Igor Eulalio

feat: allow users to specify custom service accounts for deployment

Signed-off-by: Igor Eulalio

chore: modify changelog.md

Signed-off-by: Igor Eulalio

chore(deps): Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0

Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.2 to 2.1.0.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/7cd0af4c74a61395d455af97419279d86aafaede...f81112d0d2814ded911bd23e3beaa9dda9093915)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]

feat: remove helm-generated labels and timestamp so that pod isn't recycled with a new update

Signed-off-by: Igor Eulalio

feat: trigger rollout based on secret change

Signed-off-by: Igor Eulalio

feat: remove rules_override.yaml file, add field so users can specify custom rules directly via values

Signed-off-by: Igor Eulalio

chore: bump chart version, update CHANGELOG.md and make docs

Signed-off-by: Igor Eulalio

feat: allow users to specify custom service accounts for deployment

Signed-off-by: Igor Eulalio

chore: modify changelog.md

Signed-off-by: Igor Eulalio

chore(deps): Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0

Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.2 to 2.1.0.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/7cd0af4c74a61395d455af97419279d86aafaede...f81112d0d2814ded911bd23e3beaa9dda9093915)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]

change the key for the rulesfiles range

Signed-off-by: Thomas Labarussias

chore(falco/k8smeta): bump plugin version

Signed-off-by: Aldo Lacuku

chore(falco/test): update unit tests to reflect changes in k8smeta tag

Signed-off-by: Aldo Lacuku

chore(falco/k8smeta): bump chart version

Signed-off-by: Aldo Lacuku

fix(falco/dashboard): make pod variable independent of triggered rules

CPU and memory are now visible for each pod, even when no rules have been triggered for that falco instance.

Signed-off-by: Aldo Lacuku

chore(falco): bump chart version

Signed-off-by: Aldo Lacuku

chore(falco): apply suggestions

Co-authored-by: Thomas Labarussias
Signed-off-by: Aldo Lacuku

fix(falco/readme): use rules_files instead of deprecated rules_file in config snippet

Using rules_file causes collision with rules_files and falco does not start

```
Tue Nov 12 14:23:17 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
Error: Error reading config file (/etc/falco/falco.yaml): both 'rules_files' and 'rules_file' keys set
```

Signed-off-by: Robin Landström

chore(falco): bump chart version

Signed-off-by: Robin Landström

update(falco): bump falco version to 0.39.2 and falcoctl to 0.10.1

Signed-off-by: Aldo Lacuku

chore: bump chart version

Signed-off-by: Igor Eulalio

chore: update docs

Signed-off-by: Igor Eulalio

chore(deps): Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0

Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.2 to 2.1.0.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/7cd0af4c74a61395d455af97419279d86aafaede...f81112d0d2814ded911bd23e3beaa9dda9093915)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]

change the key for the rulesfiles range

Signed-off-by: Thomas Labarussias

chore(falco/k8smeta): bump plugin version

Signed-off-by: Aldo Lacuku

chore(falco/test): update unit tests to reflect changes in k8smeta tag

Signed-off-by: Aldo Lacuku

chore(falco/k8smeta): bump chart version

Signed-off-by: Aldo Lacuku

fix(falco/dashboard): make pod variable independent of triggered rules

CPU and memory are now visible for each pod, even when no rules have been triggered for that falco instance.

Signed-off-by: Aldo Lacuku

chore(falco): bump chart version

Signed-off-by: Aldo Lacuku

chore(falco): apply suggestions

Co-authored-by: Thomas Labarussias
Signed-off-by: Aldo Lacuku

fix(falco/readme): use rules_files instead of deprecated rules_file in config snippet

Using rules_file causes collision with rules_files and falco does not start

```
Tue Nov 12 14:23:17 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
Error: Error reading config file (/etc/falco/falco.yaml): both 'rules_files' and 'rules_file' keys set
```

Signed-off-by: Robin Landström

chore(falco): bump chart version

Signed-off-by: Robin Landström

update(falco): bump falco version to 0.39.2 and falcoctl to 0.10.1

Signed-off-by: Aldo Lacuku

chore: bump appVersion to match talon version
Signed-off-by: Igor Eulalio --- charts/falco-talon/CHANGELOG.md | 7 ++++++- charts/falco-talon/Chart.yaml | 6 ++++-- charts/falco-talon/README.md | 7 ++++--- charts/falco-talon/rules.yaml | 9 --------- charts/falco-talon/rules_override.yaml | 6 ------ charts/falco-talon/templates/_helpers.tpl | 11 ++++++++++- charts/falco-talon/templates/configmap.yaml | 8 ++++---- charts/falco-talon/templates/deployment.yaml | 11 ++++++----- charts/falco-talon/templates/rbac.yaml | 7 +++++++ charts/falco-talon/values.yaml | 19 ++++++++++++++----- charts/falco/CHANGELOG.md | 2 +- charts/falco/Chart.yaml | 2 +- charts/falco/README.md | 2 +- 13 files changed, 58 insertions(+), 39 deletions(-) delete mode 100644 charts/falco-talon/rules_override.yaml diff --git a/charts/falco-talon/CHANGELOG.md b/charts/falco-talon/CHANGELOG.md index b5ed5f9da..e486a194c 100644 --- a/charts/falco-talon/CHANGELOG.md +++ b/charts/falco-talon/CHANGELOG.md @@ -3,6 +3,11 @@ This file documents all notable changes to Falco Talon Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## 0.2.0 - 2024-11-26 +- configure pod to not rollout on configmap change +- configure pod to rollout on secret change +- add config.rulesOverride allowing users to override config rules + ## 0.1.3 - 2024-11-08 - change the key for the range over the rules files @@ -18,4 +23,4 @@ numbering uses [semantic versioning](http://semver.org). ## 0.1.0 - 2024-09-05 -- First release +- First release \ No newline at end of file diff --git a/charts/falco-talon/Chart.yaml b/charts/falco-talon/Chart.yaml index c6871d480..f7c94c3ca 100644 --- a/charts/falco-talon/Chart.yaml +++ b/charts/falco-talon/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 -appVersion: 0.1.1 +appVersion: 0.2.0 description: React to the events from Falco name: falco-talon -version: 0.1.3 +version: 0.2.0 keywords: - falco - monitoring 
@@ -14,3 +14,5 @@ sources: maintainers: - name: Issif email: issif+github@gadz.org + - name: IgorEulalio + email: igoreulalio.ie@gmail.com \ No newline at end of file diff --git a/charts/falco-talon/README.md b/charts/falco-talon/README.md index 01350e7a9..0be85d5f9 100644 --- a/charts/falco-talon/README.md +++ b/charts/falco-talon/README.md 
@@ -58,7 +58,7 @@ helm delete falco-talon -n falco | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | affinity | -| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesFiles":["rules.yaml","rules_override.yaml"],"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) | +| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco 
Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesOverride":"- action: Terminate Pod\n actionner: kubernetes:terminate\n parameters:\n ignore_daemonsets: true\n ignore_statefulsets: true\n grace_period_seconds: 20\n","watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) | | config.aws | object | `{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""}` | aws | | config.aws.accesKey | string | `""` | access key (if not specified, default access_key from provider credential chain will be used) | | config.aws.externalId | string | `""` | external id | @@ -111,7 +111,6 @@ helm delete falco-talon -n falco | config.otel.metricsEnabled | bool | `false` | enable otel metrics | | config.otel.tracesEnabled | bool | `false` | enable otel traces | | config.printAllEvents | bool | `false` | print in stdout all received events, not only those which match a rule | -| config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map | | config.watchRules | bool | `true` | auto reload the rules when the files change | | extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env | | image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters | 
@@ -134,7 +133,9 @@ helm delete falco-talon -n falco | podSecurityPolicy | object | `{"create":false}` | pod security policy | | podSecurityPolicy.create | bool | `false` | enable the creation of the PSP | | priorityClassName | string | `""` | priority class name | -| rbac | object | `{"caliconetworkpolicies":["get","update","patch","create"],"ciliumnetworkpolicies":["get","update","patch","create"],"clusterroles":["get","delete"],"configmaps":["get","delete"],"daemonsets":["get","delete"],"deployments":["get","delete"],"events":["get","update","patch","create"],"leases":["get","update","patch","watch","create"],"namespaces":["get","delete"],"networkpolicies":["get","update","patch","create"],"nodes":["get","update","patch","watch","create"],"pods":["get","update","patch","delete","list"],"podsEphemeralcontainers":["patch","create"],"podsEviction":["get","create"],"podsExec":["get","create"],"podsLog":["get"],"replicasets":["get","delete"],"roles":["get","delete"],"secrets":["get","delete"],"statefulsets":["get","delete"]}` | rbac | +| rbac | object | `{"caliconetworkpolicies":["get","update","patch","create"],"ciliumnetworkpolicies":["get","update","patch","create"],"clusterroles":["get","delete"],"configmaps":["get","delete"],"daemonsets":["get","delete"],"deployments":["get","delete"],"events":["get","update","patch","create"],"leases":["get","update","patch","watch","create"],"namespaces":["get","delete"],"networkpolicies":["get","update","patch","create"],"nodes":["get","update","patch","watch","create"],"pods":["get","update","patch","delete","list"],"podsEphemeralcontainers":["patch","create"],"podsEviction":["get","create"],"podsExec":["get","create"],"podsLog":["get"],"replicasets":["get","delete"],"roles":["get","delete"],"secrets":["get","delete"],"serviceAccount":{"create":true,"name":""},"statefulsets":["get","delete"]}` | rbac | +| rbac.serviceAccount.create | bool | `true` | create the service account. 
If create is false, name is required | +| rbac.serviceAccount.name | string | `""` | name of the service account | | replicaCount | int | `2` | number of running pods | | resources | object | `{}` | resources | | service | object | `{"annotations":{},"port":2803,"type":"ClusterIP"}` | service parameters | diff --git a/charts/falco-talon/rules.yaml b/charts/falco-talon/rules.yaml index dbc9f315c..56860a748 100644 --- a/charts/falco-talon/rules.yaml +++ b/charts/falco-talon/rules.yaml @@ -6,12 +6,3 @@ parameters: labels: analysis/status: "suspicious" - -- rule: Terminal shell in container - match: - rules: - - Terminal shell in container - output_fields: - - k8s.ns.name!=kube-system, k8s.ns.name!=falco - actions: - - action: Label Pod as Suspicious diff --git a/charts/falco-talon/rules_override.yaml b/charts/falco-talon/rules_override.yaml deleted file mode 100644 index a75af42c4..000000000 --- a/charts/falco-talon/rules_override.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- action: Terminate Pod - actionner: kubernetes:terminate - parameters: - ignore_daemonsets: true - ignore_statefulsets: true - grace_period_seconds: 2 \ No newline at end of file diff --git a/charts/falco-talon/templates/_helpers.tpl b/charts/falco-talon/templates/_helpers.tpl index 70e9bb80e..a5c6c206a 100644 --- a/charts/falco-talon/templates/_helpers.tpl +++ b/charts/falco-talon/templates/_helpers.tpl 
@@ -61,4 +61,13 @@ Return if ingress supports pathType. */}} {{- define "falco-talon.ingress.supportsPathType" -}} {{- or (eq (include "falco-talon.ingress.isStable" .) "true") (and (eq (include "falco-talon.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{/* +Validate if either serviceAccount create is set to true or serviceAccount name is passed +*/}} +{{- define "falco-talon.validateServiceAccount" -}} + {{- if and (not .Values.rbac.serviceAccount.create) (not .Values.rbac.serviceAccount.name) -}} + {{- fail ".Values.rbac.serviceAccount.create is set to false and .Values.rbac.serviceAccount.name is not provided or is provided as empty string." -}} + {{- end -}} +{{- end -}} diff --git a/charts/falco-talon/templates/configmap.yaml b/charts/falco-talon/templates/configmap.yaml index c9db3dd23..e7ff6d371 100644 --- a/charts/falco-talon/templates/configmap.yaml +++ b/charts/falco-talon/templates/configmap.yaml @@ -6,7 +6,7 @@ metadata: {{- include "falco-talon.labels" . | nindent 4 }} data: rules.yaml: |- -{{- range $file := .Values.config.rulesFiles -}} -{{ $fileContent := $.Files.Get $file }} -{{- $fileContent | nindent 4 -}} -{{- end -}} + {{ $.Files.Get "rules.yaml" | nindent 4 }} + {{- if .Values.config.rulesOverride }} + {{ .Values.config.rulesOverride | nindent 4 }} + {{- end }} diff --git a/charts/falco-talon/templates/deployment.yaml b/charts/falco-talon/templates/deployment.yaml index f4ac78912..862a882df 100644 --- a/charts/falco-talon/templates/deployment.yaml +++ b/charts/falco-talon/templates/deployment.yaml 
@@ -15,12 +15,13 @@ spec: template: metadata: labels: - {{- include "falco-talon.labels" . | nindent 8 }} - {{- if .Values.podAnnotations }} - {{ toYaml .Values.podAnnotations | indent 8 }} - {{- end }} + app.kubernetes.io/name: {{ include "falco-talon.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- if .Values.podAnnotations }} + {{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} annotations: - timestamp: {{ now }} + secret-checksum: {{ (lookup "v1" "Secret" .Release.Namespace (include "falco-talon.name" . | cat "-config")).data | toJson | sha256sum }} spec: serviceAccountName: {{ include "falco-talon.name" . }} {{- if .Values.priorityClassName }} diff --git a/charts/falco-talon/templates/rbac.yaml b/charts/falco-talon/templates/rbac.yaml index 50080a124..bd45db505 100644 --- a/charts/falco-talon/templates/rbac.yaml +++ b/charts/falco-talon/templates/rbac.yaml @@ -1,4 +1,6 @@ +{{- include "falco-talon.validateServiceAccount" . -}} --- +{{- if .Values.rbac.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: @@ -6,6 +8,7 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{- include "falco-talon.labels" . | nindent 4 }} +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -205,5 +208,9 @@ roleRef: name: {{ include "falco-talon.name" . }} subjects: - kind: ServiceAccount + {{- if .Values.rbac.serviceAccount.create }} name: {{ include "falco-talon.name" . }} + {{- else }} + name: {{ .Values.rbac.serviceAccount.name }} + {{- end }} namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/charts/falco-talon/values.yaml b/charts/falco-talon/values.yaml index 380cba120..47ef1388a 100644 --- a/charts/falco-talon/values.yaml +++ b/charts/falco-talon/values.yaml 
@@ -105,6 +105,11 @@ affinity: {} # -- rbac rbac: + serviceAccount: + # -- create the service account. If create is false, name is required + create: true + # -- name of the service account + name: "" namespaces: ["get", "delete"] pods: ["get", "update", "patch", "delete", "list"] podsEphemeralcontainers: ["patch", "create"] @@ -141,11 +146,6 @@ config: # -- auto reload the rules when the files change watchRules: true - # -- list of locale rules to load, they will be concatenated into a single config map - rulesFiles: - - rules.yaml - - rules_override.yaml - # -- deduplication of the Falco events deduplication: # -- enable the leader election for cluster mode @@ -156,6 +156,15 @@ config: # -- print in stdout all received events, not only those which match a rule printAllEvents: false + # User-defined additional rules for rules_override.yaml + rulesOverride: | + - action: Terminate Pod + actionner: kubernetes:terminate + parameters: + ignore_daemonsets: true + ignore_statefulsets: true + grace_period_seconds: 20 + # -- open telemetry parameters otel: # -- enable otel traces diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md index a75f149f4..41d05e67a 100644 --- a/charts/falco/CHANGELOG.md +++ b/charts/falco/CHANGELOG.md @@ -1227,4 +1227,4 @@ Remove whitespace around `falco.httpOutput.url` to fix the error `libcurl error: ### Major Changes -* Initial release of Sysdig Falco Helm Chart +* Initial release of Sysdig Falco Helm Chart \ No newline at end of file diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml index 0582008d2..400169081 100644 --- a/charts/falco/Chart.yaml +++ b/charts/falco/Chart.yaml @@ -25,4 +25,4 @@ dependencies: - name: k8s-metacollector version: 0.1.* repository: https://falcosecurity.github.io/charts - condition: collectors.kubernetes.enabled + condition: collectors.kubernetes.enabled \ No newline at end of file diff --git a/charts/falco/README.md b/charts/falco/README.md index 2a18dce99..82dddb7ac 100644 
--- a/charts/falco/README.md +++ b/charts/falco/README.md @@ -799,4 +799,4 @@ The following table lists the main configurable parameters of the falco chart v4 | serviceMonitor.tlsConfig | object | `{}` | tlsConfig specifies TLS (Transport Layer Security) configuration for secure communication when scraping metrics from a service. It allows you to define the details of the TLS connection, such as CA certificate, client certificate, and client key. Currently, the k8s-metacollector does not support TLS configuration for the metrics endpoint. | | services | string | `nil` | Network services configuration (scenario requirement) Add here your services to be deployed together with Falco. | | tolerations | list | `[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"}]` | Tolerations to allow Falco to run on Kubernetes masters. | -| tty | bool | `false` | Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. Set it to "true" when you need the Falco logs to be immediately displayed. | +| tty | bool | `false` | Attach the Falco process to a tty inside the container. Needed to flush Falco logs as soon as they are emitted. Set it to "true" when you need the Falco logs to be immediately displayed. | \ No newline at end of file
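Review bot: the 0.2.0 entry in the charts/falco-talon/CHANGELOG.md hunk (@@ -3,6 +3,11 @@) leaves out three user-visible changes made elsewhere in this patch: `config.rulesFiles` is removed from values.yaml (a breaking change, since a values file that still sets it now has the key silently ignored and the files it lists are never loaded; the configmap template reads a fixed `rules.yaml`), `rbac.serviceAccount.create` / `rbac.serviceAccount.name` are new, and the bundled `Terminal shell in container` rule is dropped from rules.yaml while the default `grace_period_seconds` goes from 2 to 20. Suggest one bullet per change, marking the `rulesFiles` removal as breaking, e.g. `- remove config.rulesFiles (breaking): custom rules now go in config.rulesOverride`.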
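Review bot: the charts/falco-talon/rules.yaml hunk (@@ -6,12 +6,3 @@) removes the only rule left in the bundled file, so the action that sets `analysis/status: "suspicious"` (presumably the `Label Pod as Suspicious` action the removed rule referenced) stays defined but is no longer used by anything shipped with the chart, and a default install no longer reacts to `Terminal shell in container` at all; the only active default behaviour now comes from the `config.rulesOverride` value, which terminates pods. If that is the intent, the CHANGELOG should say so; if the goal was only to move the user-customisable part into values, keep this rule in rules.yaml and let `rulesOverride` add to it.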
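Review bot: in the charts/falco-talon/templates/configmap.yaml hunk (@@ -6,7 +6,7 @@) both `{{ $.Files.Get "rules.yaml" | nindent 4 }}` and `{{ .Values.config.rulesOverride | nindent 4 }}` are written with four literal leading spaces and no left-trim marker; `nindent` already emits a newline plus the indent, so the rendered `rules.yaml` block scalar starts with a whitespace-only line and gets a second one before the override. Write them as `{{- $.Files.Get "rules.yaml" | nindent 4 }}` and `{{- .Values.config.rulesOverride | nindent 4 }}`. Note also that this template appends `rulesOverride` after the bundled rules.yaml rather than replacing it, which does not match the CHANGELOG wording "override config rules"; the values comment should state that these rules are added to the bundled ones.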
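Review bot: the Secret name in the `secret-checksum` annotation of the charts/falco-talon/templates/deployment.yaml hunk (@@ -15,12 +15,13 @@) is built with `include "falco-talon.name" . | cat "-config"`, which evaluates as `cat "-config" "<name>"`; Sprig's `cat` joins its arguments with a space, so the lookup asks for a Secret called `-config <name>`, finds nothing, and the annotation becomes a constant hash of `null`, i.e. no secret change ever triggers a rollout. Use `printf "%s-config" (include "falco-talon.name" .)` instead. Even with the name fixed, `lookup` returns the Secret as it exists in the cluster before this upgrade is applied (an empty map under `helm template` or `--dry-run`, and only if the Helm caller is allowed to `get` secrets), so a change shipped in this release reaches the pod spec one upgrade late; if the chart renders the Secret itself, hash the rendered template instead, e.g. `checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}` (the template file name is an assumption). Two smaller points in the same hunk: `.Values.podAnnotations` is rendered under `labels:` both before and after the change and belongs under `annotations:`; and since the pod template no longer carries the chart-wide labels, please confirm that `spec.selector.matchLabels` (outside the hunk) selects only on `app.kubernetes.io/name` and `app.kubernetes.io/instance`, otherwise the API server rejects the Deployment for a selector that does not match its template.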
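Review bot: the ClusterRoleBinding in the charts/falco-talon/templates/rbac.yaml hunk (@@ -205,5 +208,9 @@) now binds `.Values.rbac.serviceAccount.name` when `create` is false, but the Deployment still sets `serviceAccountName: {{ include "falco-talon.name" . }}` (visible as unchanged context in the deployment.yaml hunk), so with `create: false` the pods reference a ServiceAccount that is never created while the cluster role is bound to a different one: pod creation fails with a missing-ServiceAccount error, and if someone creates that account by hand Talon runs with no permissions at all. Add a helper such as `{{- define "falco-talon.serviceAccountName" -}}{{- if .Values.rbac.serviceAccount.create }}{{ include "falco-talon.name" . }}{{- else }}{{ .Values.rbac.serviceAccount.name }}{{- end }}{{- end }}` and use it in both the binding subject and the Deployment, so the two can never diverge.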
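Review bot: the comment on the new `rulesOverride` key in the charts/falco-talon/values.yaml hunk (@@ -156,6 +156,15 @@) lacks the `# --` helm-docs marker that every neighbouring key carries, so the generated README gains no `config.rulesOverride` row (the README hunk indeed adds none), and it still refers to `rules_override.yaml`, a file this same patch deletes. Suggest `# -- additional Talon rules appended to the bundled rules.yaml; set to "" to add none`. The default value also raises `grace_period_seconds` from 2 (in the deleted rules_override.yaml) to 20 without a CHANGELOG line; because this default actively terminates pods, a user upgrading should be told that the grace period changed.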
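Review bot: the three charts/falco hunks (CHANGELOG.md @@ -1227,4 +1227,4 @@, Chart.yaml @@ -25,4 +25,4 @@, README.md @@ -799,4 +799,4 @@) change nothing but the trailing newline of each file, and the same happens to charts/falco-talon/CHANGELOG.md (@@ -18,4 +23,4 @@) and Chart.yaml (@@ -14,3 +14,5 @@); a falco-talon change should not touch the falco chart at all, and a missing final newline is just churn that the next editor to save the file will reverse. Please revert the charts/falco changes and restore the final newline in the falco-talon files (an editor "insert final newline" setting avoids this).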