update Falco charts for upcoming Falco 0.38

charts/falco/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: falco
-version: 4.3.1
-appVersion: "0.37.1"
+version: 4.4.0
+appVersion: "0.38.0"
 description: Falco
 keywords:
   - monitoring

charts/falco/templates/_helpers.tpl

@@ -377,7 +377,7 @@ Based on the user input it populates the driver configuration in the falco confi
 */}}
 {{- define "falco.engineConfiguration" -}}
 {{- if .Values.driver.enabled -}}
-{{- $supportedDrivers := list "kmod" "ebpf" "modern_ebpf" "gvisor" -}}
+{{- $supportedDrivers := list "kmod" "ebpf" "modern_ebpf" "gvisor" "auto" -}}
 {{- $aliasDrivers := list "module" "modern-bpf" -}}
 {{- if and (not (has .Values.driver.kind $supportedDrivers)) (not (has .Values.driver.kind $aliasDrivers)) -}}
 {{- fail (printf "unsupported driver kind: \"%s\". Supported drivers %s, alias %s" .Values.driver.kind $supportedDrivers $aliasDrivers) -}}
@@ -395,6 +395,9 @@ Based on the user input it populates the driver configuration in the falco confi
 {{- $root := printf "/host%s/k8s.io" .Values.driver.gvisor.runsc.root -}}
 {{- $gvisorConfig := dict "kind" "gvisor" "gvisor" (dict "config" "/gvisor-config/pod-init.json" "root" $root) -}}
 {{- $_ := set .Values.falco "engine" $gvisorConfig -}}
+{{- else if eq .Values.driver.kind "auto" -}}
+{{- $engineConfig := dict "kind" "modern_ebpf" "kmod" (dict "buf_size_preset" .Values.driver.kmod.bufSizePreset "drop_failed_exit" .Values.driver.kmod.dropFailedExit) "ebpf" (dict "buf_size_preset" .Values.driver.ebpf.bufSizePreset "drop_failed_exit" .Values.driver.ebpf.dropFailedExit "probe" .Values.driver.ebpf.path) "modern_ebpf" (dict "buf_size_preset" .Values.driver.modernEbpf.bufSizePreset "drop_failed_exit" .Values.driver.modernEbpf.dropFailedExit "cpus_for_each_buffer" .Values.driver.modernEbpf.cpusForEachBuffer) -}}
+{{- $_ := set .Values.falco "engine" $engineConfig -}}
 {{- end -}}
 {{- end -}}
 {{- end -}}

charts/falco/templates/pod-template.tpl

@@ -346,17 +346,21 @@ spec:
   {{- with .Values.driver.loader.initContainer.args }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- if eq .Values.driver.kind "ebpf" }}
-    - ebpf
-   {{- end }}
+  {{- if eq .Values.driver.kind "module" }}
+    - kmod
+  {{- else if eq .Values.driver.kind "modern-bpf"}}
+    - modern_ebpf
+  {{- else }}
+    - {{ .Values.driver.kind }}
+  {{- end }}
   {{- with .Values.driver.loader.initContainer.resources }}
   resources:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   securityContext:
   {{- if .Values.driver.loader.initContainer.securityContext }}
     {{- toYaml .Values.driver.loader.initContainer.securityContext | nindent 4 }}
-  {{- else if (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }}
+  {{- else if (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") (eq .Values.driver.kind "auto")) }}
     privileged: true
   {{- end }}
   volumeMounts:
@@ -382,12 +386,21 @@ spec:
   {{- if .Values.driver.loader.initContainer.env }}
   {{- include "falco.renderTemplate" ( dict "value" .Values.driver.loader.initContainer.env "context" $) | nindent 4 }}
   {{- end }}
+  {{- if eq .Values.driver.kind "auto" }}
+    - name: FALCOCTL_DRIVER_CONFIG_NAMESPACE
+      valueFrom:
+        fieldRef:
+          fieldPath: metadata.namespace
+  {{- else }}
+    - name: FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO
+      value: "false"
+  {{- end }}
 {{- end -}}
 
 {{- define "falco.securityContext" -}}
 {{- $securityContext := dict -}}
 {{- if .Values.driver.enabled -}}
-  {{- if (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) -}}
+  {{- if (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") (eq .Values.driver.kind "auto")) -}}
     {{- $securityContext := set $securityContext "privileged" true -}}
   {{- end -}}
   {{- if eq .Values.driver.kind "ebpf" -}}

charts/falco/templates/role.yaml

@@ -0,0 +1,17 @@
+{{- if and .Values.rbac.create (eq .Values.driver.kind "auto")}}
+kind: Role
+apiVersion: {{ include "rbac.apiVersion" . }}
+metadata:
+  name: {{ include "falco.fullname" . }}
+  labels:
+    {{- include "falco.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - update
+{{- end }}

charts/falco/templates/roleBinding.yaml

@@ -0,0 +1,16 @@
+{{- if and .Values.rbac.create (eq .Values.driver.kind "auto")}}
+kind: RoleBinding
+apiVersion: {{ include "rbac.apiVersion" . }}
+metadata:
+  name: {{ include "falco.fullname" . }}
+  labels:
+    {{- include "falco.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "falco.serviceAccountName" . }}
+    namespace: {{ include "falco.namespace" . }}
+roleRef:
+  kind: Role
+  name: {{ include "falco.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/falco/tests/unit/driverConfig_test.go

@@ -41,10 +41,10 @@ func TestDriverConfigInFalcoConfig(t *testing.T) {
 			"defaultValues",
 			nil,
 			func(t *testing.T, config any) {
-				require.Len(t, config, 2, "should have only two items")
+				require.Len(t, config, 4, "should have four items")
 				kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config)
 				require.NoError(t, err)
-				require.Equal(t, "kmod", kind)
+				require.Equal(t, "modern_ebpf", kind)
 				require.Equal(t, float64(4), bufSizePreset)
 				require.False(t, dropFailedExit)
 			},
@@ -78,10 +78,11 @@ func TestDriverConfigInFalcoConfig(t *testing.T) {
 			},
 		},
 		{
-			"kmod=onfig",
+			"kmod=config",
 			map[string]string{
 				"driver.kmod.bufSizePreset":  "6",
 				"driver.kmod.dropFailedExit": "true",
+				"driver.kind":                "module",
 			},
 			func(t *testing.T, config any) {
 				require.Len(t, config, 2, "should have only two items")
@@ -93,7 +94,7 @@ func TestDriverConfigInFalcoConfig(t *testing.T) {
 			},
 		},
 		{
-			"kind=ebpf",
+			"ebpf=config",
 			map[string]string{
 				"driver.kind":                "ebpf",
 				"driver.ebpf.bufSizePreset":  "6",
@@ -111,7 +112,7 @@ func TestDriverConfigInFalcoConfig(t *testing.T) {
 			},
 		},
 		{
-			"ebpf=config",
+			"kind=ebpf",
 			map[string]string{
 				"driver.kind": "ebpf",
 			},
@@ -202,6 +203,35 @@ func TestDriverConfigInFalcoConfig(t *testing.T) {
 				require.Equal(t, "/host/my/root/test/k8s.io", root)
 			},
 		},
+		{
+			"kind=auto",
+			map[string]string{
+				"driver.kind": "auto",
+			},
+			func(t *testing.T, config any) {
+				require.Len(t, config, 4, "should have four items")
+				// Check that configuration for kmod has been set.
+				kind, bufSizePreset, dropFailedExit, err := getKmodConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "modern_ebpf", kind)
+				require.Equal(t, float64(4), bufSizePreset)
+				require.False(t, dropFailedExit)
+				// Check that configuration for ebpf has been set.
+				kind, path, bufSizePreset, dropFailedExit, err := getEbpfConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "modern_ebpf", kind)
+				require.Equal(t, "${HOME}/.falco/falco-bpf.o", path)
+				require.Equal(t, float64(4), bufSizePreset)
+				require.False(t, dropFailedExit)
+				// Check that configuration for modern_ebpf has been set.
+				kind, bufSizePreset, cpusForEachBuffer, dropFailedExit, err := getModernEbpfConfig(config)
+				require.NoError(t, err)
+				require.Equal(t, "modern_ebpf", kind)
+				require.Equal(t, float64(4), bufSizePreset)
+				require.Equal(t, float64(2), cpusForEachBuffer)
+				require.False(t, dropFailedExit)
+			},
+		},
 	}
 
 	for _, testCase := range testCases {
@@ -236,7 +266,8 @@ func TestDriverConfigWithUnsupportedDriver(t *testing.T) {
 	options := &helm.Options{SetValues: values}
 	_, err = helm.RenderTemplateE(t, options, helmChartPath, releaseName, []string{"templates/configmap.yaml"})
 	require.Error(t, err)
-	require.True(t, strings.Contains(err.Error(), "unsupported driver kind: \"notExisting\". Supported drivers [kmod ebpf modern_ebpf gvisor], alias [module modern-bpf]"))
+	require.True(t, strings.Contains(err.Error(),
+		"unsupported driver kind: \"notExisting\". Supported drivers [kmod ebpf modern_ebpf gvisor auto], alias [module modern-bpf]"))
 }
 
 func getKmodConfig(config interface{}) (kind string, bufSizePreset float64, dropFailedExit bool, err error) {

charts/falco/tests/unit/driverLoader_test.go

@@ -19,11 +19,29 @@ import (
 	"path/filepath"
 	"testing"
 
+	v1 "k8s.io/api/core/v1"
+
 	"github.com/gruntwork-io/terratest/modules/helm"
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
 )
 
+var (
+	namespaceEnvVar = v1.EnvVar{
+		Name: "FALCOCTL_DRIVER_CONFIG_NAMESPACE",
+		ValueFrom: &v1.EnvVarSource{
+			FieldRef: &v1.ObjectFieldSelector{
+				APIVersion: "",
+				FieldPath:  "metadata.namespace",
+			},
+		}}
+
+	updateConfigMapEnvVar = v1.EnvVar{
+		Name:  "FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO",
+		Value: "false",
+	}
+)
+
 // TestDriverLoaderEnabled tests the helper that enables the driver loader based on the configuration.
 func TestDriverLoaderEnabled(t *testing.T) {
 	t.Parallel()
@@ -34,76 +52,120 @@ func TestDriverLoaderEnabled(t *testing.T) {
 	testCases := []struct {
 		name     string
 		values   map[string]string
-		expected bool
+		expected func(t *testing.T, initContainer any)
 	}{
 		{
 			"defaultValues",
 			nil,
-			true,
+			func(t *testing.T, initContainer any) {
+				container, ok := initContainer.(v1.Container)
+				require.True(t, ok)
+
+				require.Contains(t, container.Args, "auto")
+				require.True(t, *container.SecurityContext.Privileged)
+				require.Contains(t, container.Env, namespaceEnvVar)
+				require.NotContains(t, container.Env, updateConfigMapEnvVar)
+			},
 		},
 		{
 			"driver.kind=modern-bpf",
 			map[string]string{
 				"driver.kind": "modern-bpf",
 			},
-			false,
+			func(t *testing.T, initContainer any) {
+				require.Equal(t, initContainer, nil)
+			},
 		},
 		{
 			"driver.kind=modern_ebpf",
 			map[string]string{
 				"driver.kind": "modern_ebpf",
 			},
-			false,
+			func(t *testing.T, initContainer any) {
+				require.Equal(t, initContainer, nil)
+			},
 		},
 		{
 			"driver.kind=gvisor",
 			map[string]string{
 				"driver.kind": "gvisor",
 			},
-			false,
+			func(t *testing.T, initContainer any) {
+				require.Equal(t, initContainer, nil)
+			},
 		},
 		{
 			"driver.disabled",
 			map[string]string{
 				"driver.enabled": "false",
 			},
-			false,
+			func(t *testing.T, initContainer any) {
+				require.Equal(t, initContainer, nil)
+			},
 		},
 		{
 			"driver.loader.disabled",
 			map[string]string{
 				"driver.loader.enabled": "false",
 			},
-			false,
+			func(t *testing.T, initContainer any) {
+				require.Equal(t, initContainer, nil)
+			},
 		},
 		{
 			"driver.kind=kmod",
 			map[string]string{
 				"driver.kind": "kmod",
 			},
-			true,
+			func(t *testing.T, initContainer any) {
+				container, ok := initContainer.(v1.Container)
+				require.True(t, ok)
+
+				require.Contains(t, container.Args, "kmod")
+				require.True(t, *container.SecurityContext.Privileged)
+				require.NotContains(t, container.Env, namespaceEnvVar)
+				require.Contains(t, container.Env, updateConfigMapEnvVar)
+			},
 		},
 		{
 			"driver.kind=module",
 			map[string]string{
 				"driver.kind": "module",
 			},
-			true,
+			func(t *testing.T, initContainer any) {
+				container, ok := initContainer.(v1.Container)
+				require.True(t, ok)
+
+				require.Contains(t, container.Args, "kmod")
+				require.True(t, *container.SecurityContext.Privileged)
+				require.NotContains(t, container.Env, namespaceEnvVar)
+				require.Contains(t, container.Env, updateConfigMapEnvVar)
+			},
 		},
 		{
 			"driver.kind=ebpf",
 			map[string]string{
 				"driver.kind": "ebpf",
 			},
-			true,
+			func(t *testing.T, initContainer any) {
+				container, ok := initContainer.(v1.Container)
+				require.True(t, ok)
+
+				require.Contains(t, container.Args, "ebpf")
+				require.Nil(t, container.SecurityContext)
+				require.NotContains(t, container.Env, namespaceEnvVar)
+				require.Contains(t, container.Env, updateConfigMapEnvVar)
+			},
 		},
 		{
 			"driver.kind=kmod&driver.loader.disabled",
 			map[string]string{
 				"driver.kind":           "kmod",
 				"driver.loader.enabled": "false",
 			},
-			false,
+			func(t *testing.T, initContainer any) {
+				require.Equal(t, initContainer, nil)
+			},
 		},
 	}
 
@@ -118,14 +180,13 @@ func TestDriverLoaderEnabled(t *testing.T) {
 
 			var ds appsv1.DaemonSet
 			helm.UnmarshalK8SYaml(t, output, &ds)
-			found := false
 			for i := range ds.Spec.Template.Spec.InitContainers {
 				if ds.Spec.Template.Spec.InitContainers[i].Name == "falco-driver-loader" {
-					found = true
+					testCase.expected(t, ds.Spec.Template.Spec.InitContainers[i])
+					return
 				}
 			}
-
-			require.Equal(t, testCase.expected, found)
+			testCase.expected(t, nil)
 		})
 	}
 }