feat(falco-talon): Configure Talon pod to not rollout on configmap changes, allow user to input rules.yaml directly, configure Talon to rollout on secret change

charts/falco-talon/CHANGELOG.md

@@ -3,6 +3,11 @@
 This file documents all notable changes to Falco Talon Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## 0.2.0 - 2024-11-26
+- configure pod to not rollout on configmap change
+- configure pod to rollout on secret change
+- add config.rulesOverride allowing users to override config rules
+
 ## 0.1.3 - 2024-11-08
 
 - change the key for the range over the rules files
@@ -18,4 +23,4 @@ numbering uses [semantic versioning](http://semver.org).
 
 ## 0.1.0 - 2024-09-05
 
-- First release
+- First release

charts/falco-talon/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: 0.1.1
+appVersion: 0.2.0
 description: React to the events from Falco
 name: falco-talon
-version: 0.1.3
+version: 0.2.0
 keywords:
   - falco
   - monitoring
@@ -14,3 +14,5 @@ sources:
 maintainers:
   - name: Issif
     email: [email protected]
+  - name: IgorEulalio
+    email: [email protected]

charts/falco-talon/README.md

@@ -58,7 +58,7 @@ helm delete falco-talon -n falco
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | affinity |
-| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesFiles":["rules.yaml","rules_override.yaml"],"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
+| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesOverride":"- action: Terminate Pod\n  actionner: kubernetes:terminate\n  parameters:\n    ignore_daemonsets: true\n    ignore_statefulsets: true\n    grace_period_seconds: 20\n","watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
 | config.aws | object | `{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""}` | aws |
 | config.aws.accesKey | string | `""` | access key (if not specified, default access_key from provider credential chain will be used) |
 | config.aws.externalId | string | `""` | external id |
@@ -111,13 +111,12 @@ helm delete falco-talon -n falco
 | config.otel.metricsEnabled | bool | `false` | enable otel metrics |
 | config.otel.tracesEnabled | bool | `false` | enable otel traces |
 | config.printAllEvents | bool | `false` | print in stdout all received events, not only those which match a rule |
-| config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map |
 | config.watchRules | bool | `true` | auto reload the rules when the files change |
 | extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env |
-| image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters |
+| image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"falcosecurity/falco-talon","tag":""}` | image parameters |
 | image.pullPolicy | string | `"Always"` | The image pull policy |
 | image.registry | string | `"falco.docker.scarf.sh"` | The image registry to pull from |
-| image.repository | string | `"issif/falco-talon"` | The image repository to pull from |
+| image.repository | string | `"falcosecurity/falco-talon"` | The image repository to pull from |
 | image.tag | string | `""` | Override the image tag to pull |
 | imagePullSecrets | list | `[]` | one or more secrets to be used when pulling images |
 | ingress | object | `{"annotations":{},"enabled":false,"hosts":[{"host":"falco-talon.local","paths":[{"path":"/"}]}],"tls":[]}` | ingress parameters |
@@ -134,7 +133,9 @@ helm delete falco-talon -n falco
 | podSecurityPolicy | object | `{"create":false}` | pod security policy |
 | podSecurityPolicy.create | bool | `false` | enable the creation of the PSP |
 | priorityClassName | string | `""` | priority class name |
-| rbac | object | `{"caliconetworkpolicies":["get","update","patch","create"],"ciliumnetworkpolicies":["get","update","patch","create"],"clusterroles":["get","delete"],"configmaps":["get","delete"],"daemonsets":["get","delete"],"deployments":["get","delete"],"events":["get","update","patch","create"],"leases":["get","update","patch","watch","create"],"namespaces":["get","delete"],"networkpolicies":["get","update","patch","create"],"nodes":["get","update","patch","watch","create"],"pods":["get","update","patch","delete","list"],"podsEphemeralcontainers":["patch","create"],"podsEviction":["get","create"],"podsExec":["get","create"],"podsLog":["get"],"replicasets":["get","delete"],"roles":["get","delete"],"secrets":["get","delete"],"statefulsets":["get","delete"]}` | rbac |
+| rbac | object | `{"caliconetworkpolicies":["get","update","patch","create"],"ciliumnetworkpolicies":["get","update","patch","create"],"clusterroles":["get","delete"],"configmaps":["get","delete"],"daemonsets":["get","delete"],"deployments":["get","delete"],"events":["get","update","patch","create"],"leases":["get","update","patch","watch","create"],"namespaces":["get","delete"],"networkpolicies":["get","update","patch","create"],"nodes":["get","update","patch","watch","create"],"pods":["get","update","patch","delete","list"],"podsEphemeralcontainers":["patch","create"],"podsEviction":["get","create"],"podsExec":["get","create"],"podsLog":["get"],"replicasets":["get","delete"],"roles":["get","delete"],"secrets":["get","delete"],"serviceAccount":{"create":true,"name":""},"statefulsets":["get","delete"]}` | rbac |
+| rbac.serviceAccount.create | bool | `true` | create the service account. If create is false, name is required |
+| rbac.serviceAccount.name | string | `""` | name of the service account |
 | replicaCount | int | `2` | number of running pods |
 | resources | object | `{}` | resources |
 | service | object | `{"annotations":{},"port":2803,"type":"ClusterIP"}` | service parameters |

charts/falco-talon/rules.yaml

@@ -6,12 +6,3 @@
   parameters:
     labels:
       analysis/status: "suspicious"
-
-- rule: Terminal shell in container 
-  match:
-    rules:
-      - Terminal shell in container
-    output_fields:
-      - k8s.ns.name!=kube-system, k8s.ns.name!=falco
-  actions:
-    - action: Label Pod as Suspicious

charts/falco-talon/templates/_helpers.tpl

@@ -61,4 +61,13 @@ Return if ingress supports pathType.
 */}}
 {{- define "falco-talon.ingress.supportsPathType" -}}
   {{- or (eq (include "falco-talon.ingress.isStable" .) "true") (and (eq (include "falco-talon.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Validate if either serviceAccount create is set to true or serviceAccount name is passed
+*/}}
+{{- define "falco-talon.validateServiceAccount" -}}
+  {{- if and (not .Values.rbac.serviceAccount.create) (not .Values.rbac.serviceAccount.name) -}}
+  {{- fail ".Values.rbac.serviceAccount.create is set to false and .Values.rbac.serviceAccount.name is not provided or is provided as empty string." -}}
+  {{- end -}}
+{{- end -}}

charts/falco-talon/templates/configmap.yaml

@@ -6,7 +6,7 @@ metadata:
     {{- include "falco-talon.labels" . | nindent 4 }}
 data:
   rules.yaml: |-
-{{- range $file := .Values.config.rulesFiles -}}
-{{ $fileContent := $.Files.Get $file }}
-{{- $fileContent | nindent 4 -}}
-{{- end -}}
+    {{ $.Files.Get "rules.yaml" | nindent 4 }}
+    {{- if .Values.config.rulesOverride }}
+    {{ .Values.config.rulesOverride | nindent 4 }}
+    {{- end }}

charts/falco-talon/templates/deployment.yaml

@@ -15,12 +15,13 @@ spec:
   template:
     metadata:
       labels:
-      {{- include "falco-talon.labels" . | nindent 8 }}
-      {{- if .Values.podAnnotations }}
-        {{ toYaml .Values.podAnnotations | indent 8 }}
-      {{- end }}
+        app.kubernetes.io/name: {{ include "falco-talon.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- if .Values.podAnnotations }}
+          {{ toYaml .Values.podAnnotations | indent 8 }}
+        {{- end }}
       annotations:
-        timestamp: {{ now }}
+        secret-checksum: {{ (lookup "v1" "Secret" .Release.Namespace (include "falco-talon.name" . | cat "-config")).data | toJson | sha256sum }}
     spec:
       serviceAccountName: {{ include "falco-talon.name" . }}
       {{- if .Values.priorityClassName }}

charts/falco-talon/templates/rbac.yaml

@@ -1,11 +1,14 @@
+{{- include "falco-talon.validateServiceAccount" . -}}
 ---
+{{- if .Values.rbac.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "falco-talon.name" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -205,5 +208,9 @@ roleRef:
   name: {{ include "falco-talon.name" . }}
 subjects:
 - kind: ServiceAccount
+  {{- if .Values.rbac.serviceAccount.create }}
   name: {{ include "falco-talon.name" . }}
+  {{- else }}
+  name: {{ .Values.rbac.serviceAccount.name }}
+  {{- end }}
   namespace: {{ .Release.Namespace }}

charts/falco-talon/values.yaml

@@ -10,7 +10,7 @@ image:
   # -- The image registry to pull from
   registry: falco.docker.scarf.sh
   # -- The image repository to pull from
-  repository: issif/falco-talon
+  repository: falcosecurity/falco-talon
   # -- Override the image tag to pull
   tag: ""
   # -- The image pull policy
@@ -105,6 +105,11 @@ affinity: {}
 
 # -- rbac
 rbac:
+  serviceAccount:
+    # -- create the service account. If create is false, name is required
+    create: true
+    # -- name of the service account
+    name: ""
   namespaces: ["get", "delete"]
   pods: ["get", "update", "patch", "delete", "list"]
   podsEphemeralcontainers: ["patch", "create"]
@@ -141,11 +146,6 @@ config:
   # -- auto reload the rules when the files change
   watchRules: true
 
-  # -- list of locale rules to load, they will be concatenated into a single config map
-  rulesFiles:
-    - rules.yaml
-    - rules_override.yaml
-
   # -- deduplication of the Falco events
   deduplication:
     # -- enable the leader election for cluster mode
@@ -156,6 +156,15 @@ config:
   # -- print in stdout all received events, not only those which match a rule
   printAllEvents: false
 
+  # User-defined additional rules for rules_override.yaml
+  rulesOverride: |
+    - action: Terminate Pod
+      actionner: kubernetes:terminate
+      parameters:
+        ignore_daemonsets: true
+        ignore_statefulsets: true
+        grace_period_seconds: 20
+
   # -- open telemetry parameters
   otel:
     # -- enable otel traces

charts/falco/CHANGELOG.md

@@ -3,6 +3,10 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v4.15.1
+
+* fix: change the url for the concurrent queue classes docs
+
 ## v4.15.0
 
 * update(falco): bump falco version to 0.39.2 and falcoctl to 0.10.1

charts/falco/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: falco
-version: 4.15.0
+version: 4.15.1
 appVersion: "0.39.2"
 description: Falco
 keywords: