Falco crash after few minutes on GKE 1.24 #2694
Comments
cc @alacuku
We have deployed the exact same setup/conf on a 1.27 cluster, everything seems fine for now.
Hey @jr-instantsystem, it's a known issue. In large clusters, the
Also, here is the tracking issue: #2973
hi @alacuku ,
can we close this since it is probably a duplicate of #2973?
Yes, we don't have any problem anymore since we disabled the metadata
thanks, we will update you when a new version of the k8s client is out
Can you tell me how I can disable metadata collection? I tried the
@gold-kou if you are using the helm chart as installation method you need to put

```yaml
kubernetes:
  # -- Enable Kubernetes meta data collection via a connection to the Kubernetes API server.
  # When this option is disabled, Falco falls back to the container annotations to grab the meta data.
  # In such a case, only the ID, name, namespace, labels of the pod will be available.
  enabled: true
  # -- The apiAuth value is to provide the authentication method Falco should use to connect to the Kubernetes API.
  # The argument's documentation from Falco is provided here for reference:
  #
  # <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>], --k8s-api-cert <bt_file> | <cert_file>:<key_file[#password]>[:<ca_cert_file>]
  #     Use the provided files names to authenticate user and (optionally) verify the K8S API server identity.
  #     Each entry must specify full (absolute, or relative to the current directory) path to the respective file.
  #     Private key password is optional (needed only if key is password protected).
  #     CA certificate is optional. For all files, only PEM file format is supported.
  #     Specifying CA certificate only is obsoleted - when single entry is provided
  #     for this option, it will be interpreted as the name of a file containing bearer token.
  #     Note that the format of this command-line option prohibits use of files whose names contain
  #     ':' or '#' characters in the file name.
  # -- Provide the authentication method Falco should use to connect to the Kubernetes API.
  apiAuth: /home/andrea/Downloads/falco-0.36.0-x86_64/token
  ## -- Provide the URL Falco should use to connect to the Kubernetes API.
  apiUrl: "https://127.0.0.1:33229"
  # -- If true, only the current node (on which Falco is running) will be considered when requesting metadata of pods
  # to the API server. Disabling this option may have a performance penalty on large clusters.
  enableNodeFilter: true
```
I take down a memo for somebody who doesn't use helm. What I did: Reason: According to the below page,
Describe the bug
Hi
We are evaluating Falco on one of our clusters, and we face regular restarts of each Falco container.
For instance, it has restarted ~120 times in one night.
How to reproduce it
It is deployed using the Helm chart 3.3.0 (falco 0.35.1) as daemonset, on a GKE cluster running Kubernetes 1.24.
The falco config is:
After a few minutes, the container crashes (exitCode: 1), here is a container log:
Expected behaviour
No crash :)
Environment
Helm chart 3.3.0 (falco 0.35.1) as daemonset, on a GKE cluster running Kubernetes 1.24.
```json
{
  "machine": "x86_64",
  "nodename": "falco-bk264",
  "release": "5.10.162+",
  "sysname": "Linux",
  "version": "Digwatch compiler #1 SMP Sat Mar 11 15:59:33 UTC 2023"
}
```