-
Notifications
You must be signed in to change notification settings - Fork 911
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update(rule_loader): deprecate the append
flag in falco rules
#2992
update(rule_loader): deprecate the append
flag in falco rules
#2992
Conversation
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped. Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION. /hold |
append
flag in falco rulesappend
flag in falco rules
I fully agree with the proposal, and with keeping the deprecated
I think we should split real warnings from verbose messages (if any); in your example, the warning message should always be visible; also, given that Falco is a "fire and forget" tool, i think that having a more verbose startup by default is not that impactful after all. |
I like this a lot @Andreagit97, also ok to keep this warning until Falco 1.0.0 |
+1 for this. |
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Update: This PR deprecates 2 things now (with relative tests):
Summary for Falco 0.37.0 here: #2763 I have enabled all rules warnings by default, let me know if it is OK for you. This is a possible output example:
I don't love the multi-line log but at the moment this is what we have... @jasondellaluce there was a particular reason to use |
append
flag in falco rulesappend
flag in falco rules
Signed-off-by: Andrea Terzolo <[email protected]>
Now this should be ready |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
LGTM label has been added. Git tree hash: 0d42da1acd26344d1de3091beac0fa0d750eb7b3
|
@@ -244,10 +240,7 @@ void rule_loader::collector::append(configuration& cfg, rule_update_info& info) | |||
{ | |||
auto prev = m_rule_infos.at(info.name); | |||
|
|||
THROW(!prev, | |||
// "Rule has 'append' key or an append override but no rule by that name already exists", // TODO replace with this and update testing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for updating these errors <3
Great job Andrea! 🎉 Just a couple minor comments and I can approve :) |
Signed-off-by: Andrea Terzolo <[email protected]> Co-authored-by: Luca Guerra <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
LGTM label has been added. Git tree hash: 4534eddb97a798dc1d15551b691fd293e31bdd1b
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, FedeDP, LucaGuerra The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/unhold |
What type of PR is this?
/kind cleanup
/kind design
Any specific area of the project related to this PR?
/area engine
/area tests
What this PR does / why we need it:
In this PR I propose to deprecate the
append
flag in the Falco rules. Withdeprecate
I mean that we should log a warning when theappend
key is used suggesting the newoverride
key. The flag shouldn't be removed until Falco 1.0.0 since it could cause a big breaking change between users (I'm open to other ideas, maybe we can wait for some release cycle). In this PR there are also some cleanups.Side note: I'm not fully convinced by the fact that warnings in the rule loading are suppressed by default...if we introduce a warning I expect that users will see it by default since probably they need to take some actions... To be more concrete, in this PR i added a warning that in my opinion should be shown by default because users should know how to update the rules with the most recent features to avoid breaking changes in the future. Example:
Today to obtain the above result users should run Falco with the
-v
which IMO is not ideal, WDYT @falcosecurity/falco-maintainers ?Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?: