update(falco): support latest changes in falco-driver-loader

The init container, when driver.kind=auto, automatically generates a new Falco configuration file and selects the appropriate engine kind based on the environment where Falco is deployed. With this commit, along with falcoctl PR falcosecurity#630, the Helm charts now support different driver kinds for Falco instances based on the specific node they are running on. When driver.kind=auto is set, each Falco instance dynamically selects the most suitable driver (e.g., ebps, kmod, modern_ebpf) for the node. +-------------------------------------------------------+ | Kubernetes Cluster | | | | +-------------------+ +-------------------+ | | | Node 1 | | Node 2 | | | | | | | | | | Falco (ebpf) | | Falco (kmod) | | | +-------------------+ +-------------------+ | | | | +-------------------+ | | | Node 3 | | | | | | | | Falco (modern_ebpf)| | | +-------------------+ | +-------------------------------------------------------+ Signed-off-by: Aldo Lacuku <[email protected]>
alacuku · Sep 17, 2024 · 1db02fb · 1db02fb
1 parent 98897b0
commit 1db02fb
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 3 deletions.
diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md
@@ -3,6 +3,33 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v4.8.3
+
+* The init container, when driver.kind=auto, automatically generates
+  a new Falco configuration file and selects the appropriate engine
+  kind based on the environment where Falco is deployed.
+
+  With this commit, along with falcoctl PR #630, the Helm charts now 
+  support different driver kinds for Falco instances based on the 
+  specific node they are running on. When driver.kind=auto is set,
+  each Falco instance dynamically selects the most suitable 
+  driver (e.g., ebpf, kmod, modern_ebpf) for the node.
+  +-------------------------------------------------------+
+  | Kubernetes Cluster                                    |
+  |                                                       |
+  |  +-------------------+  +-------------------+        |
+  |  | Node 1             |  | Node 2             |        |
+  |  |                   |  |                   |        |
+  |  | Falco (ebpf) |  | Falco (kmod)       |        |
+  |  +-------------------+  +-------------------+        |
+  |                                                       |
+  |                 +-------------------+                |
+  |                 | Node 3             |                |
+  |                 |                   |                |
+  |                 | Falco (modern_ebpf)|                |
+  |                 +-------------------+                |
+  +-------------------------------------------------------+
+
 ## v4.8.2
 
 * fix(falco): correctly mount host filesystems when driver.kind is auto

diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: falco
-version: 4.8.2
+version: 4.8.3
 appVersion: "0.38.2"
 description: Falco
 keywords:

diff --git a/charts/falco/README.md b/charts/falco/README.md
@@ -581,7 +581,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek
 
 ## Configuration
 
-The following table lists the main configurable parameters of the falco chart v4.8.2 and their default values. See [values.yaml](./values.yaml) for full list.
+The following table lists the main configurable parameters of the falco chart v4.8.3 and their default values. See [values.yaml](./values.yaml) for full list.
 
 ## Values
 

diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl
@@ -128,6 +128,10 @@ spec:
         - mountPath: /usr/share/falco/plugins
           name: plugins-install-dir
       {{- end }}
+      {{- end }}
+      {{- if eq (include "driverLoader.enabled" .) "true" }}
+        - mountPath: /etc/falco/config.d
+          name: specialized-falco-configs
       {{- end }}
         - mountPath: /root/.falco
           name: root-falco-fs
@@ -227,6 +231,10 @@ spec:
     {{- include "falcoctl.initContainer" . | nindent 4 }}
   {{- end }}
   volumes:
+    {{- if eq (include "driverLoader.enabled" .) "true" }}
+    - name: specialized-falco-configs
+      emptyDir: {}
+    {{- end }}
     {{- if or .Values.falcoctl.artifact.install.enabled .Values.falcoctl.artifact.follow.enabled }}
     - name: plugins-install-dir
       emptyDir: {}
@@ -384,6 +392,8 @@ spec:
     - mountPath: /host/etc
       name: etc-fs
       readOnly: true
+    - mountPath: /etc/falco/config.d
+      name: specialized-falco-configs
   env:
     - name: HOST_ROOT
       value: /host
@@ -395,6 +405,8 @@ spec:
       valueFrom:
         fieldRef:
           fieldPath: metadata.namespace
+    - name: FALCOCTL_DRIVER_CONFIG_CONFIGMAP
+      value: {{ include "falco.fullname" . }}
   {{- else }}
     - name: FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO
       value: "false"

diff --git a/charts/falco/tests/unit/driverLoader_test.go b/charts/falco/tests/unit/driverLoader_test.go
@@ -36,6 +36,11 @@ var (
 			},
 		}}
 
+	configmapEnvVar = v1.EnvVar{
+		Name:  "FALCOCTL_DRIVER_CONFIG_CONFIGMAP",
+		Value: releaseName + "-falco",
+	}
+
 	updateConfigMapEnvVar = v1.EnvVar{
 		Name:  "FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO",
 		Value: "false",
@@ -64,7 +69,11 @@ func TestDriverLoaderEnabled(t *testing.T) {
 				require.Contains(t, container.Args, "auto")
 				require.True(t, *container.SecurityContext.Privileged)
 				require.Contains(t, container.Env, namespaceEnvVar)
+				require.Contains(t, container.Env, configmapEnvVar)
 				require.NotContains(t, container.Env, updateConfigMapEnvVar)
+
+				// Check that the expected volumes are there.
+				volumeMounts(t, container.VolumeMounts)
 			},
 		},
 		{
@@ -124,7 +133,11 @@ func TestDriverLoaderEnabled(t *testing.T) {
 				require.Contains(t, container.Args, "kmod")
 				require.True(t, *container.SecurityContext.Privileged)
 				require.NotContains(t, container.Env, namespaceEnvVar)
+				require.NotContains(t, container.Env, configmapEnvVar)
 				require.Contains(t, container.Env, updateConfigMapEnvVar)
+
+				// Check that the expected volumes are there.
+				volumeMounts(t, container.VolumeMounts)
 			},
 		},
 		{
@@ -139,7 +152,11 @@ func TestDriverLoaderEnabled(t *testing.T) {
 				require.Contains(t, container.Args, "kmod")
 				require.True(t, *container.SecurityContext.Privileged)
 				require.NotContains(t, container.Env, namespaceEnvVar)
+				require.NotContains(t, container.Env, configmapEnvVar)
 				require.Contains(t, container.Env, updateConfigMapEnvVar)
+
+				// Check that the expected volumes are there.
+				volumeMounts(t, container.VolumeMounts)
 			},
 		},
 		{
@@ -155,6 +172,10 @@ func TestDriverLoaderEnabled(t *testing.T) {
 				require.Nil(t, container.SecurityContext)
 				require.NotContains(t, container.Env, namespaceEnvVar)
 				require.Contains(t, container.Env, updateConfigMapEnvVar)
+				require.NotContains(t, container.Env, configmapEnvVar)
+
+				// Check that the expected volumes are there.
+				volumeMounts(t, container.VolumeMounts)
 			},
 		},
 		{
@@ -190,3 +211,55 @@ func TestDriverLoaderEnabled(t *testing.T) {
 		})
 	}
 }
+
+// volumenMounts checks that the expected volume mounts have been configured.
+func volumeMounts(t *testing.T, volumeMounts []v1.VolumeMount) {
+	rootFalcoFS := v1.VolumeMount{
+		Name:      "root-falco-fs",
+		ReadOnly:  false,
+		MountPath: "/root/.falco",
+	}
+	require.Contains(t, volumeMounts, rootFalcoFS)
+
+	procFS := v1.VolumeMount{
+		Name:      "proc-fs",
+		ReadOnly:  true,
+		MountPath: "/host/proc",
+	}
+	require.Contains(t, volumeMounts, procFS)
+
+	bootFS := v1.VolumeMount{
+		Name:      "boot-fs",
+		ReadOnly:  true,
+		MountPath: "/host/boot",
+	}
+	require.Contains(t, volumeMounts, bootFS)
+
+	libModulesFS := v1.VolumeMount{
+		Name:      "lib-modules",
+		ReadOnly:  false,
+		MountPath: "/host/lib/modules",
+	}
+	require.Contains(t, volumeMounts, libModulesFS)
+
+	usrFS := v1.VolumeMount{
+		Name:      "usr-fs",
+		ReadOnly:  true,
+		MountPath: "/host/usr",
+	}
+	require.Contains(t, volumeMounts, usrFS)
+
+	etcFS := v1.VolumeMount{
+		Name:      "etc-fs",
+		ReadOnly:  true,
+		MountPath: "/host/etc",
+	}
+	require.Contains(t, volumeMounts, etcFS)
+
+	specializedFalcoConfigs := v1.VolumeMount{
+		Name:      "specialized-falco-configs",
+		ReadOnly:  false,
+		MountPath: "/etc/falco/config.d",
+	}
+	require.Contains(t, volumeMounts, specializedFalcoConfigs)
+}
diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml
@@ -471,7 +471,7 @@ falcoctl:
     # -- The image repository to pull from.
     repository: falcosecurity/falcoctl
     # -- The image tag to pull.
-    tag: "0.9.0"
+    tag: "0.10.0"
   artifact:
     # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before
     # Falco starts. It provides them to Falco by using an emptyDir volume.