From 3d3ab261f6158c15e6d24cf7c24d61c235432af0 Mon Sep 17 00:00:00 2001
From: Thomas Labarussias
Date: Tue, 10 Sep 2024 16:56:30 +0200
Subject: [PATCH 1/2] fix the error when the custom CA cert is missing, even it's the default, see: https://github.com/falcosecurity/falcosidekick/issues/987
Signed-off-by: Thomas Labarussias
---
 .gitignore | 1 +
 charts/falcosidekick/CHANGELOG.md | 5 +++++
 charts/falcosidekick/Chart.yaml | 2 +-
 charts/falcosidekick/README.md | 2 +-
 charts/falcosidekick/values.yaml | 2 +-
 5 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index f7009cf4c..e958ba787 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 *.swp
 *.swo
 *~
+.vscode
\ No newline at end of file
diff --git a/charts/falcosidekick/CHANGELOG.md b/charts/falcosidekick/CHANGELOG.md
index a1c79a7fa..d7b85f5fe 100644
--- a/charts/falcosidekick/CHANGELOG.md
+++ b/charts/falcosidekick/CHANGELOG.md
@@ -5,7 +5,12 @@ numbering uses [semantic versioning](http://semver.org).
 Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick).
+## 0.8.5
+
+- Fix an issue with the by default missing custom CA cert
+
 ## 0.8.4
+
 - Fix falcosidekick chart ignoring custom service type for webui redis
 ## 0.8.3
diff --git a/charts/falcosidekick/Chart.yaml b/charts/falcosidekick/Chart.yaml
index 9f3d776e0..1b18d1296 100644
--- a/charts/falcosidekick/Chart.yaml
+++ b/charts/falcosidekick/Chart.yaml
@@ -3,7 +3,7 @@ appVersion: 2.29.0
 description: Connect Falco to your ecosystem
 icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png
 name: falcosidekick
-version: 0.8.4
+version: 0.8.5
 keywords:
 - monitoring
 - security
diff --git a/charts/falcosidekick/README.md b/charts/falcosidekick/README.md
index 9995cffb8..598d140c2 100644
--- a/charts/falcosidekick/README.md
+++ b/charts/falcosidekick/README.md
@@ -523,7 +523,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.timescaledb.password | string | `"postgres"` | Password to authenticate with TimescaleDB |
 | config.timescaledb.port | int | `5432` | TimescaleDB port (default: 5432) |
 | config.timescaledb.user | string | `"postgres"` | Username to authenticate with TimescaleDB |
-| config.tlsclient.cacertfile | string | `"/etc/certs/client/ca.crt"` | CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty |
+| config.tlsclient.cacertfile | string | `""` | CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty |
 | config.tlsserver.cacertfile | string | `"/etc/certs/server/ca.crt"` | CA certification file path for client certification if mutualtls is true |
 | config.tlsserver.cacrt | string | `""` | |
 | config.tlsserver.certfile | string | `"/etc/certs/server/server.crt"` | server certification file path for TLS Server |
diff --git a/charts/falcosidekick/values.yaml b/charts/falcosidekick/values.yaml
index 9bc987910..c148ee729 100644
--- a/charts/falcosidekick/values.yaml
+++ b/charts/falcosidekick/values.yaml
@@ -145,7 +145,7 @@ config:
 tlsclient:
 # -- CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty
-cacertfile: "/etc/certs/client/ca.crt"
+cacertfile: ""
 tlsserver:
 # -- if true TLS server will be deployed instead of HTTP
From 98897b00df4d11fc27b4b461e3280c33139b59d5 Mon Sep 17 00:00:00 2001
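Review bot: Switching the default of `config.tlsclient.cacertfile` from `/etc/certs/client/ca.crt` to `""` silently changes what server certificates are validated against for any deployment that relied on the old path (for instance by mounting its own CA there): by the key's own comment an empty value means the system CA pool alone is used, so verification is not turned off, but a previously trusted private CA would stop being trusted and TLS connections to outputs signed by it would begin failing without an obvious cause. The changelog line `Fix an issue with the by default missing custom CA cert` does not say this, so I would extend the values comment, e.g. `# -- CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty. Empty (the default) means the system CA pool only; set it explicitly if you mount a private CA`, and add a matching upgrade note for 0.8.5. Whether the chart itself ever mounted anything at the old path is not visible in this patch, so this presumably only affects users who did so themselves. The `config:` mapping this key belongs to starts before and continues past the hunk.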
From: Aldo Lacuku
Date: Tue, 10 Sep 2024 17:12:21 +0200
Subject: [PATCH 2/2] fix(falco): correctly mount host filesystems when driver.kind is auto
When falco runs with kmod/module driver it needs special filesystems to be mounted from the host such /dev and /sys/module/falco. This commit ensures that we mount them in the falco container.
Note that, the /sys/module/falco is now mounted as /sys/module since we do not know which kind of driver will be used. The falco folder exists under /sys/module only when the kernel module is loaded, hence it's not possible to use the /sys/module/falco hostpath when driver.kind is set to auto.
Signed-off-by: Aldo Lacuku
---
 charts/falco/CHANGELOG.md | 14 ++++++++++++++
 charts/falco/Chart.yaml | 2 +-
 charts/falco/README.md | 2 +-
 charts/falco/templates/pod-template.tpl | 8 ++++----
 4 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md
index f4d7a5004..1a8a605d8 100644
--- a/charts/falco/CHANGELOG.md
+++ b/charts/falco/CHANGELOG.md
@@ -3,6 +3,20 @@ This file documents all notable changes to Falco Helm Chart.
 The release numbering uses [semantic versioning](http://semver.org).
+## v4.8.2
+
+* fix(falco): correctly mount host filesystems when driver.kind is auto
+
+ When falco runs with kmod/module driver it needs special filesystems
+ to be mounted from the host such /dev and /sys/module/falco.
+ This commit ensures that we mount them in the falco container.
+
+ Note that, the /sys/module/falco is now mounted as /sys/module since
+ we do not know which kind of driver will be used. The falco folder
+ exists under /sys/module only when the kernel module is loaded,
+ hence it's not possible to use the /sys/module/falco hostpath when driver.kind
+ is set to auto.
+
 ## v4.8.1
 * fix(falcosidekick): add support for custom service type for webui redis
diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml
index 3ba5991dc..734ce0c46 100644
--- a/charts/falco/Chart.yaml
+++ b/charts/falco/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: falco
-version: 4.8.1
+version: 4.8.2
 appVersion: "0.38.2"
 description: Falco
 keywords:
diff --git a/charts/falco/README.md b/charts/falco/README.md
index 65fe77f79..92d8c0136 100644
--- a/charts/falco/README.md
+++ b/charts/falco/README.md
@@ -581,7 +581,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek
 ## Configuration
-The following table lists the main configurable parameters of the falco chart v4.8.1 and their default values. See [values.yaml](./values.yaml) for full list.
+The following table lists the main configurable parameters of the falco chart v4.8.2 and their default values. See [values.yaml](./values.yaml) for full list.
 ## Values
diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl
index e66f85503..1a098b3d0 100644
--- a/charts/falco/templates/pod-template.tpl
+++ b/charts/falco/templates/pod-template.tpl
@@ -151,12 +151,12 @@ spec:
 name: etc-fs
 readOnly: true
 {{- end -}}
-{{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }}
+{{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") (eq .Values.driver.kind "auto")) }}
 - mountPath: /host/dev
 name: dev-fs
 readOnly: true
 - name: sys-fs
-mountPath: /sys/module/falco
+mountPath: /sys/module
 {{- end }}
 {{- if and .Values.driver.enabled (and (eq .Values.driver.kind "ebpf") (contains "falco-no-driver" .Values.image.repository)) }}
 - name: debugfs
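Review bot: The `sys-fs` mount now exposes the whole host `/sys/module` tree to the container and, unlike the `dev-fs` mount directly above it, carries no `readOnly: true`, so widening it from `/sys/module/falco` to `/sys/module` also gives the container write access to every other loaded module's sysfs entries (the `parameters/` files of modules that accept runtime changes) whenever the driver kind is `kmod`, `module` or `auto`. The commit message describes this as a filesystem the kmod driver needs to have mounted, not as something falco writes to; if reading it is all that is needed, I would add `readOnly: true` under `mountPath: /sys/module`, and if a write really is required the template should say which path and why, e.g. `# sys-fs is mounted read-write because falco writes to /sys/module/<...>`. With `auto` these host paths are now mounted even when a non-kmod driver is chosen at runtime, which makes keeping the mount read-only more valuable rather than less. The container spec this volumeMounts list belongs to starts before and continues past the hunk.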
@@ -249,13 +249,13 @@ spec:
 hostPath:
 path: /etc
 {{- end }}
-{{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module")) }}
+{{- if and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") (eq .Values.driver.kind "auto")) }}
 - name: dev-fs
 hostPath:
 path: /dev
 - name: sys-fs
 hostPath:
-path: /sys/module/falco
+path: /sys/module
 {{- end }}
 {{- if and .Values.driver.enabled (and (eq .Values.driver.kind "ebpf") (contains "falco-no-driver" .Values.image.repository)) }}
 - name: debugfs
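Review bot: The driver-kind predicate is now repeated verbatim in this volumes hunk and in the volumeMounts hunk earlier in the file, and this commit already had to edit both copies to add `(eq .Values.driver.kind "auto")`, which is exactly how the two drift apart next time; a named template would keep them in step, e.g. `{{- define "falco.driverNeedsHostFs" -}}{{ and .Values.driver.enabled (or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") (eq .Values.driver.kind "auto")) }}{{- end -}}` used as `{{- if eq (include "falco.driverNeedsHostFs" .) "true" }}` in both places. Separately, neither `hostPath` here declares a `type`, so a missing host path is not rejected when the pod is created; `type: Directory` on `dev-fs` and `sys-fs` would surface a clear scheduling event instead of a later failure inside the container. The `volumes:` list this hunk belongs to starts before and continues past the hunk.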