update(falco): support latest changes in falco-driver-loader

The init container when the driver kind is set to auto, automatically creates a new config file for falco and sets the engine kind that fits the environment where falco is running Signed-off-by: Aldo Lacuku <[email protected]>
falcosecurity · Sep 10, 2024 · c859860 · c859860
1 parent 4d2da46
commit c859860
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 0 deletions.
diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl
@@ -128,6 +128,10 @@ spec:
         - mountPath: /usr/share/falco/plugins
           name: plugins-install-dir
       {{- end }}
+      {{- end }}
+      {{- if eq (include "driverLoader.enabled" .) "true" }}
+        - mountPath: /etc/falco/config.d
+          name: specialized-falco-configs
       {{- end }}
         - mountPath: /root/.falco
           name: root-falco-fs
@@ -227,6 +231,10 @@ spec:
     {{- include "falcoctl.initContainer" . | nindent 4 }}
   {{- end }}
   volumes:
+    {{- if eq (include "driverLoader.enabled" .) "true" }}
+    - name: specialized-falco-configs
+      emptyDir: {}
+    {{- end }}
     {{- if or .Values.falcoctl.artifact.install.enabled .Values.falcoctl.artifact.follow.enabled }}
     - name: plugins-install-dir
       emptyDir: {}
@@ -384,6 +392,8 @@ spec:
     - mountPath: /host/etc
       name: etc-fs
       readOnly: true
+    - mountPath: /etc/falco/config.d
+      name: specialized-falco-configs
   env:
     - name: HOST_ROOT
       value: /host
@@ -395,6 +405,8 @@ spec:
       valueFrom:
         fieldRef:
           fieldPath: metadata.namespace
+    - name: FALCOCTL_DRIVER_CONFIG_CONFIGMAP
+      value: {{ include "falco.fullname" . }}
   {{- else }}
     - name: FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO
       value: "false"

diff --git a/charts/falco/tests/unit/driverLoader_test.go b/charts/falco/tests/unit/driverLoader_test.go
@@ -36,6 +36,11 @@ var (
 			},
 		}}
 
+	configmapEnvVar = v1.EnvVar{
+		Name:  "FALCOCTL_DRIVER_CONFIG_CONFIGMAP",
+		Value: releaseName + "-falco",
+	}
+
 	updateConfigMapEnvVar = v1.EnvVar{
 		Name:  "FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO",
 		Value: "false",
@@ -64,7 +69,11 @@ func TestDriverLoaderEnabled(t *testing.T) {
 				require.Contains(t, container.Args, "auto")
 				require.True(t, *container.SecurityContext.Privileged)
 				require.Contains(t, container.Env, namespaceEnvVar)
+				require.Contains(t, container.Env, configmapEnvVar)
 				require.NotContains(t, container.Env, updateConfigMapEnvVar)
+
+				// Check that the expected volumes are there.
+				volumeMounts(t, container.VolumeMounts)
 			},
 		},
 		{
@@ -124,7 +133,11 @@ func TestDriverLoaderEnabled(t *testing.T) {
 				require.Contains(t, container.Args, "kmod")
 				require.True(t, *container.SecurityContext.Privileged)
 				require.NotContains(t, container.Env, namespaceEnvVar)
+				require.NotContains(t, container.Env, configmapEnvVar)
 				require.Contains(t, container.Env, updateConfigMapEnvVar)
+
+				// Check that the expected volumes are there.
+				volumeMounts(t, container.VolumeMounts)
 			},
 		},
 		{
@@ -139,7 +152,11 @@ func TestDriverLoaderEnabled(t *testing.T) {
 				require.Contains(t, container.Args, "kmod")
 				require.True(t, *container.SecurityContext.Privileged)
 				require.NotContains(t, container.Env, namespaceEnvVar)
+				require.NotContains(t, container.Env, configmapEnvVar)
 				require.Contains(t, container.Env, updateConfigMapEnvVar)
+
+				// Check that the expected volumes are there.
+				volumeMounts(t, container.VolumeMounts)
 			},
 		},
 		{
@@ -155,6 +172,10 @@ func TestDriverLoaderEnabled(t *testing.T) {
 				require.Nil(t, container.SecurityContext)
 				require.NotContains(t, container.Env, namespaceEnvVar)
 				require.Contains(t, container.Env, updateConfigMapEnvVar)
+				require.NotContains(t, container.Env, configmapEnvVar)
+
+				// Check that the expected volumes are there.
+				volumeMounts(t, container.VolumeMounts)
 			},
 		},
 		{
@@ -190,3 +211,55 @@ func TestDriverLoaderEnabled(t *testing.T) {
 		})
 	}
 }
+
+// volumenMounts checks that the expected volume mounts have been configured.
+func volumeMounts(t *testing.T, volumeMounts []v1.VolumeMount) {
+	rootFalcoFS := v1.VolumeMount{
+		Name:      "root-falco-fs",
+		ReadOnly:  false,
+		MountPath: "/root/.falco",
+	}
+	require.Contains(t, volumeMounts, rootFalcoFS)
+
+	procFS := v1.VolumeMount{
+		Name:      "proc-fs",
+		ReadOnly:  true,
+		MountPath: "/host/proc",
+	}
+	require.Contains(t, volumeMounts, procFS)
+
+	bootFS := v1.VolumeMount{
+		Name:      "boot-fs",
+		ReadOnly:  true,
+		MountPath: "/host/boot",
+	}
+	require.Contains(t, volumeMounts, bootFS)
+
+	libModulesFS := v1.VolumeMount{
+		Name:      "lib-modules",
+		ReadOnly:  false,
+		MountPath: "/host/lib/modules",
+	}
+	require.Contains(t, volumeMounts, libModulesFS)
+
+	usrFS := v1.VolumeMount{
+		Name:      "usr-fs",
+		ReadOnly:  true,
+		MountPath: "/host/usr",
+	}
+	require.Contains(t, volumeMounts, usrFS)
+
+	etcFS := v1.VolumeMount{
+		Name:      "etc-fs",
+		ReadOnly:  true,
+		MountPath: "/host/etc",
+	}
+	require.Contains(t, volumeMounts, etcFS)
+
+	specializedFalcoConfigs := v1.VolumeMount{
+		Name:      "specialized-falco-configs",
+		ReadOnly:  false,
+		MountPath: "/etc/falco/config.d",
+	}
+	require.Contains(t, volumeMounts, specializedFalcoConfigs)
+}