From b2e8d8701fa7e61fe2f2a9fd5c139acd0d9696d6 Mon Sep 17 00:00:00 2001 From: afreyermuth98 Date: Tue, 10 Sep 2024 17:08:01 +0200 Subject: [PATCH 01/10] :wrench: Add possibility to add annotations to the metrics service Signed-off-by: afreyermuth98 --- charts/falco/templates/service.yaml | 2 ++ charts/falco/values.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/charts/falco/templates/service.yaml b/charts/falco/templates/service.yaml index d2093ec2..2f4c5fc1 100644 --- a/charts/falco/templates/service.yaml +++ b/charts/falco/templates/service.yaml @@ -7,6 +7,8 @@ metadata: labels: {{- include "falco.labels" . | nindent 4 }} type: "falco-metrics" + annotations: + {{- include ".Values.metrics.service.annotations" . | nindent 4 }} spec: type: {{ .Values.metrics.service.type }} ports: diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml index bd8f2a61..d7d55ac4 100644 --- a/charts/falco/values.yaml +++ b/charts/falco/values.yaml @@ -248,6 +248,8 @@ metrics: # -- type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible # from within the cluster. type: ClusterIP + # -- annotations to add to the service. + annotations: {} # -- ports denotes all the ports on which the Service will listen. ports: # -- metrics denotes a listening service named "metrics". From 69a220732c4e58a0d8ac6dff98cce55a7e7f3f73 Mon Sep 17 00:00:00 2001 From: afreyermuth98 Date: Wed, 11 Sep 2024 15:03:50 +0200 Subject: [PATCH 02/10] :wrench: Resolving conflicts Signed-off-by: afreyermuth98 --- charts/falco/CHANGELOG.md | 1 + charts/falco/README.md | 6 ++++-- charts/falco/templates/service.yaml | 1 + charts/falco/values.yaml | 2 ++ 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md index 1a8a605d..f207df03 100644 --- a/charts/falco/CHANGELOG.md +++ b/charts/falco/CHANGELOG.md 
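Review bot: In the PATCH 01 `service.yaml` hunk, `include ".Values.metrics.service.annotations" .` hands a values path to `include`, which looks up a named template, so rendering is expected to fail with a missing-template error instead of emitting the map. The value has to be serialised, for example `{{- with .Values.metrics.service.annotations }}` around the `annotations:` key with `{{- toYaml . | nindent 4 }}` inside it, which also avoids emitting a bare `annotations:` key when nothing is configured. The same `include` form is repeated for labels in the PATCH 02 `service.yaml` hunk.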
@@ -16,6 +16,7 @@ numbering uses [semantic versioning](http://semver.org). exists under /sys/module only when the kernel module is loaded, hence it's not possible to use the /sys/module/falco hostpath when driver.kind is set to auto. +* feat(falco): add labels and annotations to the metrics service ## v4.8.1 diff --git a/charts/falco/README.md b/charts/falco/README.md index 92d8c013..1df59c08 100644 --- a/charts/falco/README.md +++ b/charts/falco/README.md 
@@ -740,7 +740,7 @@ The following table lists the main configurable parameters of the falco chart v4 | image.repository | string | `"falcosecurity/falco-no-driver"` | The image repository to pull from | | image.tag | string | `""` | The image tag to pull. Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | Secrets containing credentials when pulling from private/secure registries. | -| metrics | object | `{"convertMemoryToMB":true,"enabled":false,"includeEmptyValues":false,"interval":"1h","kernelEventCountersEnabled":true,"libbpfStatsEnabled":true,"outputRule":false,"resourceUtilizationEnabled":true,"rulesCountersEnabled":true,"service":{"create":true,"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"},"stateCountersEnabled":true}` | metrics configures Falco to enable and expose the metrics. | +| metrics | object | `{"convertMemoryToMB":true,"enabled":false,"includeEmptyValues":false,"interval":"1h","kernelEventCountersEnabled":true,"libbpfStatsEnabled":true,"outputRule":false,"resourceUtilizationEnabled":true,"rulesCountersEnabled":true,"service":{"annotations":{},"create":true,"labels":{},"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"},"stateCountersEnabled":true}` | metrics configures Falco to enable and expose the metrics. | | metrics.convertMemoryToMB | bool | `true` | convertMemoryToMB specifies whether the memory should be converted to mb. | | metrics.enabled | bool | `false` | enabled specifies whether the metrics should be enabled. | | metrics.includeEmptyValues | bool | `false` | includeEmptyValues specifies whether the empty values should be included in the metrics. | 
@@ -749,8 +749,10 @@ The following table lists the main configurable parameters of the falco chart v4 | metrics.outputRule | bool | `false` | outputRule enables seamless metrics and performance monitoring, we recommend emitting metrics as the rule "Falco internal: metrics snapshot". This option is particularly useful when Falco logs are preserved in a data lake. Please note that to use this option, the Falco rules config `priority` must be set to `info` at a minimum. | | metrics.resourceUtilizationEnabled | bool | `true` | resourceUtilizationEnabled`: Emit CPU and memory usage metrics. CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. | | metrics.rulesCountersEnabled | bool | `true` | rulesCountersEnabled specifies whether the counts for each rule should be emitted. 
| -| metrics.service | object | `{"create":true,"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"}` | service exposes the metrics service to be accessed from within the cluster. ref: https://kubernetes.io/docs/concepts/services-networking/service/ | +| metrics.service | object | `{"annotations":{},"create":true,"labels":{},"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"}` | service exposes the metrics service to be accessed from within the cluster. ref: https://kubernetes.io/docs/concepts/services-networking/service/ | +| metrics.service.annotations | object | `{}` | annotations to add to the service. | | metrics.service.create | bool | `true` | create specifies whether a service should be created. | +| metrics.service.labels | object | `{}` | labels to add to the service. | | metrics.service.ports | object | `{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}}` | ports denotes all the ports on which the Service will listen. | | metrics.service.ports.metrics | object | `{"port":8765,"protocol":"TCP","targetPort":8765}` | metrics denotes a listening service named "metrics". | | metrics.service.ports.metrics.port | int | `8765` | port is the port on which the Service will listen. | diff --git a/charts/falco/templates/service.yaml b/charts/falco/templates/service.yaml index 2f4c5fc1..19e8313a 100644 --- a/charts/falco/templates/service.yaml +++ b/charts/falco/templates/service.yaml @@ -6,6 +6,7 @@ metadata: namespace: {{ include "falco.namespace" . }} labels: {{- include "falco.labels" . | nindent 4 }} + {{- include ".Values.metrics.service.labels" . | nindent 4 }} type: "falco-metrics" annotations: {{- include ".Values.metrics.service.annotations" . | nindent 4 }} diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml index d7d55ac4..1e006825 100644 --- a/charts/falco/values.yaml +++ b/charts/falco/values.yaml 
@@ -248,6 +248,8 @@ metrics: # -- type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible # from within the cluster. type: ClusterIP + # -- labels to add to the service. + labels: {} # -- annotations to add to the service. annotations: {} # -- ports denotes all the ports on which the Service will listen. From 8198472339ccb7d02a4d5a66b32f54d9b13aacf7 Mon Sep 17 00:00:00 2001 From: afreyermuth98 Date: Tue, 10 Sep 2024 18:33:45 +0200 Subject: [PATCH 03/10] :bug: Fixing CI Signed-off-by: afreyermuth98 --- charts/falco/templates/service.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/falco/templates/service.yaml b/charts/falco/templates/service.yaml index 19e8313a..83118b96 100644 --- a/charts/falco/templates/service.yaml +++ b/charts/falco/templates/service.yaml @@ -6,10 +6,10 @@ metadata: namespace: {{ include "falco.namespace" . }} labels: {{- include "falco.labels" . | nindent 4 }} - {{- include ".Values.metrics.service.labels" . | nindent 4 }} + {{ toYaml Values.metrics.service.labels | nindent 4 }} type: "falco-metrics" annotations: - {{- include ".Values.metrics.service.annotations" . | nindent 4 }} + {{ toYaml .Values.metrics.service.annotations | nindent 4 }} spec: type: {{ .Values.metrics.service.type }} ports: From c10e80c9178235300a4e2155f8e4b67b3a8ab149 Mon Sep 17 00:00:00 2001 From: afreyermuth98 Date: Wed, 11 Sep 2024 09:43:59 +0200 Subject: [PATCH 04/10] :bug: Missing dot before Values Signed-off-by: afreyermuth98 --- charts/falco/templates/service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/falco/templates/service.yaml b/charts/falco/templates/service.yaml index 83118b96..dee7a670 100644 --- a/charts/falco/templates/service.yaml +++ b/charts/falco/templates/service.yaml 
@@ -6,7 +6,7 @@ metadata: namespace: {{ include "falco.namespace" . }} labels: {{- include "falco.labels" . | nindent 4 }} - {{ toYaml Values.metrics.service.labels | nindent 4 }} + {{ toYaml .Values.metrics.service.labels | nindent 4 }} type: "falco-metrics" annotations: {{ toYaml .Values.metrics.service.annotations | nindent 4 }} From 2e510c54d6f0d488a57973ed4cdd26f0bfdbcded Mon Sep 17 00:00:00 2001 From: afreyermuth98 Date: Wed, 11 Sep 2024 16:41:47 +0200 Subject: [PATCH 05/10] :arrow_up: Bump to 4.8.3 Signed-off-by: afreyermuth98 --- charts/falco/CHANGELOG.md | 5 ++++- charts/falco/Chart.yaml | 2 +- charts/falco/README.md | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md index f207df03..fd2ac5b1 100644 --- a/charts/falco/CHANGELOG.md +++ b/charts/falco/CHANGELOG.md @@ -3,6 +3,10 @@ This file documents all notable changes to Falco Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v4.8.3 + +* feat(falco): add labels and annotations to the metrics service + ## v4.8.2 * fix(falco): correctly mount host filesystems when driver.kind is auto @@ -16,7 +20,6 @@ numbering uses [semantic versioning](http://semver.org). exists under /sys/module only when the kernel module is loaded, hence it's not possible to use the /sys/module/falco hostpath when driver.kind is set to auto. -* feat(falco): add labels and annotations to the metrics service ## v4.8.1 diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml index 734ce0c4..319c3ab2 100644 --- a/charts/falco/Chart.yaml +++ b/charts/falco/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: falco -version: 4.8.2 +version: 4.8.3 appVersion: "0.38.2" description: Falco keywords: diff --git a/charts/falco/README.md b/charts/falco/README.md index 1df59c08..ed05efef 100644 --- a/charts/falco/README.md +++ b/charts/falco/README.md 
@@ -581,7 +581,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek ## Configuration -The following table lists the main configurable parameters of the falco chart v4.8.2 and their default values. See [values.yaml](./values.yaml) for full list. +The following table lists the main configurable parameters of the falco chart v4.8.3 and their default values. See [values.yaml](./values.yaml) for full list. ## Values From b82dfcc295124c2c5d510a854c23e340aaf38ca0 Mon Sep 17 00:00:00 2001 From: afreyermuth98 Date: Wed, 11 Sep 2024 16:45:53 +0200 Subject: [PATCH 06/10] :bug: Removed extra space Signed-off-by: afreyermuth98 --- charts/falco/templates/service.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/falco/templates/service.yaml b/charts/falco/templates/service.yaml index dee7a670..4fb5e687 100644 --- a/charts/falco/templates/service.yaml +++ b/charts/falco/templates/service.yaml @@ -9,7 +9,7 @@ metadata: {{ toYaml .Values.metrics.service.labels | nindent 4 }} type: "falco-metrics" annotations: - {{ toYaml .Values.metrics.service.annotations | nindent 4 }} + {{ toYaml .Values.metrics.service.annotations | nindent 4 }} spec: type: {{ .Values.metrics.service.type }} ports: From 1198f04099442efc69352027ea27e0cea5c8cbca Mon Sep 17 00:00:00 2001 From: afreyermuth98 Date: Fri, 13 Sep 2024 11:05:57 +0200 Subject: [PATCH 07/10] :wrench: Reviews Signed-off-by: afreyermuth98 --- charts/falco/templates/service.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/charts/falco/templates/service.yaml b/charts/falco/templates/service.yaml index 4fb5e687..f3084d8e 100644 --- a/charts/falco/templates/service.yaml +++ b/charts/falco/templates/service.yaml 
@@ -6,10 +6,14 @@ metadata: namespace: {{ include "falco.namespace" . }} labels: {{- include "falco.labels" . | nindent 4 }} + {{- with toYaml .Values.metrics.service.labels }} {{ toYaml .Values.metrics.service.labels | nindent 4 }} + {{- end }} type: "falco-metrics" + {{- with toYaml .Values.metrics.service.annotations }} annotations: {{ toYaml .Values.metrics.service.annotations | nindent 4 }} + {{- end }} spec: type: {{ .Values.metrics.service.type }} ports: From d4dc38c13788783e6e3bec7935b2079186b846f7 Mon Sep 17 00:00:00 2001 From: afreyermuth98 Date: Fri, 13 Sep 2024 11:13:48 +0200 Subject: [PATCH 08/10] :bug: Extra toYaml Signed-off-by: afreyermuth98 --- charts/falco/templates/service.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/falco/templates/service.yaml b/charts/falco/templates/service.yaml index f3084d8e..a45c903d 100644 --- a/charts/falco/templates/service.yaml +++ b/charts/falco/templates/service.yaml @@ -6,11 +6,11 @@ metadata: namespace: {{ include "falco.namespace" . }} labels: {{- include "falco.labels" . | nindent 4 }} - {{- with toYaml .Values.metrics.service.labels }} + {{- with .Values.metrics.service.labels }} {{ toYaml .Values.metrics.service.labels | nindent 4 }} {{- end }} type: "falco-metrics" - {{- with toYaml .Values.metrics.service.annotations }} + {{- with .Values.metrics.service.annotations }} annotations: {{ toYaml .Values.metrics.service.annotations | nindent 4 }} {{- end }} From ab43d47bf0034713968ab51391c46632fa9b4ecf Mon Sep 17 00:00:00 2001 From: afreyermuth98 Date: Fri, 13 Sep 2024 16:56:25 +0200 Subject: [PATCH 09/10] :wrench: Working on tests Signed-off-by: afreyermuth98 --- .../falco/tests/unit/serviceTemplate_test.go | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 charts/falco/tests/unit/serviceTemplate_test.go 
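Review bot: Inside `{{- with .Values.metrics.service.labels }}` the dot is rebound to the labels value, so the body's `toYaml .Values.metrics.service.labels` no longer resolves from the root context and is expected to fail at render time as soon as a label is actually set; the annotations block has the same problem. This applies to both the PATCH 07 and PATCH 08 hunks on this line. Use the rebound dot in both bodies, `{{- toYaml . | nindent 4 }}`; the leading `-` also removes the whitespace-only line the current form leaves behind. Separately, a user-supplied `type` key would duplicate the hard-coded `type: "falco-metrics"` label in the same mapping, so the `values.yaml` comment should say that this key is reserved.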
diff --git a/charts/falco/tests/unit/serviceTemplate_test.go b/charts/falco/tests/unit/serviceTemplate_test.go
new file mode 100644
index 00000000..1252216d
--- /dev/null
+++ b/charts/falco/tests/unit/serviceTemplate_test.go
@@ -0,0 +1,74 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package unit
+
+import (
+ "encoding/json"
+ "path/filepath"
+ "reflect"
+ "testing"
+
+ "github.com/gruntwork-io/terratest/modules/helm"
+ corev1 "k8s.io/api/core/v1"
+ "github.com/stretchr/testify/require"
+ "github.com/stretchr/testify/suite"
+)
+
+type serviceTemplateTest struct {
+ suite.Suite
+ chartPath string
+ releaseName string
+ namespace string
+ templates []string
+}
+
+func TestServiceTemplate(t *testing.T) {
+ t.Parallel()
+
+ chartFullPath, err := filepath.Abs(chartPath)
+ require.NoError(t, err)
+
+ suite.Run(t, &serviceTemplateTest{
+ Suite: suite.Suite{},
+ chartPath: chartFullPath,
+ releaseName: "falco-test",
+ namespace: "falco-namespace-test",
+ templates: []string{"templates/service.yaml"},
+ })
+}
+
+func (s *serviceTemplateTest) TestCreationDefaultValues() {
+ // Render the service and check that it has not been rendered.
+ _, err := helm.RenderTemplateE(s.T(), &helm.Options{}, s.chartPath, s.releaseName, s.templates)
+ s.Error(err, "should error")
+ s.Equal("error while running command: exit status 1; Error: could not find template templates/service.yaml in chart", err.Error())
+}
+
+
+func (s *serviceTemplateTest) TestDefaultLabelsValues() {
+ // Render the service and check that it has not been rendered.
+ output, err := helm.RenderTemplateE(s.T(), &helm.Options{}, s.chartPath, s.releaseName, s.templates)
+ s.Error(err, "should error")
+ s.Equal("error while running command: exit status 1; Error: could not find template templates/service.yaml in chart", err.Error())
+
+ var svc corev1.Service
+ helm.UnmarshalK8SYaml(s.T(), output, &svc)
+ s.Equal("falco", svc.Metadata.Labels["app.kubernetes.io/name"])
+ s.Equal("Helm", svc.Metadata.Labels["app.kubernetes.io/managed-by"])
+ s.Equal("0.38.2", svc.Metadata.Labels["app.kubernetes.io/version"])
+ s.Equal("falco-4.8.1", svc.Metadata.Labels["helm.sh/chart"])
+ s.Equal("falco-metrics", svc.Metadata.Labels["type"])
+}
From 01287e3e97f9d18b6c5d8699c19ae52b22555154 Mon Sep 17 00:00:00 2001
From: afreyermuth98
Date: Fri, 13 Sep 2024 18:22:15 +0200
Subject: [PATCH 10/10] :wrench: Reviews
Signed-off-by: afreyermuth98
---
 .../falco/tests/unit/serviceTemplate_test.go | 71 +++++++++++++++++--
 1 file changed, 65 insertions(+), 6 deletions(-)
diff --git a/charts/falco/tests/unit/serviceTemplate_test.go b/charts/falco/tests/unit/serviceTemplate_test.go
index 1252216d..1f76bcd2 100644
--- a/charts/falco/tests/unit/serviceTemplate_test.go
+++ b/charts/falco/tests/unit/serviceTemplate_test.go
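Review bot: The import block of the new test file in PATCH 09 pulls in `encoding/json` and `reflect`, and no line added by this hunk uses either; Go rejects unused imports, so the package would not compile as committed. `TestDefaultLabelsValues` also asserts that rendering fails with `could not find template` and then unmarshals `output` and checks labels on it, and those two expectations cannot both hold. Drop the two unused imports, and have the label test render with the metrics Service enabled (presumably via `metrics.enabled`, to be confirmed against the template's guard) and assert `s.NoError(err)`.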
@@ -57,18 +57,77 @@ func (s *serviceTemplateTest) TestCreationDefaultValues() { s.Equal("error while running command: exit status 1; Error: could not find template templates/service.yaml in chart", err.Error()) } - func (s *serviceTemplateTest) TestDefaultLabelsValues() { // Render the service and check that it has not been rendered. output, err := helm.RenderTemplateE(s.T(), &helm.Options{}, s.chartPath, s.releaseName, s.templates) s.Error(err, "should error") s.Equal("error while running command: exit status 1; Error: could not find template templates/service.yaml in chart", err.Error()) + + cInfo, err := chartInfo(s.T(), s.chartPath) + s.NoError(err) + // Get app version. + appVersion, found := cInfo["appVersion"] + s.True(found, "should find app version in chart info") + appVersion = appVersion.(string) + // Get chart version. + chartVersion, found := cInfo["version"] + s.True(found, "should find chart version in chart info") + // Get chart name. + chartName, found := cInfo["name"] + s.True(found, "should find chart name in chart info") + chartName = chartName.(string) + expectedLabels := map[string]string{ + "helm.sh/chart": fmt.Sprintf("%s-%s", chartName, chartVersion), + "app.kubernetes.io/name": chartName.(string), + "app.kubernetes.io/instance": s.releaseName, + "app.kubernetes.io/version": appVersion.(string), + "app.kubernetes.io/managed-by": "Helm", + } var svc corev1.Service helm.UnmarshalK8SYaml(s.T(), output, &svc) - s.Equal("falco", svc.Metadata.Labels["app.kubernetes.io/name"]) - s.Equal("Helm", svc.Metadata.Labels["app.kubernetes.io/managed-by"]) - s.Equal("0.38.2", svc.Metadata.Labels["app.kubernetes.io/version"]) - s.Equal("falco-4.8.1", svc.Metadata.Labels["helm.sh/chart"]) - s.Equal("falco-metrics", svc.Metadata.Labels["type"]) + labels := svc.GetLabels() + for key, value := range labels { + expectedVal := expectedLabels[key] + s.Equal(expectedVal, value) + } } + + +func (s *serviceTemplateTest) TestCustomLabelsValues() { + // Render the 
service and check that it has not been rendered. + options := &helm.Options{SetValues: map[string]string{"metrics.service.labels" : {"custom-label": "falco-label"}}} + output, err := helm.RenderTemplateE(s.T(), &helm.Options{}, s.chartPath, s.releaseName, s.templates) + s.Error(err, "should error") + s.Equal("error while running command: exit status 1; Error: could not find template templates/service.yaml in chart", err.Error()) + + + cInfo, err := chartInfo(s.T(), s.chartPath) + s.NoError(err) + // Get app version. + appVersion, found := cInfo["appVersion"] + s.True(found, "should find app version in chart info") + appVersion = appVersion.(string) + // Get chart version. + chartVersion, found := cInfo["version"] + s.True(found, "should find chart version in chart info") + // Get chart name. + chartName, found := cInfo["name"] + s.True(found, "should find chart name in chart info") + chartName = chartName.(string) + expectedLabels := map[string]string{ + "helm.sh/chart": fmt.Sprintf("%s-%s", chartName, chartVersion), + "app.kubernetes.io/name": chartName.(string), + "app.kubernetes.io/instance": s.releaseName, + "app.kubernetes.io/version": appVersion.(string), + "app.kubernetes.io/managed-by": "Helm", + } + var svc corev1.Service + helm.UnmarshalK8SYaml(s.T(), output, &svc) + labels := svc.GetLabels() + for key, value := range labels { + expectedVal := expectedLabels[key] + s.Equal(expectedVal, value) + } + s.Equal("falco-label", labels["custom-label"]) +} \ No newline at end of file
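Review bot: `TestCustomLabelsValues` builds `options` but passes a fresh `&helm.Options{}` to `RenderTemplateE`, so the custom label is never rendered, and the `SetValues` literal supplies a nested map where `map[string]string` needs a string, which does not compile. The hunk also calls `fmt.Sprintf` while the import block, which lies outside this hunk, was added in PATCH 09 without `fmt`. Both label tests still assert the `could not find template` error before reading `output`, and their loops range over the rendered labels, so a missing expected label goes unnoticed while the `type` and custom labels are compared against an empty string. The sketch below passes the options through, expects a successful render and ranges over `expectedLabels`; the same changes apply to `TestDefaultLabelsValues`.

```go
func (s *serviceTemplateTest) TestCustomLabelsValues() {
	// Render the metrics Service with one custom label.
	// Assumes the template is gated on metrics.enabled; confirm against service.yaml.
	options := &helm.Options{SetValues: map[string]string{
		"metrics.enabled":                     "true",
		"metrics.service.labels.custom-label": "falco-label",
	}}
	output, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates)
	s.NoError(err)

	// … unchanged: chartInfo lookup and expectedLabels map …

	var svc corev1.Service
	helm.UnmarshalK8SYaml(s.T(), output, &svc)
	labels := svc.GetLabels()
	// Range over the expectations so a label missing from the output fails the test.
	for key, want := range expectedLabels {
		s.Equal(want, labels[key])
	}
	s.Equal("falco-label", labels["custom-label"])
}
```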