WIP: Falco 0.39.0

charts/falco/CHANGELOG.md

@@ -3,6 +3,23 @@
 This file documents all notable changes to Falco Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## v4.9.0
+* Bump Falco to v0.39.0
+* update(falco): add new configuration entries for Falco
+  This commit adds new config keys introduces in Falco 0.39.0.
+  Furthermore, updates the unit tests for the latest changes
+  in the values.yaml.
+* cleanup(falco): remove deprecated falco configuration
+  This commit removes the "output" config key that has
+  been deprecated in falco.
+* update(falco): mount proc filesystem for plugins
+  The following PR in libs https://github.com/falcosecurity/libs/pull/1969
+  introduces a new platform for plugins that requires access to the
+  proc filesystem.
+* fix(falco): update broken link pointing to Falco docs
+  After the changes made by the following PR to the Falco docs https://github.com/falcosecurity/falco-website/pull/1362
+  this commit updates a broken link.
+
 ## v4.8.3
 
 * The init container, when driver.kind=auto, automatically generates

charts/falco/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: falco
-version: 4.8.3
-appVersion: "0.38.2"
+version: 4.9.0
+appVersion: "0.39.0-rc2"
 description: Falco
 keywords:
   - monitoring

charts/falco/README.gotmpl

@@ -47,7 +47,7 @@ The cluster in our example has three nodes, one *control-plane* node and two *wo
 ### Falco, Event Sources and Kubernetes
 Starting from Falco 0.31.0 the [new plugin system](https://falco.org/docs/plugins/) is stable and production ready. The **plugin system** can be seen as the next step in the evolution of Falco. Historically, Falco monitored system events from the **kernel** trying to detect malicious behaviors on Linux systems. It also had the capability to process k8s Audit Logs to detect suspicious activities in Kubernetes clusters. Since Falco 0.32.0 all the related code to the k8s Audit Logs in Falco was removed and ported in a [plugin](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit). At the time being Falco supports different event sources coming from **plugins** or **drivers** (system events).
 
-Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/third-party/learning/#falco-with-multiple-sources).
+Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/learning-environments/#falco-with-multiple-sources).
 
 #### About Drivers
 

charts/falco/templates/_helpers.tpl

@@ -427,6 +427,7 @@ Based on the use input it populates the metrics configuration in the falco confi
 {{- $_ = set .Values.falco.metrics "resource_utilization_enabled" .Values.metrics.resourceUtilizationEnabled -}}
 {{- $_ = set .Values.falco.metrics "state_counters_enabled" .Values.metrics.stateCountersEnabled -}}
 {{- $_ = set .Values.falco.metrics "kernel_event_counters_enabled" .Values.metrics.kernelEventCountersEnabled -}}
+{{- $_ = set .Values.falco.metrics "kernel_event_counters_per_cpu_enabled" .Values.metrics.kernelEventCountersPerCPUEnabled -}}
 {{- $_ = set .Values.falco.metrics "libbpf_stats_enabled" .Values.metrics.libbpfStatsEnabled -}}
 {{- $_ = set .Values.falco.metrics "convert_memory_to_mb" .Values.metrics.convertMemoryToMB -}}
 {{- $_ = set .Values.falco.metrics "include_empty_values" .Values.metrics.includeEmptyValues -}}

charts/falco/templates/pod-template.tpl

@@ -135,10 +135,8 @@ spec:
       {{- end }}
         - mountPath: /root/.falco
           name: root-falco-fs
-        {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }}
         - mountPath: /host/proc
           name: proc-fs
-        {{- end }}
         {{- if and .Values.driver.enabled (not .Values.driver.loader.enabled) }}
           readOnly: true
         - mountPath: /host/boot
@@ -289,11 +287,9 @@ spec:
     {{- end }}
     {{- end }}
     {{- end }}
-    {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }}
     - name: proc-fs
       hostPath:
         path: /proc
-    {{- end }}
     {{- if eq .Values.driver.kind "gvisor" }}
     - name: runsc-path
       hostPath:

charts/falco/tests/unit/metricsConfig_test.go

@@ -26,16 +26,17 @@ import (
 )
 
 type metricsConfig struct {
-	Enabled                    bool   `yaml:"enabled"`
-	ConvertMemoryToMB          bool   `yaml:"convert_memory_to_mb"`
-	IncludeEmptyValues         bool   `yaml:"include_empty_values"`
-	KernelEventCountersEnabled bool   `yaml:"kernel_event_counters_enabled"`
-	ResourceUtilizationEnabled bool   `yaml:"resource_utilization_enabled"`
-	RulesCountersEnabled       bool   `yaml:"rules_counters_enabled"`
-	LibbpfStatsEnabled         bool   `yaml:"libbpf_stats_enabled"`
-	OutputRule                 bool   `yaml:"output_rule"`
-	StateCountersEnabled       bool   `yaml:"state_counters_enabled"`
-	Interval                   string `yaml:"interval"`
+	Enabled                          bool   `yaml:"enabled"`
+	ConvertMemoryToMB                bool   `yaml:"convert_memory_to_mb"`
+	IncludeEmptyValues               bool   `yaml:"include_empty_values"`
+	KernelEventCountersEnabled       bool   `yaml:"kernel_event_counters_enabled"`
+	KernelEventCountersPerCPUEnabled bool   `yaml:"kernel_event_counters_per_cpu_enabled"`
+	ResourceUtilizationEnabled       bool   `yaml:"resource_utilization_enabled"`
+	RulesCountersEnabled             bool   `yaml:"rules_counters_enabled"`
+	LibbpfStatsEnabled               bool   `yaml:"libbpf_stats_enabled"`
+	OutputRule                       bool   `yaml:"output_rule"`
+	StateCountersEnabled             bool   `yaml:"state_counters_enabled"`
+	Interval                         string `yaml:"interval"`
 }
 
 type webServerConfig struct {
@@ -63,7 +64,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
 			"defaultValues",
 			nil,
 			func(t *testing.T, metricsConfig, webServerConfig any) {
-				require.Len(t, metricsConfig, 10, "should have ten items")
+				require.Len(t, metricsConfig, 11, "should have ten items")
 
 				metrics, err := getMetricsConfig(metricsConfig)
 				require.NoError(t, err)
@@ -78,6 +79,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
 				require.True(t, metrics.LibbpfStatsEnabled)
 				require.True(t, metrics.OutputRule)
 				require.True(t, metrics.StateCountersEnabled)
+				require.False(t, metrics.KernelEventCountersPerCPUEnabled)
 
 				webServer, err := getWebServerConfig(webServerConfig)
 				require.NoError(t, err)
@@ -92,7 +94,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
 				"metrics.enabled": "true",
 			},
 			func(t *testing.T, metricsConfig, webServerConfig any) {
-				require.Len(t, metricsConfig, 10, "should have ten items")
+				require.Len(t, metricsConfig, 11, "should have ten items")
 
 				metrics, err := getMetricsConfig(metricsConfig)
 				require.NoError(t, err)
@@ -107,6 +109,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
 				require.True(t, metrics.LibbpfStatsEnabled)
 				require.False(t, metrics.OutputRule)
 				require.True(t, metrics.StateCountersEnabled)
+				require.False(t, metrics.KernelEventCountersPerCPUEnabled)
 
 				webServer, err := getWebServerConfig(webServerConfig)
 				require.NoError(t, err)
@@ -118,19 +121,20 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
 		{
 			"Flip/Change Values",
 			map[string]string{
-				"metrics.enabled":                    "true",
-				"metrics.convertMemoryToMB":          "false",
-				"metrics.includeEmptyValues":         "true",
-				"metrics.kernelEventCountersEnabled": "false",
-				"metrics.resourceUtilizationEnabled": "false",
-				"metrics.rulesCountersEnabled":       "false",
-				"metrics.libbpfStatsEnabled":         "false",
-				"metrics.outputRule":                 "false",
-				"metrics.stateCountersEnabled":       "false",
-				"metrics.interval":                   "1s",
+				"metrics.enabled":                          "true",
+				"metrics.convertMemoryToMB":                "false",
+				"metrics.includeEmptyValues":               "true",
+				"metrics.kernelEventCountersEnabled":       "false",
+				"metrics.resourceUtilizationEnabled":       "false",
+				"metrics.rulesCountersEnabled":             "false",
+				"metrics.libbpfStatsEnabled":               "false",
+				"metrics.outputRule":                       "false",
+				"metrics.stateCountersEnabled":             "false",
+				"metrics.interval":                         "1s",
+				"metrics.kernelEventCountersPerCPUEnabled": "true",
 			},
 			func(t *testing.T, metricsConfig, webServerConfig any) {
-				require.Len(t, metricsConfig, 10, "should have ten items")
+				require.Len(t, metricsConfig, 11, "should have ten items")
 
 				metrics, err := getMetricsConfig(metricsConfig)
 				require.NoError(t, err)
@@ -145,6 +149,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
 				require.False(t, metrics.LibbpfStatsEnabled)
 				require.False(t, metrics.OutputRule)
 				require.False(t, metrics.StateCountersEnabled)
+				require.True(t, metrics.KernelEventCountersPerCPUEnabled)
 
 				webServer, err := getWebServerConfig(webServerConfig)
 				require.NoError(t, err)

charts/falco/values.yaml

@@ -240,6 +240,8 @@ metrics:
   convertMemoryToMB: true
   # -- includeEmptyValues specifies whether the empty values should be included in the metrics.
   includeEmptyValues: false
+  # -- kernelEventCountersPerCPUEnabled specifies whether the event counters per cpu should be enabled.
+  kernelEventCountersPerCPUEnabled: false
   # -- service exposes the metrics service to be accessed from within the cluster.
   # ref: https://kubernetes.io/docs/concepts/services-networking/service/
   service:
@@ -265,8 +267,6 @@ mounts:
   volumes: []
   # -- A list of volumes you want to add to the Falco pods.
   volumeMounts: []
-  # -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins).
-  enforceProcMount: false
 
 # Driver settings (scenario requirement)
 driver:
@@ -471,7 +471,7 @@ falcoctl:
     # -- The image repository to pull from.
     repository: falcosecurity/falcoctl
     # -- The image tag to pull.
-    tag: "0.9.0"
+    tag: "0.10.0"
   artifact:
     # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before
     # Falco starts. It provides them to Falco by using an emptyDir volume.
@@ -834,37 +834,65 @@ falco:
   # be added at a later stage, it is recommended to turn it off.
   json_include_tags_property: true
 
+  # [Incubating] `json_include_message_property`
+  #
+  # When using JSON output in Falco, you have the option to include the formatted
+  # rule output without timestamp or priority. For instance, if a rule specifies
+  # an "output" property like "Opened process %proc.name" the "message" field will
+  # only contain "Opened process bash" whereas the "output" field will contain more
+  # information.
+  json_include_message_property: false
+
   # [Stable] `buffered_outputs`
   #
   # -- Enabling buffering for the output queue can offer performance optimization,
   # efficient resource usage, and smoother data flow, resulting in a more reliable
   # output mechanism. By default, buffering is disabled (false).
   buffered_outputs: false
 
-  # [Stable] `outputs`
-  #
-  # -- A throttling mechanism, implemented as a token bucket, can be used to control
-  # the rate of Falco outputs. Each event source has its own rate limiter,
-  # ensuring that alerts from one source do not affect the throttling of others.
-  # The following options control the mechanism:
-  #  - rate: the number of tokens (i.e. right to send a notification) gained per
-  #    second. When 0, the throttling mechanism is disabled. Defaults to 0.
-  #  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
+  # [Sandbox] `append_output`
+  #
+  # Add information to the Falco output.
+  # With this setting you can add more information to the Falco output message, customizable by
+  # rule, tag or source.
+  # You can also add additional data that will appear in the output_fields property
+  # of JSON formatted messages or gRPC output but will not be part of the regular output message.
+  # This allows you to add custom fields that can help you filter your Falco events without
+  # polluting the message text.
+  #
+  # Each append_output entry has an optional `match` map which specifies which rules will be
+  # affected.
+  # `match`:
+  #   `rule`: append output only to a specific rule
+  #   `source`: append output only to a specific source
+  #   `tags`: append output only to rules that have all of the specified tags
+  # If none of the above are specified (or `match` is omitted)
+  # output is appended to all events.
+  # If more than one match condition is specified output will be appended to events
+  # that match all conditions.
+  # And several options to add output:
+  #   `extra_output`: add output to the Falco message
+  #   `extra_fields`: add new fields to the JSON output and structured output, which will not
+  #             affect the regular Falco message in any way. These can be specified as a
+  #             custom name with a custom format or as any supported field
+  #             (see: https://falco.org/docs/reference/rules/supported-fields/)
   #
-  # For example, setting the rate to 1 allows Falco to send up to 1000
-  # notifications initially, followed by 1 notification per second. The burst
-  # capacity is fully restored after 1000 seconds of no activity.
+  # Example:
   #
-  # Throttling can be useful in various scenarios, such as preventing notification
-  # floods, managing system load, controlling event processing, or complying with
-  # rate limits imposed by external systems or APIs. It allows for better resource
-  # utilization, avoids overwhelming downstream systems, and helps maintain a
-  # balanced and controlled flow of notifications.
+  # append_output:
+  #   - match:
+  #       source: syscall
+  #     extra_output: "on CPU %evt.cpu"
+  #     extra_fields:
+  #       - home_directory: "${HOME}"
+  #       - evt.hostname
   #
-  # With the default settings, the throttling mechanism is disabled.
-  outputs:
-    rate: 0
-    max_burst: 1000
+  # In the example above every event coming from the syscall source will get an extra message
+  # at the end telling the CPU number. In addition, if `json_output` is true, in the "output_fields"
+  # property you will find three new ones: "evt.cpu", "home_directory" which will contain the value of the
+  # environment variable $HOME, and "evt.hostname" which will contain the hostname.
+  append_output: []
+
 
   ##########################
   # Falco outputs channels #
@@ -1323,6 +1351,9 @@ falco:
   # counters reflect monotonic values since Falco's start and are exported at a
   # constant stats interval.
   #
+  # `kernel_event_counters_per_cpu_enabled`: Detailed kernel event and drop counters
+  # per CPU. Typically used when debugging and not in production.
+  #
   # `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`,
   # providing information such as the number of invocations of each BPF program
   # attached by Falco and the time spent in each program measured in nanoseconds.
@@ -1352,6 +1383,7 @@ falco:
     libbpf_stats_enabled: true
     convert_memory_to_mb: true
     include_empty_values: false
+    kernel_event_counters_per_cpu_enabled: false
 
 
   #######################################