Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Falco 0.39.0 #739

Merged
merged 5 commits into from
Oct 1, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions charts/falco/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,23 @@
This file documents all notable changes to Falco Helm Chart. The release
numbering uses [semantic versioning](http://semver.org).

## v4.9.0
* Bump Falco to v0.39.0
* update(falco): add new configuration entries for Falco
This commit adds new config keys introduces in Falco 0.39.0.
Furthermore, updates the unit tests for the latest changes
in the values.yaml.
* cleanup(falco): remove deprecated falco configuration
This commit removes the "output" config key that has
been deprecated in falco.
* update(falco): mount proc filesystem for plugins
The following PR in libs https://github.com/falcosecurity/libs/pull/1969
introduces a new platform for plugins that requires access to the
proc filesystem.
* fix(falco): update broken link pointing to Falco docs
After the changes made by the following PR to the Falco docs https://github.com/falcosecurity/falco-website/pull/1362
this commit updates a broken link.

## v4.8.3

* The init container, when driver.kind=auto, automatically generates
Expand Down
4 changes: 2 additions & 2 deletions charts/falco/Chart.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: v2
name: falco
version: 4.8.3
appVersion: "0.38.2"
version: 4.9.0
appVersion: "0.39.0"
description: Falco
keywords:
- monitoring
Expand Down
2 changes: 1 addition & 1 deletion charts/falco/README.gotmpl
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ The cluster in our example has three nodes, one *control-plane* node and two *wo
### Falco, Event Sources and Kubernetes
Starting from Falco 0.31.0 the [new plugin system](https://falco.org/docs/plugins/) is stable and production ready. The **plugin system** can be seen as the next step in the evolution of Falco. Historically, Falco monitored system events from the **kernel** trying to detect malicious behaviors on Linux systems. It also had the capability to process k8s Audit Logs to detect suspicious activities in Kubernetes clusters. Since Falco 0.32.0 all the related code to the k8s Audit Logs in Falco was removed and ported in a [plugin](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit). At the time being Falco supports different event sources coming from **plugins** or **drivers** (system events).

Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/third-party/learning/#falco-with-multiple-sources).
Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/learning-environments/#falco-with-multiple-sources).

#### About Drivers

Expand Down
15 changes: 8 additions & 7 deletions charts/falco/README.md

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions charts/falco/templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -427,6 +427,7 @@ Based on the use input it populates the metrics configuration in the falco confi
{{- $_ = set .Values.falco.metrics "resource_utilization_enabled" .Values.metrics.resourceUtilizationEnabled -}}
{{- $_ = set .Values.falco.metrics "state_counters_enabled" .Values.metrics.stateCountersEnabled -}}
{{- $_ = set .Values.falco.metrics "kernel_event_counters_enabled" .Values.metrics.kernelEventCountersEnabled -}}
{{- $_ = set .Values.falco.metrics "kernel_event_counters_per_cpu_enabled" .Values.metrics.kernelEventCountersPerCPUEnabled -}}
{{- $_ = set .Values.falco.metrics "libbpf_stats_enabled" .Values.metrics.libbpfStatsEnabled -}}
{{- $_ = set .Values.falco.metrics "convert_memory_to_mb" .Values.metrics.convertMemoryToMB -}}
{{- $_ = set .Values.falco.metrics "include_empty_values" .Values.metrics.includeEmptyValues -}}
Expand Down
4 changes: 0 additions & 4 deletions charts/falco/templates/pod-template.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -135,10 +135,8 @@ spec:
{{- end }}
- mountPath: /root/.falco
name: root-falco-fs
{{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }}
- mountPath: /host/proc
name: proc-fs
{{- end }}
{{- if and .Values.driver.enabled (not .Values.driver.loader.enabled) }}
readOnly: true
- mountPath: /host/boot
Expand Down Expand Up @@ -289,11 +287,9 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }}
- name: proc-fs
hostPath:
path: /proc
{{- end }}
{{- if eq .Values.driver.kind "gvisor" }}
- name: runsc-path
hostPath:
Expand Down
51 changes: 28 additions & 23 deletions charts/falco/tests/unit/metricsConfig_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,16 +26,17 @@ import (
)

type metricsConfig struct {
Enabled bool `yaml:"enabled"`
ConvertMemoryToMB bool `yaml:"convert_memory_to_mb"`
IncludeEmptyValues bool `yaml:"include_empty_values"`
KernelEventCountersEnabled bool `yaml:"kernel_event_counters_enabled"`
ResourceUtilizationEnabled bool `yaml:"resource_utilization_enabled"`
RulesCountersEnabled bool `yaml:"rules_counters_enabled"`
LibbpfStatsEnabled bool `yaml:"libbpf_stats_enabled"`
OutputRule bool `yaml:"output_rule"`
StateCountersEnabled bool `yaml:"state_counters_enabled"`
Interval string `yaml:"interval"`
Enabled bool `yaml:"enabled"`
ConvertMemoryToMB bool `yaml:"convert_memory_to_mb"`
IncludeEmptyValues bool `yaml:"include_empty_values"`
KernelEventCountersEnabled bool `yaml:"kernel_event_counters_enabled"`
KernelEventCountersPerCPUEnabled bool `yaml:"kernel_event_counters_per_cpu_enabled"`
ResourceUtilizationEnabled bool `yaml:"resource_utilization_enabled"`
RulesCountersEnabled bool `yaml:"rules_counters_enabled"`
LibbpfStatsEnabled bool `yaml:"libbpf_stats_enabled"`
OutputRule bool `yaml:"output_rule"`
StateCountersEnabled bool `yaml:"state_counters_enabled"`
Interval string `yaml:"interval"`
}

type webServerConfig struct {
Expand Down Expand Up @@ -63,7 +64,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
"defaultValues",
nil,
func(t *testing.T, metricsConfig, webServerConfig any) {
require.Len(t, metricsConfig, 10, "should have ten items")
require.Len(t, metricsConfig, 11, "should have ten items")

metrics, err := getMetricsConfig(metricsConfig)
require.NoError(t, err)
Expand All @@ -78,6 +79,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
require.True(t, metrics.LibbpfStatsEnabled)
require.True(t, metrics.OutputRule)
require.True(t, metrics.StateCountersEnabled)
require.False(t, metrics.KernelEventCountersPerCPUEnabled)

webServer, err := getWebServerConfig(webServerConfig)
require.NoError(t, err)
Expand All @@ -92,7 +94,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
"metrics.enabled": "true",
},
func(t *testing.T, metricsConfig, webServerConfig any) {
require.Len(t, metricsConfig, 10, "should have ten items")
require.Len(t, metricsConfig, 11, "should have ten items")

metrics, err := getMetricsConfig(metricsConfig)
require.NoError(t, err)
Expand All @@ -107,6 +109,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
require.True(t, metrics.LibbpfStatsEnabled)
require.False(t, metrics.OutputRule)
require.True(t, metrics.StateCountersEnabled)
require.False(t, metrics.KernelEventCountersPerCPUEnabled)

webServer, err := getWebServerConfig(webServerConfig)
require.NoError(t, err)
Expand All @@ -118,19 +121,20 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
{
"Flip/Change Values",
map[string]string{
"metrics.enabled": "true",
"metrics.convertMemoryToMB": "false",
"metrics.includeEmptyValues": "true",
"metrics.kernelEventCountersEnabled": "false",
"metrics.resourceUtilizationEnabled": "false",
"metrics.rulesCountersEnabled": "false",
"metrics.libbpfStatsEnabled": "false",
"metrics.outputRule": "false",
"metrics.stateCountersEnabled": "false",
"metrics.interval": "1s",
"metrics.enabled": "true",
"metrics.convertMemoryToMB": "false",
"metrics.includeEmptyValues": "true",
"metrics.kernelEventCountersEnabled": "false",
"metrics.resourceUtilizationEnabled": "false",
"metrics.rulesCountersEnabled": "false",
"metrics.libbpfStatsEnabled": "false",
"metrics.outputRule": "false",
"metrics.stateCountersEnabled": "false",
"metrics.interval": "1s",
"metrics.kernelEventCountersPerCPUEnabled": "true",
},
func(t *testing.T, metricsConfig, webServerConfig any) {
require.Len(t, metricsConfig, 10, "should have ten items")
require.Len(t, metricsConfig, 11, "should have ten items")

metrics, err := getMetricsConfig(metricsConfig)
require.NoError(t, err)
Expand All @@ -145,6 +149,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) {
require.False(t, metrics.LibbpfStatsEnabled)
require.False(t, metrics.OutputRule)
require.False(t, metrics.StateCountersEnabled)
require.True(t, metrics.KernelEventCountersPerCPUEnabled)

webServer, err := getWebServerConfig(webServerConfig)
require.NoError(t, err)
Expand Down
80 changes: 56 additions & 24 deletions charts/falco/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -240,6 +240,8 @@ metrics:
convertMemoryToMB: true
# -- includeEmptyValues specifies whether the empty values should be included in the metrics.
includeEmptyValues: false
# -- kernelEventCountersPerCPUEnabled specifies whether the event counters per cpu should be enabled.
kernelEventCountersPerCPUEnabled: false
# -- service exposes the metrics service to be accessed from within the cluster.
# ref: https://kubernetes.io/docs/concepts/services-networking/service/
service:
Expand All @@ -265,8 +267,6 @@ mounts:
volumes: []
# -- A list of volumes you want to add to the Falco pods.
volumeMounts: []
# -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins).
enforceProcMount: false

# Driver settings (scenario requirement)
driver:
Expand Down Expand Up @@ -471,7 +471,7 @@ falcoctl:
# -- The image repository to pull from.
repository: falcosecurity/falcoctl
# -- The image tag to pull.
tag: "0.9.0"
tag: "0.10.0"
artifact:
# -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before
# Falco starts. It provides them to Falco by using an emptyDir volume.
Expand Down Expand Up @@ -834,37 +834,65 @@ falco:
# be added at a later stage, it is recommended to turn it off.
json_include_tags_property: true

# [Incubating] `json_include_message_property`
#
# When using JSON output in Falco, you have the option to include the formatted
# rule output without timestamp or priority. For instance, if a rule specifies
# an "output" property like "Opened process %proc.name" the "message" field will
# only contain "Opened process bash" whereas the "output" field will contain more
# information.
json_include_message_property: false

# [Stable] `buffered_outputs`
#
# -- Enabling buffering for the output queue can offer performance optimization,
# efficient resource usage, and smoother data flow, resulting in a more reliable
# output mechanism. By default, buffering is disabled (false).
buffered_outputs: false

# [Stable] `outputs`
#
# -- A throttling mechanism, implemented as a token bucket, can be used to control
# the rate of Falco outputs. Each event source has its own rate limiter,
# ensuring that alerts from one source do not affect the throttling of others.
# The following options control the mechanism:
# - rate: the number of tokens (i.e. right to send a notification) gained per
# second. When 0, the throttling mechanism is disabled. Defaults to 0.
# - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
# [Sandbox] `append_output`
#
# Add information to the Falco output.
# With this setting you can add more information to the Falco output message, customizable by
# rule, tag or source.
# You can also add additional data that will appear in the output_fields property
# of JSON formatted messages or gRPC output but will not be part of the regular output message.
# This allows you to add custom fields that can help you filter your Falco events without
# polluting the message text.
#
# Each append_output entry has an optional `match` map which specifies which rules will be
# affected.
# `match`:
# `rule`: append output only to a specific rule
# `source`: append output only to a specific source
# `tags`: append output only to rules that have all of the specified tags
# If none of the above are specified (or `match` is omitted)
# output is appended to all events.
# If more than one match condition is specified output will be appended to events
# that match all conditions.
# And several options to add output:
# `extra_output`: add output to the Falco message
# `extra_fields`: add new fields to the JSON output and structured output, which will not
# affect the regular Falco message in any way. These can be specified as a
# custom name with a custom format or as any supported field
# (see: https://falco.org/docs/reference/rules/supported-fields/)
#
# For example, setting the rate to 1 allows Falco to send up to 1000
# notifications initially, followed by 1 notification per second. The burst
# capacity is fully restored after 1000 seconds of no activity.
# Example:
#
# Throttling can be useful in various scenarios, such as preventing notification
# floods, managing system load, controlling event processing, or complying with
# rate limits imposed by external systems or APIs. It allows for better resource
# utilization, avoids overwhelming downstream systems, and helps maintain a
# balanced and controlled flow of notifications.
# append_output:
# - match:
# source: syscall
# extra_output: "on CPU %evt.cpu"
# extra_fields:
# - home_directory: "${HOME}"
# - evt.hostname
#
# With the default settings, the throttling mechanism is disabled.
outputs:
rate: 0
max_burst: 1000
# In the example above every event coming from the syscall source will get an extra message
# at the end telling the CPU number. In addition, if `json_output` is true, in the "output_fields"
# property you will find three new ones: "evt.cpu", "home_directory" which will contain the value of the
# environment variable $HOME, and "evt.hostname" which will contain the hostname.
append_output: []


##########################
# Falco outputs channels #
Expand Down Expand Up @@ -1323,6 +1351,9 @@ falco:
# counters reflect monotonic values since Falco's start and are exported at a
# constant stats interval.
#
# `kernel_event_counters_per_cpu_enabled`: Detailed kernel event and drop counters
# per CPU. Typically used when debugging and not in production.
#
# `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`,
# providing information such as the number of invocations of each BPF program
# attached by Falco and the time spent in each program measured in nanoseconds.
Expand Down Expand Up @@ -1352,6 +1383,7 @@ falco:
libbpf_stats_enabled: true
convert_memory_to_mb: true
include_empty_values: false
kernel_event_counters_per_cpu_enabled: false


#######################################
Expand Down