diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b68c6d9e4..522171a70 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,7 +39,7 @@ jobs: helm repo add falcosecurity https://falcosecurity.github.io/charts - name: Run chart-releaser - uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0 + uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0 with: charts_dir: charts config: cr.yaml diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 94cc8728e..236c5e623 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,7 +22,7 @@ jobs: python-version: '3.x' - name: Set up chart-testing - uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 + uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0 - name: Run chart-testing (lint) run: ct lint --config ct.yaml @@ -75,7 +75,7 @@ jobs: run: helm dependency update ./charts/falco - name: Setup Go - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0 with: go-version: '1.21' check-latest: true diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md index 9ca813aa4..64f825bee 100644 --- a/charts/falco/CHANGELOG.md +++ b/charts/falco/CHANGELOG.md @@ -2,6 +2,13 @@ This file documents all notable changes to Falco Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v4.17.2 + +* update(falco): add ports definition in falco container spec + +## v4.17.1 + +* docs(falco): update README.md to reflect latest driver configuration and correct broken links ## v4.17.0 @@ -328,7 +335,7 @@ The new chart introduces some breaking changes. For folks upgrading Falco please ## v3.3.0 * Upgrade Falco to 0.35.1. For more info see the release notes: https://github.com/falcosecurity/falco/releases/tag/0.35.1 * Upgrade falcoctl to 0.5.1. For more info see the release notes: https://github.com/falcosecurity/falcoctl/releases/tag/v0.5.1 -* Introduce least privileged mode in modern ebpf. For more info see: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 +* Introduce least privileged mode in modern ebpf. For more info see: https://falco.org/docs/setup/container/#docker-least-privileged-modern-ebpf ## v3.2.1 * Set falco.http_output.url to empty string in values.yaml file diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml index a8be9c46a..14de30373 100644 --- a/charts/falco/Chart.yaml +++ b/charts/falco/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: falco -version: 4.17.0 +version: 4.17.2 appVersion: "0.39.2" description: Falco keywords: diff --git a/charts/falco/README.gotmpl b/charts/falco/README.gotmpl index d3a471b0d..02f10d9c5 100644 --- a/charts/falco/README.gotmpl +++ b/charts/falco/README.gotmpl @@ -53,11 +53,12 @@ Note that **a Falco instance can handle multiple event sources in parallel**. yo Falco needs a **driver** to analyze the system workload and pass security events to userspace. The supported drivers are: -* [Kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) -* [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) -* [Modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe) +* [Modern eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe) +* [Kernel module](https://falco.org/docs/concepts/event-sources/kernel/#kernel-module) +* [Legacy eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#legacy-ebpf-probe) + +The driver must be loaded on the node where Falco is running. Falco now prefers the **Modern eBPF probe** by default. When using **falcoctl** with `driver.kind=auto`, it will automatically choose the best driver for your system. Specifically, it first attempts to use the Modern eBPF probe (which is shipped directly within the Falco binary) and will fall back to the _kernel module_ or the _original eBPF probe_ if the necessary BPF features are not available. -The driver should be installed on the node where Falco is running. The _kernel module_ (default option) and the _eBPF probe_ are installed on the node through an *init container* (i.e. `falco-driver-loader`) that tries download a prebuilt driver or build it on-the-fly as a fallback. The _Modern eBPF probe_ doesn't require an init container because it is shipped directly into the Falco binary. However, the _Modern eBPF probe_ requires [recent BPF features](https://falco.org/docs/event-sources/kernel/#modern-ebpf-probe). ##### Pre-built drivers @@ -146,20 +147,24 @@ After the clarification of the different [**event sources**](#falco-event-source The chart deploys Falco using a `daemonset` or a `deployment` depending on the **event sources**. #### Daemonset -When using the [drivers](#about-the-driver), Falco is deployed as `daemonset`. By using a `daemonset`, k8s assures that a Falco instance will be running in each of our nodes even when we add new nodes to our cluster. So it is the perfect match when we need to monitor all the nodes in our cluster. +When using the [drivers](#about-the-driver), Falco is typically deployed as a `DaemonSet`. By using a DaemonSet, Kubernetes ensures that a Falco instance is running on each node even as new nodes are added to your cluster. This makes it a perfect fit for monitoring across the entire cluster. + +By default, with `driver.kind=auto`, the correct driver will will be automatically selected for each node. This is accomplished through the **driver loader** (implemented by `falcoctl`), which generates a new Falco configuration file and picks the right engine driver (Modern eBPF, kmod, or legacy eBPF) based on the underlying environment. If you prefer to manually force a specific driver, see the other available options below. **Kernel module** -To run Falco with the [kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) you can use the default values of the helm chart: + +To run Falco with the [eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#kernel-module) you just need to set `driver.kind=kmod` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco + --set driver.kind=kmod ``` -**eBPF probe** +**Legacy eBPF probe** -To run Falco with the [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: +To run Falco with the [eBPF probe](http://falco.org/docs/concepts/event-sources/kernel/#legacy-ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ @@ -177,9 +182,9 @@ helm install falco falcosecurity/falco \ -f "path-to-custom-values.yaml-file" ``` -**modern eBPF probe** +**Modern eBPF probe** -To run Falco with the [modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe-experimental) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: +To run Falco with the [modern eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ diff --git a/charts/falco/README.md b/charts/falco/README.md index d47e29f30..8b340c5f1 100644 --- a/charts/falco/README.md +++ b/charts/falco/README.md @@ -53,11 +53,11 @@ Note that **a Falco instance can handle multiple event sources in parallel**. yo Falco needs a **driver** to analyze the system workload and pass security events to userspace. The supported drivers are: -* [Kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) -* [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) -* [Modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe) +* [Modern eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe) +* [Kernel module](https://falco.org/docs/concepts/event-sources/kernel/#kernel-module) +* [Legacy eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#legacy-ebpf-probe) -The driver should be installed on the node where Falco is running. The _kernel module_ (default option) and the _eBPF probe_ are installed on the node through an *init container* (i.e. `falco-driver-loader`) that tries download a prebuilt driver or build it on-the-fly as a fallback. The _Modern eBPF probe_ doesn't require an init container because it is shipped directly into the Falco binary. However, the _Modern eBPF probe_ requires [recent BPF features](https://falco.org/docs/event-sources/kernel/#modern-ebpf-probe). +The driver must be loaded on the node where Falco is running. Falco now prefers the **Modern eBPF probe** by default. When using **falcoctl** with `driver.kind=auto`, it will automatically choose the best driver for your system. Specifically, it first attempts to use the Modern eBPF probe (which is shipped directly within the Falco binary) and will fall back to the _kernel module_ or the _original eBPF probe_ if the necessary BPF features are not available. ##### Pre-built drivers @@ -146,20 +146,24 @@ After the clarification of the different [**event sources**](#falco-event-source The chart deploys Falco using a `daemonset` or a `deployment` depending on the **event sources**. #### Daemonset -When using the [drivers](#about-the-driver), Falco is deployed as `daemonset`. By using a `daemonset`, k8s assures that a Falco instance will be running in each of our nodes even when we add new nodes to our cluster. So it is the perfect match when we need to monitor all the nodes in our cluster. +When using the [drivers](#about-the-driver), Falco is typically deployed as a `DaemonSet`. By using a DaemonSet, Kubernetes ensures that a Falco instance is running on each node even as new nodes are added to your cluster. This makes it a perfect fit for monitoring across the entire cluster. + +By default, with `driver.kind=auto`, the correct driver will will be automatically selected for each node. This is accomplished through the **driver loader** (implemented by `falcoctl`), which generates a new Falco configuration file and picks the right engine driver (Modern eBPF, kmod, or legacy eBPF) based on the underlying environment. If you prefer to manually force a specific driver, see the other available options below. **Kernel module** -To run Falco with the [kernel module](https://falco.org/docs/event-sources/drivers/#kernel-module) you can use the default values of the helm chart: + +To run Falco with the [eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#kernel-module) you just need to set `driver.kind=kmod` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ --create-namespace \ --namespace falco + --set driver.kind=kmod ``` -**eBPF probe** +**Legacy eBPF probe** -To run Falco with the [eBPF probe](https://falco.org/docs/event-sources/drivers/#ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: +To run Falco with the [eBPF probe](http://falco.org/docs/concepts/event-sources/kernel/#legacy-ebpf-probe) you just need to set `driver.kind=ebpf` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ @@ -177,9 +181,9 @@ helm install falco falcosecurity/falco \ -f "path-to-custom-values.yaml-file" ``` -**modern eBPF probe** +**Modern eBPF probe** -To run Falco with the [modern eBPF probe](https://falco.org/docs/event-sources/drivers/#modern-ebpf-probe-experimental) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: +To run Falco with the [modern eBPF probe](https://falco.org/docs/concepts/event-sources/kernel/#modern-ebpf-probe) you just need to set `driver.kind=modern_bpf` as shown in the following snippet: ```bash helm install falco falcosecurity/falco \ @@ -581,7 +585,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek ## Configuration -The following table lists the main configurable parameters of the falco chart v4.17.0 and their default values. See [values.yaml](./values.yaml) for full list. +The following table lists the main configurable parameters of the falco chart v4.17.2 and their default values. See [values.yaml](./values.yaml) for full list. ## Values @@ -618,7 +622,7 @@ The following table lists the main configurable parameters of the falco chart v4 | driver.ebpf.bufSizePreset | int | `4` | bufSizePreset determines the size of the shared space between Falco and its drivers. This shared space serves as a temporary storage for syscall events. | | driver.ebpf.dropFailedExit | bool | `false` | dropFailedExit if set true drops failed system call exit events before pushing them to userspace. | | driver.ebpf.hostNetwork | bool | `false` | Needed to enable eBPF JIT at runtime for performance reasons. Can be skipped if eBPF JIT is enabled from outside the container | -| driver.ebpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_SYS_ADMIN, CAP_SYS_PTRACE}. On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system. Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros. Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1 | +| driver.ebpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the eBPF driver is enabled (i.e., setting the `driver.kind` option to `ebpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_SYS_ADMIN, CAP_SYS_PTRACE}. On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system. Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros. Read more on that here: https://falco.org/docs/setup/container/#docker-least-privileged-ebpf-probe | | driver.ebpf.path | string | `"${HOME}/.falco/falco-bpf.o"` | path where the eBPF probe is located. It comes handy when the probe have been installed in the nodes using tools other than the init container deployed with the chart. | | driver.enabled | bool | `true` | Set it to false if you want to deploy Falco without the drivers. Always set it to false when using Falco with plugins. | | driver.gvisor | object | `{"runsc":{"config":"/run/containerd/runsc/config.toml","path":"/home/containerd/usr/local/sbin","root":"/run/containerd/runsc"}}` | Gvisor configuration. Based on your system you need to set the appropriate values. Please, remember to add pod tolerations and affinities in order to schedule the Falco pods in the gVisor enabled nodes. | @@ -642,7 +646,7 @@ The following table lists the main configurable parameters of the falco chart v4 | driver.modernEbpf.bufSizePreset | int | `4` | bufSizePreset determines the size of the shared space between Falco and its drivers. This shared space serves as a temporary storage for syscall events. | | driver.modernEbpf.cpusForEachBuffer | int | `2` | cpusForEachBuffer is the index that controls how many CPUs to assign to a single syscall buffer. | | driver.modernEbpf.dropFailedExit | bool | `false` | dropFailedExit if set true drops failed system call exit events before pushing them to userspace. | -| driver.modernEbpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the modern bpf driver is enabled (i.e., setting the `driver.kind` option to `modern-bpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}. Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 | +| driver.modernEbpf.leastPrivileged | bool | `false` | Constrain Falco with capabilities instead of running a privileged container. Ensure the modern bpf driver is enabled (i.e., setting the `driver.kind` option to `modern-bpf`). Capabilities used: {CAP_SYS_RESOURCE, CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}. Read more on that here: https://falco.org/docs/setup/container/#docker-least-privileged-ebpf-probe | | extra.args | list | `[]` | Extra command-line arguments. | | extra.env | list | `[]` | Extra environment variables that will be pass onto Falco containers. | | extra.initContainers | list | `[]` | Additional initContainers for Falco pods. | diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl index aa7eb3470..19b06b60a 100644 --- a/charts/falco/templates/pod-template.tpl +++ b/charts/falco/templates/pod-template.tpl @@ -109,6 +109,10 @@ spec: {{- end }} tty: {{ .Values.tty }} {{- if .Values.falco.webserver.enabled }} + ports: + - containerPort: {{ .Values.falco.webserver.listen_port }} + name: web + protocol: TCP livenessProbe: initialDelaySeconds: {{ .Values.healthChecks.livenessProbe.initialDelaySeconds }} timeoutSeconds: {{ .Values.healthChecks.livenessProbe.timeoutSeconds }} diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml index c73f6b6d1..50bc16b74 100644 --- a/charts/falco/values.yaml +++ b/charts/falco/values.yaml @@ -299,7 +299,7 @@ driver: # Capabilities used: {CAP_SYS_RESOURCE, CAP_SYS_ADMIN, CAP_SYS_PTRACE}. # On kernel versions >= 5.8 'CAP_PERFMON' and 'CAP_BPF' could replace 'CAP_SYS_ADMIN' but please pay attention to the 'kernel.perf_event_paranoid' value on your system. # Usually 'kernel.perf_event_paranoid>2' means that you cannot use 'CAP_PERFMON' and you should fallback to 'CAP_SYS_ADMIN', but the behavior changes across different distros. - # Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-1 + # Read more on that here: https://falco.org/docs/setup/container/#docker-least-privileged-ebpf-probe leastPrivileged: false # -- bufSizePreset determines the size of the shared space between Falco and its drivers. # This shared space serves as a temporary storage for syscall events. @@ -310,7 +310,7 @@ driver: # -- Constrain Falco with capabilities instead of running a privileged container. # Ensure the modern bpf driver is enabled (i.e., setting the `driver.kind` option to `modern-bpf`). # Capabilities used: {CAP_SYS_RESOURCE, CAP_BPF, CAP_PERFMON, CAP_SYS_PTRACE}. - # Read more on that here: https://falco.org/docs/event-sources/kernel/#least-privileged-mode-2 + # Read more on that here: https://falco.org/docs/setup/container/#docker-least-privileged-ebpf-probe leastPrivileged: false # -- bufSizePreset determines the size of the shared space between Falco and its drivers. # This shared space serves as a temporary storage for syscall events. @@ -410,7 +410,6 @@ collectors: # The path used here must not have a final '/'. hostProc: /host - ########################### # Extras and customization # ############################ @@ -522,8 +521,8 @@ falcoctl: # -- List of indexes that falcoctl downloads and uses to locate and download artiafcts. For more info see: # https://github.com/falcosecurity/falcoctl/blob/main/proposals/20220916-rules-and-plugin-distribution.md#index-file-overview indexes: - - name: falcosecurity - url: https://falcosecurity.github.io/falcoctl/index.yaml + - name: falcosecurity + url: https://falcosecurity.github.io/falcoctl/index.yaml # -- Configuration used by the artifact commands. artifact: # -- List of artifact types that falcoctl will handle. If the configured refs resolves to an artifact whose type is not contained @@ -578,7 +577,8 @@ serviceMonitor: # scraping metrics from a service. It allows you to define the details of the TLS connection, such as # CA certificate, client certificate, and client key. Currently, the k8s-metacollector does not support # TLS configuration for the metrics endpoint. - tlsConfig: {} + tlsConfig: + {} # insecureSkipVerify: false # caFile: /path/to/ca.crt # certFile: /path/to/client.crt @@ -704,7 +704,6 @@ falco: rule_matching: first - # [Incubating] `outputs_queue` # # -- Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter @@ -726,7 +725,6 @@ falco: outputs_queue: capacity: 0 - ################# # Falco plugins # ################# @@ -920,7 +918,6 @@ falco: # environment variable $HOME, and "evt.hostname" which will contain the hostname. append_output: [] - ########################## # Falco outputs channels # ########################## @@ -1412,7 +1409,6 @@ falco: include_empty_values: false kernel_event_counters_per_cpu_enabled: false - ####################################### # Falco performance tuning (advanced) # ####################################### @@ -1532,7 +1528,6 @@ falco: custom_set: [] repair: false - ############## # Falco libs # ############## diff --git a/go.mod b/go.mod index c79598c6a..47bec43f1 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/urfave/cli v1.22.2 // indirect golang.org/x/crypto v0.31.0 // indirect - golang.org/x/net v0.23.0 // indirect + golang.org/x/net v0.33.0 // indirect golang.org/x/oauth2 v0.8.0 // indirect golang.org/x/sys v0.28.0 // indirect golang.org/x/term v0.27.0 // indirect diff --git a/go.sum b/go.sum index 265bd70a2..53a16460f 100644 --- a/go.sum +++ b/go.sum @@ -148,8 +148,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I= +golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=