New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
new(falco): add rule selection configuration in falco.yaml #3178
base: master
Are you sure you want to change the base?
new(falco): add rule selection configuration in falco.yaml #3178
Conversation
This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped. Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION. /hold |
I guess this is a false positive. |
44e5736
to
59ea565
Compare
Signed-off-by: Luca Guerra <luca@guerra.sh>
Signed-off-by: Luca Guerra <luca@guerra.sh>
59ea565
to
495c7d5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
LGTM label has been added. Git tree hash: b3c5a8310099e8d4525e0d575604bb9213817734
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: incertum, LucaGuerra The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/assign |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SGTM
cc @jasondellaluce @FedeDP for a second look
@@ -177,6 +177,39 @@ rules_files: | |||
- /etc/falco/falco_rules.local.yaml | |||
- /etc/falco/rules.d | |||
|
|||
# [Experimental] `rules` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# [Experimental] `rules` | |
# [Incubating] `rules` |
As per the upcoming adoption policy, this should be labeled as "Incubating".
This is not a blocker for this PR (since we can change it later), but maybe it is worth starting using new labels.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree
As suggested by Andrea, i'd deprecate |
@@ -90,6 +90,13 @@ void falco_configuration::init(const std::vector<std::string>& cmdline_options) | |||
load_yaml("default"); | |||
} | |||
|
|||
void falco_configuration::init_from_content(const std::string& config_content, const std::vector<std::string>& cmdline_options) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd rather add the config_content=""
optional argument to the old init
method (the one above) instead of adding a completely new method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think they are both just used by tests anyway.
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area engine
What this PR does / why we need it:
This is a rather straightforward implementation of #3174 (comment) . Essentially, it introduces two new ways of enabling/disabling rules without changing the rule files. Following the example:
This means: disable everything, enable all rules tagged
networking
, also enable the rule calledDirectory traversal monitored file
, then enable any rule matching the wildcard patternk8s_*
and disablek8s_noisy_rule
.You can achieve the same via the CLI
The new syntax
[]
allows to append a new element at the end of sequences, which is how the CLI works in this case.At this point, rule names support wildcard while tag names do not. I am a bit unsure about what to do with tag names. On one side, what you want to do is enable and disable them one by one so wildcards seem a bit too much there. On the other hand we currently allow to "intersect" the tags we want, such as only
networking
ANDexec
, which is not supported here. Perhaps we could add atags
option for that?Which issue(s) this PR fixes:
Fixes #3174
Special notes for your reviewer:
Does this PR introduce a user-facing change?: