Add support for Falco on OpenShift 4.6

[kkujawa-sumo]

Description

• Add MachineConfig to instal on nodes kernel-devel. Related to OpenShift under vsphere: Download failed, consider compiling your own falco module and loading it or getting in touch with the Falco community  falcosecurity/falco#1505 - missing kernel-devel on Red Hat Enterprise Linux CoreOS 46.82.202012151054-0 (Ootpa)

• Add init container to avoid of having falco pods in CrashLoopBackOff when nodes are waiting for being configured. Configuration of machines takes longer period of the time. Nodes are restarted to apply changes in configuration, see workflow for changing machine configuration.

Tested with:

helm upgrade --install collection -n sumologic -f deploy/helm/sumologic/values.yaml \
--set kube-prometheus-stack.prometheusOperator.enabled=false \
--set sumologic.accessId="dummy" \
--set sumologic.accessKey="dummy" \
--set sumologic.endpoint="http://receiver-mock.receiver-mock:3000/terraform/api/" \
--set sumologic.clusterName="clusterkasi" \
--set kube-prometheus-stack.prometheusOperator.enabled=false \
--set kube-prometheus-stack.prometheus-node-exporter.service.port=9200 \
--set kube-prometheus-stack.prometheus-node-exporter.service.targetPort=9200 \
--set sumologic.scc.create=true \
--set fluent-bit.securityContext.privileged=true \
--set falco.enabled=true \
deploy/helm/sumologic/

Tested migration from 2.0 using:

helm upgrade --install collection sumologic/sumologic  -n sumologic \
--set kube-prometheus-stack.prometheusOperator.enabled=false \
--set sumologic.accessId="dummy" \
--set sumologic.accessKey="dummy" \
--set sumologic.endpoint="http://receiver-mock.receiver-mock:3000/terraform/api/" \
--set sumologic.clusterName="clusterkasi" \
--set kube-prometheus-stack.prometheusOperator.enabled=false \
--set kube-prometheus-stack.prometheus-node-exporter.service.port=9200 \
--set kube-prometheus-stack.prometheus-node-exporter.service.targetPort=9200 \
--set sumologic.scc.create=true \
--set fluent-bit.securityContext.privileged=true \
--set falco.enabled=true \
--version=v2.0.0

helm upgrade --install collection -n sumologic -f deploy/helm/sumologic/values.yaml \
--set kube-prometheus-stack.prometheusOperator.enabled=false \
--set sumologic.accessId="dummy" \
--set sumologic.accessKey="dummy" \
--set sumologic.endpoint="http://receiver-mock.receiver-mock:3000/terraform/api/" \
--set sumologic.clusterName="clusterkasi" \
--set kube-prometheus-stack.prometheusOperator.enabled=false \
--set kube-prometheus-stack.prometheus-node-exporter.service.port=9200 \
--set kube-prometheus-stack.prometheus-node-exporter.service.targetPort=9200 \
--set sumologic.scc.create=true \
--set fluent-bit.securityContext.privileged=true \
--set falco.enabled=true \
deploy/helm/sumologic/

Tested on vagrant using sumo-make upgrade

---

Testing performed

• Redeploy fluentd and fluentd-events pods
• Confirm events, logs, and metrics are coming in

[pmalek-sumo]

Suggested change

	Falco does not provide modules for all kernels. When there is missing Falco module Falco tries to build it.
	Falco does not provide modules for all kernels.
	When Falco module is not available for particular kernel, Falco tries to build it.

[pmalek-sumo]

Suggested change

	Configuration of node can be verified by following annotations:
	Node configuration can be verified by following annotations:

[pmalek-sumo]

Suggested change

	Building of module requires `kernel-devel` package installed on nodes.
	Building a module requires `kernel-devel` package installed on nodes.

Sorry missed that nit.

[pmalek-sumo]

Suggested change

	For OpenShift installation of `kernel-devel` on nodes is provided through MachineConfig used by
	For OpenShift, installation of `kernel-devel` on nodes is provided through `MachineConfig` used by

[sumo-drosiek]

Should we backport it to 1.3?

[kkujawa-sumo]

I've found an issue on k8s without Openshift. I need to correct condition which is used in initContainer, please do not merge.

[kkujawa-sumo]

I've found an issue on k8s without Openshift. I need to correct condition which is used in initContainer, please do not merge.

I modified condition in initContainer:

-      command: ['sh', '-c', "until [ $(ls /host/usr/src/kernels) ]; do echo 'waiting for kernel headers to be installed'; sleep 3; done"]
+      command: ['sh', '-c', 'while [ -f /host/etc/redhat-release ] && [ -z "$(ls /host/usr/src/kernels)" ] ; do echo "waiting for kernel headers to be installed"; sleep 3; done']

[kkujawa-sumo]

Should we backport it to 1.3?

Yes, to support 1.3 on OpenShift 4

[perk-sumo]

Should we backport it to 1.3?

We don't provide OpenShift 4.6 support in the v1.3 releases.

[perk-sumo]

👍