From 4b76549bf8f66fa2d1a8a16694cb884ec90af280 Mon Sep 17 00:00:00 2001
From: Katarzyna Kujawa <kkujawa@sumologic.com>
Date: Fri, 15 Jan 2021 10:12:25 +0100
Subject: [PATCH] Add support for falco on OpenShift 4.6 by adding
 MachineConfigs with kernel-devel extension

---
 deploy/docs/Troubleshoot_Collection.md        | 20 +++++++++++++++++
 deploy/helm/sumologic/README.md               |  2 ++
 deploy/helm/sumologic/templates/_helpers.tpl  | 16 ++++++++++++++
 .../machineconfig/machineconfig-master.yaml   | 15 +++++++++++++
 .../machineconfig/machineconfig-worker.yaml   | 15 +++++++++++++
 deploy/helm/sumologic/values.yaml             | 22 +++++++++++++++++++
 6 files changed, 90 insertions(+)
 create mode 100644 deploy/helm/sumologic/templates/machineconfig/machineconfig-master.yaml
 create mode 100644 deploy/helm/sumologic/templates/machineconfig/machineconfig-worker.yaml

diff --git a/deploy/docs/Troubleshoot_Collection.md b/deploy/docs/Troubleshoot_Collection.md
index 6079e98c91..c5b121f993 100644
--- a/deploy/docs/Troubleshoot_Collection.md
+++ b/deploy/docs/Troubleshoot_Collection.md
@@ -22,6 +22,7 @@
   - [Prometheus stuck in `Terminating` state after running `helm del collection`](#prometheus-stuck-in-terminating-state-after-running-helm-del-collection)
   - [Errors in helm installation](#errors-in-helm-installation)
   - [Rancher](#rancher)
+  - [Falco](#falco)
 
 <!-- /TOC -->
 
@@ -327,3 +328,22 @@ To install on `GKE`, use the provided override file to customize your configurat
   #ebpf:
   #  enabled: true
 ```
+
+### Falco
+
+Falco does not provide modules for all kernels.
+When Falco module is not available for particular kernel, Falco tries to build it.
+Building a module requires `kernel-devel` package installed on nodes.
+
+For OpenShift, installation of `kernel-devel` on nodes is provided through MachineConfig used by
+[Machine Config operator](https://github.com/openshift/machine-config-operator).
+When update of machine configuration is needed machine is rebooted, please see
+[documentation](https://github.com/openshift/machine-config-operator/blob/master/docs/MachineConfigDaemon.md#coordinating-updates).
+The process of changing nodes configuration may require long time
+during which Pods scheduled on unchanged nodes are in `Init` state.
+
+Node configuration can be verified by following annotations:
+
+- `machineconfiguration.openshift.io/currentConfig`
+- `machineconfiguration.openshift.io/desiredConfig`
+- `machineconfiguration.openshift.io/state`
diff --git a/deploy/helm/sumologic/README.md b/deploy/helm/sumologic/README.md
index acc24b2eda..29aca7eca5 100644
--- a/deploy/helm/sumologic/README.md
+++ b/deploy/helm/sumologic/README.md
@@ -212,6 +212,8 @@ Parameter | Description | Default
 `kube-prometheus-stack.prometheus-node-exporter.podAnnotations` | Additional annotations for prometheus-node-exporter pods. | `{}`
 `kube-prometheus-stack.prometheus-node-exporter.resources` | Resource limits for node exporter.  Uses sub-chart defaults. | `{}`
 `falco.enabled` | Flag to control deploying Falco Helm sub-chart. | `false`
+`falco.addKernelDevel` | Flag to control installation of `kernel-devel` on nodes using MachineConfig, required to build falco modules (only for OpenShift)| `true`
+`falco.extraInitContainers` | InitContainers for Falco pod |  `[{'name': 'init-falco', 'image': 'busybox', 'command': ['sh', '-c', 'while [ -f /host/etc/redhat-release ] && [ -z "$(ls /host/usr/src/kernels)" ] ; do\necho "waiting for kernel headers to be installed"\nsleep 3\ndone\n'], 'volumeMounts': [{'mountPath': '/host/usr', 'name': 'usr-fs', 'readOnly': True}, {'mountPath': '/host/etc', 'name': 'etc-fs', 'readOnly': True}]}]`
 `falco.ebpf.enabled` | Enable eBPF support for Falco instead of falco-probe kernel module. Set to false for GKE. | `true`
 `falco.falco.jsonOutput` | Output events in json. | `true`
 `telegraf-operator.enabled` | Flag to control deploying Telegraf Operator Helm sub-chart. | `false`
diff --git a/deploy/helm/sumologic/templates/_helpers.tpl b/deploy/helm/sumologic/templates/_helpers.tpl
index ae60d5a7c1..5620ab6a57 100644
--- a/deploy/helm/sumologic/templates/_helpers.tpl
+++ b/deploy/helm/sumologic/templates/_helpers.tpl
@@ -224,6 +224,22 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- template "sumologic.labels.app.cleanup" . }}
 {{- end -}}
 
+{{- define "sumologic.labels.app.machineconfig.worker" -}}
+{{- template "sumologic.fullname" . }}-worker-extensions
+{{- end -}}
+
+{{- define "sumologic.labels.machineconfig.worker" -}}
+machineconfiguration.openshift.io/role: worker
+{{- end -}}
+
+{{- define "sumologic.labels.app.machineconfig.master" -}}
+{{- template "sumologic.fullname" . }}-master-extensions
+{{- end -}}
+
+{{- define "sumologic.labels.machineconfig.master" -}}
+machineconfiguration.openshift.io/role: master
+{{- end -}}
+
 {{/*
 Generate cleanup job helm.sh annotations. It takes weight as parameter.
 
diff --git a/deploy/helm/sumologic/templates/machineconfig/machineconfig-master.yaml b/deploy/helm/sumologic/templates/machineconfig/machineconfig-master.yaml
new file mode 100644
index 0000000000..c618ac7d55
--- /dev/null
+++ b/deploy/helm/sumologic/templates/machineconfig/machineconfig-master.yaml
@@ -0,0 +1,15 @@
+{{- if and (eq .Values.sumologic.scc.create true) (.Capabilities.APIVersions.Has "security.openshift.io/v1")}}
+{{- if and (eq .Values.falco.enabled true) (eq .Values.falco.addKernelDevel true) }}
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    app: {{ template "sumologic.labels.app.machineconfig.master" . }}
+    {{- include "sumologic.labels.machineconfig.master" . | nindent 4 }}
+    {{- include "sumologic.labels.common" . | nindent 4 }}
+  name: {{ template "sumologic.labels.app.machineconfig.master" . }}
+spec:
+  extensions:
+    - kernel-devel
+{{- end }}
+{{- end }}
diff --git a/deploy/helm/sumologic/templates/machineconfig/machineconfig-worker.yaml b/deploy/helm/sumologic/templates/machineconfig/machineconfig-worker.yaml
new file mode 100644
index 0000000000..50ffa75c42
--- /dev/null
+++ b/deploy/helm/sumologic/templates/machineconfig/machineconfig-worker.yaml
@@ -0,0 +1,15 @@
+{{- if and (eq .Values.sumologic.scc.create true) (.Capabilities.APIVersions.Has "security.openshift.io/v1")}}
+{{- if and (eq .Values.falco.enabled true) (eq .Values.falco.addKernelDevel true) }}
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    app: {{ template "sumologic.labels.app.machineconfig.worker" . }}
+    {{- include "sumologic.labels.machineconfig.worker" . | nindent 4 }}
+    {{- include "sumologic.labels.common" . | nindent 4 }}
+  name: {{ template "sumologic.labels.app.machineconfig.worker" . }}
+spec:
+  extensions:
+    - kernel-devel
+{{- end }}
+{{- end}}
diff --git a/deploy/helm/sumologic/values.yaml b/deploy/helm/sumologic/values.yaml
index da48f959eb..56d495ecb9 100644
--- a/deploy/helm/sumologic/values.yaml
+++ b/deploy/helm/sumologic/values.yaml
@@ -2193,6 +2193,28 @@ telegraf-operator:
 ## https://github.com/falcosecurity/charts/tree/master/falco
 falco:
   enabled: false
+  # Add kernel-devel package through MachineConfig, required to enable building of missing falco modules (only for OpenShift)
+  addKernelDevel: true
+  # Add initContainers to Falco pod
+  extraInitContainers:
+    # Add initContainer to wait until kernel-devel is installed on host
+    - name: init-falco
+      image: busybox
+      command:
+        - 'sh'
+        - '-c'
+        - |
+          while [ -f /host/etc/redhat-release ] && [ -z "$(ls /host/usr/src/kernels)" ] ; do
+          echo "waiting for kernel headers to be installed"
+          sleep 3
+          done
+      volumeMounts:
+        - mountPath: /host/usr
+          name: usr-fs
+          readOnly: true
+        - mountPath: /host/etc
+          name: etc-fs
+          readOnly: true
   # ebpf:
   #   enabled: true
   falco: