From a8a48d2ad257ae32c36a6610bafd5f134195790d Mon Sep 17 00:00:00 2001
From: Dominik Rosiek
Date: Tue, 29 Nov 2022 11:47:24 +0100
Subject: [PATCH 1/5] chore: upgrade falco to 2.4.2
Signed-off-by: Dominik Rosiek
---
 CHANGELOG.md | 2 ++
 deploy/helm/sumologic/Chart.yaml | 2 +-
 deploy/helm/sumologic/values.yaml | 33 +++++++------------------------
 docs/v3-migration-doc.md | 4 ++++
 4 files changed, 14 insertions(+), 27 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 304fb343ad..3f6f5f0983 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -30,6 +30,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - feat(events)!: add config.merge option [#2643]
 - feat(terraform)!: expect load_config_file to be not set [#2648]
 - feat(otellogs)!: add config.merge option [#2652]
+- chore!: upgrade falco to 2.4.2 [#2659]
 
 ### Changed
 
@@ -92,6 +93,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 [#2649]: https://github.com/SumoLogic/sumologic-kubernetes-collection/pull/2649
 [#2654]: https://github.com/SumoLogic/sumologic-kubernetes-collection/pull/2654
 [#2652]: https://github.com/SumoLogic/sumologic-kubernetes-collection/pull/2652
+[#2659]: https://github.com/SumoLogic/sumologic-kubernetes-collection/pull/2659
 [Unreleased]: https://github.com/SumoLogic/sumologic-kubernetes-collection/compare/v2.17.0...main
 [telegraf_operator_comapare_1.3.5_and_1.3.10]: https://github.com/influxdata/helm-charts/compare/telegraf-operator-1.3.5...telegraf-operator-1.3.10
 [cert-manager-1.4]: https://github.com/cert-manager/cert-manager/releases/tag/v1.4.0
diff --git a/deploy/helm/sumologic/Chart.yaml b/deploy/helm/sumologic/Chart.yaml
index d79aaed916..efa4bf73d4 100644
--- a/deploy/helm/sumologic/Chart.yaml
+++ b/deploy/helm/sumologic/Chart.yaml
@@ -21,7 +21,7 @@ dependencies:
     repository: https://prometheus-community.github.io/helm-charts
     condition: kube-prometheus-stack.enabled,sumologic.metrics.enabled
   - name: falco
-    version: 1.18.6
+    version: 2.4.2
     repository: https://falcosecurity.github.io/charts
     condition: falco.enabled
   - name: metrics-server
diff --git a/deploy/helm/sumologic/values.yaml b/deploy/helm/sumologic/values.yaml
index 7b1bb8565a..9e23165a9a 100644
--- a/deploy/helm/sumologic/values.yaml
+++ b/deploy/helm/sumologic/values.yaml
@@ -4265,42 +4265,23 @@ falco:
   image:
     registry: public.ecr.aws
     repository: sumologic/falco
-    # pullSecrets: []
-
-  ## Add kernel-devel package through MachineConfig, required to enable building of missing falco modules (only for OpenShift)
-  addKernelDevel: true
-  ## Add initContainers to Falco pod
-  extraInitContainers:
-    ## Add initContainer to wait until kernel-devel is installed on host
-    - name: init-falco
-      image: public.ecr.aws/docker/library/busybox
-      command:
-        - 'sh'
-        - '-c'
-        - |
-          while [ -f /host/etc/redhat-release ] && [ -z "$(ls /host/usr/src/kernels)" ] ; do
-            echo "waiting for kernel headers to be installed"
-            sleep 3
-          done
-      volumeMounts:
-        - mountPath: /host/usr
-          name: usr-fs
-          readOnly: true
-        - mountPath: /host/etc
-          name: etc-fs
-          readOnly: true
+    pullSecrets: []
+
   ## Enable eBPF support for Falco instead of falco-probe kernel module.
   ## Set to true for GKE, for details see:
   ## https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/main/docs/troubleshoot-collection.md#falco-and-google-kubernetes-engine-gke
   # ebpf:
   #   enabled: true
   falco:
-    jsonOutput: true
+    load_plugins:
+    - json
+    - k8saudit
+    json_output: true
     ## The location of the rules file(s). This can contain one or more paths to
     ## separate rules files.
     ## Explicitly add missing /etc/falco/rules.available/application_rules.yaml
     ## before https://github.com/falcosecurity/charts/issues/230 gets resolved.
-    rulesFile:
+    rules_file:
       - /etc/falco/falco_rules.yaml
       - /etc/falco/falco_rules.local.yaml
       - /etc/falco/k8s_audit_rules.yaml
diff --git a/docs/v3-migration-doc.md b/docs/v3-migration-doc.md
index 16c622b85b..d5d1694c41 100644
--- a/docs/v3-migration-doc.md
+++ b/docs/v3-migration-doc.md
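Review bot: `load_plugins` now enables `k8saudit`, but nothing in this hunk configures the plugin itself (`falco.plugins` is not touched), so the chart's default k8saudit settings apply — in the upstream chart those, as far as I recall, make Falco listen on an HTTP endpoint for audit-webhook posts, so the effective listen address and its exposure (Service, NetworkPolicy) should be confirmed from the rendered manifests. I would add a comment above `load_plugins:` such as `## k8saudit receives apiserver audit events over HTTP; the listen address comes from the chart's falco.plugins defaults`. The `rules_file` list still points at `/etc/falco/k8s_audit_rules.yaml`; I believe a missing rules path is a startup error rather than a warning, so check that the image pulled with chart 2.4.2 still ships that file. The `rules_file` list may continue past the hunk's last line, so the comment about `application_rules.yaml` cannot be checked against the full list here.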
@@ -32,6 +32,8 @@ In this document we detail the changes as well as the exact steps for migration.
   or overwrite default configuration `metadata.metrics.config.override`
 - Removing support for `sumologic.cluster.load_config_file`.
   Leaving this configuration will result in setup job failure.
+- Upgrading Falco helm chart to `v2.4.2` which changed their configuration:
+  Please validate and adjust your configuration to new version according to [Falco documentation]
 
 ## How to upgrade
 
@@ -120,3 +122,5 @@ If you're using `otelcol` as the logs/metrics metadata provider, please run one
 kubectl delete sts --namespace=my-namespace --cascade=false my-release-sumologic-otelcol-logs
 kubectl delete sts --namespace=my-namespace --cascade=false my-release-sumologic-otelcol-metrics
 ```
+
+[Falco documentation]: https://github.com/falcosecurity/charts/tree/falco-2.4.2/falco
From 4135f1eb50eec0bd3aeee40ca4c159a95f6eea01 Mon Sep 17 00:00:00 2001
From: Dominik Rosiek <58699848+sumo-drosiek@users.noreply.github.com>
Date: Tue, 29 Nov 2022 12:27:34 +0100
Subject: [PATCH 2/5] Update deploy/helm/sumologic/values.yaml
---
 deploy/helm/sumologic/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/helm/sumologic/values.yaml b/deploy/helm/sumologic/values.yaml
index 9e23165a9a..18cf5ff3e7 100644
--- a/deploy/helm/sumologic/values.yaml
+++ b/deploy/helm/sumologic/values.yaml
@@ -4265,7 +4265,7 @@ falco:
   image:
     registry: public.ecr.aws
     repository: sumologic/falco
-    pullSecrets: []
+    # pullSecrets: []
 
   ## Enable eBPF support for Falco instead of falco-probe kernel module.
   ## Set to true for GKE, for details see:
From 4d298155b368413c8d923839967b563dcf29e670 Mon Sep 17 00:00:00 2001
From: Dominik Rosiek <58699848+sumo-drosiek@users.noreply.github.com>
Date: Tue, 29 Nov 2022 12:28:30 +0100
Subject: [PATCH 3/5] Update deploy/helm/sumologic/values.yaml
---
 deploy/helm/sumologic/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy/helm/sumologic/values.yaml b/deploy/helm/sumologic/values.yaml
index 18cf5ff3e7..4bb98c65c2 100644
--- a/deploy/helm/sumologic/values.yaml
+++ b/deploy/helm/sumologic/values.yaml
@@ -4274,8 +4274,8 @@ falco:
   #   enabled: true
   falco:
     load_plugins:
-    - json
-    - k8saudit
+      - json
+      - k8saudit
     json_output: true
     ## The location of the rules file(s). This can contain one or more paths to
     ## separate rules files.
From ad0df653eda285cfaaeeb0d1b72c40b4d4bdb2a8 Mon Sep 17 00:00:00 2001
From: Dominik Rosiek
Date: Wed, 30 Nov 2022 10:50:36 +0100
Subject: [PATCH 4/5] fix: fix openshift installation
Signed-off-by: Dominik Rosiek
---
 deploy/helm/sumologic/values.yaml | 36 +++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/deploy/helm/sumologic/values.yaml b/deploy/helm/sumologic/values.yaml
index 4bb98c65c2..c9c1dd9f80 100644
--- a/deploy/helm/sumologic/values.yaml
+++ b/deploy/helm/sumologic/values.yaml
@@ -4264,14 +4264,42 @@ falco:
   enabled: false
   image:
     registry: public.ecr.aws
-    repository: sumologic/falco
+    # repository: falcosecurity/falco-no-driver
     # pullSecrets: []
 
+  ## Add kernel-devel package through MachineConfig, required to enable building of missing falco modules (only for OpenShift)
+  addKernelDevel: true
+
+  extra:
+    initContainers:
+      ## Add initContainer to wait until kernel-devel is installed on host
+      - name: init-falco
+        image: public.ecr.aws/docker/library/busybox
+        command:
+          - 'sh'
+          - '-c'
+          - |
+            while [ -f /host/etc/redhat-release ] && [ -z "$(ls /host/usr/src/kernels)" ] ; do
+              echo "waiting for kernel headers to be installed"
+              sleep 3
+            done
+        volumeMounts:
+          - mountPath: /host/usr
+            name: usr-fs
+            readOnly: true
+          - mountPath: /host/etc
+            name: etc-fs
+            readOnly: true
+
+  driver:
   ## Enable eBPF support for Falco instead of falco-probe kernel module.
-  ## Set to true for GKE, for details see:
   ## https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/main/docs/troubleshoot-collection.md#falco-and-google-kubernetes-engine-gke
-  # ebpf:
-  #   enabled: true
+    # kind: ebpf
+    loader:
+      initContainer:
+        image:
+          registry: public.ecr.aws
+          # repository: falcosecurity/falco-driver-loader
   falco:
     load_plugins:
       - json
From b95029b21be1b55b5b11a85a14eab2813d0f4b33 Mon Sep 17 00:00:00 2001
From: Dominik Rosiek
Date: Wed, 30 Nov 2022 11:18:09 +0100
Subject: [PATCH 5/5] docs: update
Signed-off-by: Dominik Rosiek
---
 docs/best-practices.md | 6 ++----
 docs/troubleshoot-collection.md | 4 ++--
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/docs/best-practices.md b/docs/best-practices.md
index 179bd448ed..0383e259bc 100644
--- a/docs/best-practices.md
+++ b/docs/best-practices.md
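Review bot: The re-added init container under `extra.initContainers` pulls `public.ecr.aws/docker/library/busybox` with no tag or digest, so every node resolves whatever `latest` is at pull time; for a container that mounts the host's `/usr` and `/etc` the reference should be pinned, e.g. `image: public.ecr.aws/docker/library/busybox:<PINNED_TAG>@sha256:<DIGEST>` (placeholders to be filled in). The `usr-fs` and `etc-fs` volumes the mounts refer to are not defined in this hunk, so they presumably come from the Falco chart's own pod spec — worth confirming the 2.4.2 chart still creates volumes with those names, otherwise the pod fails admission. Commenting out `image.repository` means the chart's default repository is now combined with `registry: public.ecr.aws`; a comment stating the resulting effective image (the commented hint suggests `falcosecurity/falco-no-driver`) would make the change explicit for operators who mirror images. The `## Enable eBPF support` comment is left at the `falco:` indent between `driver:` and `# kind: ebpf`; indenting it with the `driver` block would keep the comment attached to the key it describes.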
@@ -861,11 +861,9 @@ Available log levels can be found in Falco's documentation here: https://falco.o
 falco:
   ## Set the enabled flag to false to disable falco.
   enabled: true
-  #ebpf:
-  #  enabled: true
   falco:
-    jsonOutput: true
-    loglevel: debug
+    json_output: true
+    log_level: debug
 ```
 
 ## Overriding metadata using annotations
diff --git a/docs/troubleshoot-collection.md b/docs/troubleshoot-collection.md
index 959bacb1fd..53bc243bad 100644
--- a/docs/troubleshoot-collection.md
+++ b/docs/troubleshoot-collection.md
@@ -463,8 +463,8 @@ For more information see [Falco documentation](https://falco.org/docs/getting-st
 To install on `GKE`, use the provided override file to customize your configuration and uncomment the following lines in the `values.yaml` file referenced below:
 
 ```
-  #ebpf:
-  #  enabled: true
+  #driver:
+  #  kind: ebpf
 ```
 
 ### Falco and OpenShift