feat(upgrade_to_v3): add migration of defaults for falco helm chart u…

…pgrade

Signed-off-by: Dominik Rosiek <drosiek@sumologic.com>

src/go/cmd/update-collection-v3/main.go

@@ -11,6 +11,7 @@ import (
 	disablethanos "github.com/SumoLogic/sumologic-kubernetes-collection/tools/cmd/update-collection-v3/migrations/disable-thanos"
 	"github.com/SumoLogic/sumologic-kubernetes-collection/tools/cmd/update-collection-v3/migrations/events"
 	eventsconfigmerge "github.com/SumoLogic/sumologic-kubernetes-collection/tools/cmd/update-collection-v3/migrations/events-config-merge"
+	falcoupgrade "github.com/SumoLogic/sumologic-kubernetes-collection/tools/cmd/update-collection-v3/migrations/falco-upgrade"
 	kubestatemetricscollectors "github.com/SumoLogic/sumologic-kubernetes-collection/tools/cmd/update-collection-v3/migrations/kube-state-metrics-collectors"
 	"github.com/SumoLogic/sumologic-kubernetes-collection/tools/cmd/update-collection-v3/migrations/logsmetadataconfig"
 	metricsmetadataconfig "github.com/SumoLogic/sumologic-kubernetes-collection/tools/cmd/update-collection-v3/migrations/metrics-metadata-config"
@@ -85,6 +86,10 @@ var migrations = []Migration{
 		directory: "tracing-replaces",
 		action:    tracingreplaces.Migrate,
 	},
+	{
+		directory: "falco-upgrade",
+		action:    falcoupgrade.Migrate,
+	},
 	{
 		directory: "events-config-merge",
 		action:    eventsconfigmerge.Migrate,

src/go/cmd/update-collection-v3/migrations/falco-upgrade/migrate.go

@@ -0,0 +1,76 @@
+package falcoupgrade
+
+import (
+	"bytes"
+	"fmt"
+
+	"gopkg.in/yaml.v3"
+)
+
+func Migrate(input string) (string, error) {
+	values, err := parseValues(input)
+	if err != nil {
+		return "", fmt.Errorf("error parsing input yaml: %v", err)
+	}
+
+	if values.Falco.Enabled != nil {
+		fmt.Println(`WARNING! Found that falco configuration is/was enabled. Performing automatic migration of default keys.
+Please confirm that migrated configuration is correct according to Falco helm chart: https://github.com/falcosecurity/charts/tree/falco-2.4.2/falco`)
+
+		if values.Falco.AddKernelDevel != nil {
+			fmt.Println("Removing falco.falco.addKernelDevel")
+			values.Falco.AddKernelDevel = nil
+		}
+
+		if values.Falco.ExtraInitContainers != nil {
+			fmt.Println("Removing falco.falco.extraInitContainers")
+			values.Falco.ExtraInitContainers = nil
+		}
+
+		if values.Falco.Falco.JsonOutputOld != nil {
+			fmt.Println("Renaming falco.falco.jsonOutput to falco.falco.json_output")
+			if values.Falco.Falco.JsonOutputNew != nil {
+				fmt.Println(`WARNING! falco.falco.json_output already set. Please migrate falco.falco.jsonOutput manually`)
+			} else {
+				values.Falco.Falco.JsonOutputNew = values.Falco.Falco.JsonOutputOld
+				values.Falco.Falco.JsonOutputOld = nil
+			}
+		}
+
+		if values.Falco.Falco.RulesFileOld != nil {
+			fmt.Println("Renaming falco.falco.rulesFile to falco.falco.rules_file")
+			if values.Falco.Falco.RulesFileNew != nil {
+				fmt.Println(`WARNING! falco.falco.rules_file already set. Please migrate falco.falco.rulesFile manually`)
+			} else {
+				values.Falco.Falco.RulesFileNew = values.Falco.Falco.RulesFileOld
+				values.Falco.Falco.RulesFileOld = nil
+			}
+		}
+
+		ebpf := "ebpf"
+		if values.Falco.Ebpf != nil && values.Falco.Ebpf.Enabled != nil && *values.Falco.Ebpf.Enabled {
+			fmt.Println("Setting falco.driver.kind to `ebpf` as `falco.ebpf.enabled` is set to `true`")
+			values.Falco.Driver = &struct {
+				Kind *string "yaml:\"kind,omitempty\""
+			}{Kind: &ebpf}
+
+			if len(values.Falco.Ebpf.Rest) == 0 {
+				values.Falco.Ebpf = nil
+			} else {
+				values.Falco.Ebpf.Enabled = nil
+			}
+		}
+	}
+
+	buffer := bytes.Buffer{}
+	encoder := yaml.NewEncoder(&buffer)
+	encoder.SetIndent(2)
+	err = encoder.Encode(values)
+	return buffer.String(), err
+}
+
+func parseValues(input string) (Values, error) {
+	var v Values
+	err := yaml.Unmarshal([]byte(input), &v)
+	return v, err
+}

src/go/cmd/update-collection-v3/migrations/falco-upgrade/testdata/default-with-additions.input.yaml

@@ -0,0 +1,83 @@
+## Configure Falco
+## Please note that Falco is embedded in this Helm Chart for user convenience only - Sumo Logic does not provide production support for it
+## This is an experimental configuration and shouldn't be used in production environment
+## https://github.com/falcosecurity/charts/tree/master/falco
+falco:
+  a: b
+  enabled: false
+  image:
+    c: d
+    registry: public.ecr.aws
+    repository: sumologic/falco
+    # pullSecrets: []
+
+  ## Add kernel-devel package through MachineConfig, required to enable building of missing falco modules (only for OpenShift)
+  addKernelDevel: true
+  ## Add initContainers to Falco pod
+  extraInitContainers:
+    ## Add initContainer to wait until kernel-devel is installed on host
+    - name: init-falco
+      image: public.ecr.aws/docker/library/busybox
+      command:
+        - 'sh'
+        - '-c'
+        - |
+          while [ -f /host/etc/redhat-release ] && [ -z "$(ls /host/usr/src/kernels)" ] ; do
+          echo "waiting for kernel headers to be installed"
+          sleep 3
+          done
+      volumeMounts:
+        - mountPath: /host/usr
+          name: usr-fs
+          readOnly: true
+        - mountPath: /host/etc
+          name: etc-fs
+          readOnly: true
+  ## Enable eBPF support for Falco instead of falco-probe kernel module.
+  ## Set to true for GKE, for details see:
+  ## https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/main/docs/troubleshoot-collection.md#falco-and-google-kubernetes-engine-gke
+  # ebpf:
+  #   enabled: true
+  falco:
+    e: f
+    jsonOutput: true
+    ## The location of the rules file(s). This can contain one or more paths to
+    ## separate rules files.
+    ## Explicitly add missing /etc/falco/rules.available/application_rules.yaml
+    ## before https://github.com/falcosecurity/charts/issues/230 gets resolved.
+    rulesFile:
+      - /etc/falco/falco_rules.yaml
+      - /etc/falco/falco_rules.local.yaml
+      - /etc/falco/k8s_audit_rules.yaml
+      - /etc/falco/rules.d
+      - /etc/falco/rules.available/application_rules.yaml
+
+  customRules:
+    ## Mark the following as known k8s api callers:
+    ## * fluentd and its plugins from sumologic/kubernetes-fluentd image
+    ## * prometheus
+    ## * prometheus operator
+    ## * telegraf operator
+    ## * grafana sidecar
+    rules_user_known_k8s_api_callers.yaml: |-
+      - macro: user_known_contact_k8s_api_server_activities
+        condition: >
+          (container.image.repository = "sumologic/kubernetes-fluentd") or
+          (container.image.repository = "quay.io/prometheus/prometheus") or
+          (container.image.repository = "quay.io/coreos/prometheus-operator") or
+          (container.image.repository = "quay.io/influxdb/telegraf-operator") or
+          (container.image.repository = "kiwigrid/k8s-sidecar")
+    rules_user_sensitive_mount_containers.yaml: |-
+      - macro: user_sensitive_mount_containers
+        condition: >
+          (container.image.repository = "falcosecurity/falco") or
+          (container.image.repository = "quay.io/prometheus/node-exporter")
+    ## NOTE: kube-proxy not exact matching because of regional ecr e.g.
+    ## 602401143452.dkr.ecr.us-west-1.amazonaws.com/eks/kube-proxy
+    rules_user_privileged_containers.yaml: |-
+      - macro: user_privileged_containers
+        condition: >
+          (container.image.repository endswith ".amazonaws.com/eks/kube-proxy")
+  ebpf:
+    g: h
+    enabled: true

src/go/cmd/update-collection-v3/migrations/falco-upgrade/testdata/default-with-additions.output.yaml

@@ -0,0 +1,38 @@
+falco:
+  falco:
+    json_output: true
+    rules_file:
+      - /etc/falco/falco_rules.yaml
+      - /etc/falco/falco_rules.local.yaml
+      - /etc/falco/k8s_audit_rules.yaml
+      - /etc/falco/rules.d
+      - /etc/falco/rules.available/application_rules.yaml
+    e: f
+  enabled: false
+  ebpf:
+    g: h
+  driver:
+    kind: ebpf
+  a: b
+  customRules:
+    rules_user_known_k8s_api_callers.yaml: |-
+      - macro: user_known_contact_k8s_api_server_activities
+        condition: >
+          (container.image.repository = "sumologic/kubernetes-fluentd") or
+          (container.image.repository = "quay.io/prometheus/prometheus") or
+          (container.image.repository = "quay.io/coreos/prometheus-operator") or
+          (container.image.repository = "quay.io/influxdb/telegraf-operator") or
+          (container.image.repository = "kiwigrid/k8s-sidecar")
+    rules_user_privileged_containers.yaml: |-
+      - macro: user_privileged_containers
+        condition: >
+          (container.image.repository endswith ".amazonaws.com/eks/kube-proxy")
+    rules_user_sensitive_mount_containers.yaml: |-
+      - macro: user_sensitive_mount_containers
+        condition: >
+          (container.image.repository = "falcosecurity/falco") or
+          (container.image.repository = "quay.io/prometheus/node-exporter")
+  image:
+    c: d
+    registry: public.ecr.aws
+    repository: sumologic/falco

src/go/cmd/update-collection-v3/migrations/falco-upgrade/testdata/default.input.yaml

@@ -0,0 +1,79 @@
+## Configure Falco
+## Please note that Falco is embedded in this Helm Chart for user convenience only - Sumo Logic does not provide production support for it
+## This is an experimental configuration and shouldn't be used in production environment
+## https://github.com/falcosecurity/charts/tree/master/falco
+falco:
+  enabled: false
+  image:
+    registry: public.ecr.aws
+    repository: sumologic/falco
+    # pullSecrets: []
+
+  ## Add kernel-devel package through MachineConfig, required to enable building of missing falco modules (only for OpenShift)
+  addKernelDevel: true
+  ## Add initContainers to Falco pod
+  extraInitContainers:
+    ## Add initContainer to wait until kernel-devel is installed on host
+    - name: init-falco
+      image: public.ecr.aws/docker/library/busybox
+      command:
+        - 'sh'
+        - '-c'
+        - |
+          while [ -f /host/etc/redhat-release ] && [ -z "$(ls /host/usr/src/kernels)" ] ; do
+          echo "waiting for kernel headers to be installed"
+          sleep 3
+          done
+      volumeMounts:
+        - mountPath: /host/usr
+          name: usr-fs
+          readOnly: true
+        - mountPath: /host/etc
+          name: etc-fs
+          readOnly: true
+  ## Enable eBPF support for Falco instead of falco-probe kernel module.
+  ## Set to true for GKE, for details see:
+  ## https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/main/docs/troubleshoot-collection.md#falco-and-google-kubernetes-engine-gke
+  # ebpf:
+  #   enabled: true
+  falco:
+    jsonOutput: true
+    ## The location of the rules file(s). This can contain one or more paths to
+    ## separate rules files.
+    ## Explicitly add missing /etc/falco/rules.available/application_rules.yaml
+    ## before https://github.com/falcosecurity/charts/issues/230 gets resolved.
+    rulesFile:
+      - /etc/falco/falco_rules.yaml
+      - /etc/falco/falco_rules.local.yaml
+      - /etc/falco/k8s_audit_rules.yaml
+      - /etc/falco/rules.d
+      - /etc/falco/rules.available/application_rules.yaml
+
+  customRules:
+    ## Mark the following as known k8s api callers:
+    ## * fluentd and its plugins from sumologic/kubernetes-fluentd image
+    ## * prometheus
+    ## * prometheus operator
+    ## * telegraf operator
+    ## * grafana sidecar
+    rules_user_known_k8s_api_callers.yaml: |-
+      - macro: user_known_contact_k8s_api_server_activities
+        condition: >
+          (container.image.repository = "sumologic/kubernetes-fluentd") or
+          (container.image.repository = "quay.io/prometheus/prometheus") or
+          (container.image.repository = "quay.io/coreos/prometheus-operator") or
+          (container.image.repository = "quay.io/influxdb/telegraf-operator") or
+          (container.image.repository = "kiwigrid/k8s-sidecar")
+    rules_user_sensitive_mount_containers.yaml: |-
+      - macro: user_sensitive_mount_containers
+        condition: >
+          (container.image.repository = "falcosecurity/falco") or
+          (container.image.repository = "quay.io/prometheus/node-exporter")
+    ## NOTE: kube-proxy not exact matching because of regional ecr e.g.
+    ## 602401143452.dkr.ecr.us-west-1.amazonaws.com/eks/kube-proxy
+    rules_user_privileged_containers.yaml: |-
+      - macro: user_privileged_containers
+        condition: >
+          (container.image.repository endswith ".amazonaws.com/eks/kube-proxy")
+  ebpf:
+    enabled: true

src/go/cmd/update-collection-v3/migrations/falco-upgrade/testdata/default.output.yaml

@@ -0,0 +1,33 @@
+falco:
+  falco:
+    json_output: true
+    rules_file:
+      - /etc/falco/falco_rules.yaml
+      - /etc/falco/falco_rules.local.yaml
+      - /etc/falco/k8s_audit_rules.yaml
+      - /etc/falco/rules.d
+      - /etc/falco/rules.available/application_rules.yaml
+  enabled: false
+  driver:
+    kind: ebpf
+  customRules:
+    rules_user_known_k8s_api_callers.yaml: |-
+      - macro: user_known_contact_k8s_api_server_activities
+        condition: >
+          (container.image.repository = "sumologic/kubernetes-fluentd") or
+          (container.image.repository = "quay.io/prometheus/prometheus") or
+          (container.image.repository = "quay.io/coreos/prometheus-operator") or
+          (container.image.repository = "quay.io/influxdb/telegraf-operator") or
+          (container.image.repository = "kiwigrid/k8s-sidecar")
+    rules_user_privileged_containers.yaml: |-
+      - macro: user_privileged_containers
+        condition: >
+          (container.image.repository endswith ".amazonaws.com/eks/kube-proxy")
+    rules_user_sensitive_mount_containers.yaml: |-
+      - macro: user_sensitive_mount_containers
+        condition: >
+          (container.image.repository = "falcosecurity/falco") or
+          (container.image.repository = "quay.io/prometheus/node-exporter")
+  image:
+    registry: public.ecr.aws
+    repository: sumologic/falco

src/go/cmd/update-collection-v3/migrations/falco-upgrade/values.go

@@ -0,0 +1,26 @@
+package falcoupgrade
+
+type Values struct {
+	Falco struct {
+		Falco struct {
+			JsonOutputOld *bool                  `yaml:"jsonOutput,omitempty"`
+			JsonOutputNew *bool                  `yaml:"json_output,omitempty"`
+			RulesFileOld  *[]interface{}         `yaml:"rulesFile,omitempty"`
+			RulesFileNew  *[]interface{}         `yaml:"rules_file,omitempty"`
+			LoadPlugins   *[]string              `yaml:"load_plugins,omitempty"`
+			Rest          map[string]interface{} `yaml:",inline"`
+		} `yaml:"falco,omitempty"`
+		Enabled             *bool          `yaml:"enabled,omitempty"`
+		AddKernelDevel      *bool          `yaml:"addKernelDevel,omitempty"`
+		ExtraInitContainers *[]interface{} `yaml:"extraInitContainers,omitempty"`
+		Ebpf                *struct {
+			Enabled *bool                  `yaml:"enabled,omitempty"`
+			Rest    map[string]interface{} `yaml:",inline"`
+		} `yaml:"ebpf,omitempty"`
+		Driver *struct {
+			Kind *string `yaml:"kind,omitempty"`
+		} `yaml:"driver,omitempty"`
+		Rest map[string]interface{} `yaml:",inline"`
+	} `yaml:"falco,omitempty"`
+	Rest map[string]interface{} `yaml:",inline"`
+}