feat(upgrade_to_v3): add migration of defaults for falco helm chart upgrade
Signed-off-by: Dominik Rosiek <drosiek@sumologic.com>
1 parent
556e8ae
commit 43901e9
Showing
7 changed files
with
340 additions
and
0 deletions.
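--- /dev/null
+++ b/src/go/cmd/update-collection-v3/migrations/falco-upgrade/migrate.go
@@ -0,0 +1,76 @@
+package falcoupgrade
+
+import (
+	"bytes"
+	"fmt"
+
+	"gopkg.in/yaml.v3"
+)
+
+func Migrate(input string) (string, error) {
+	values, err := parseValues(input)
+	if err != nil {
+		return "", fmt.Errorf("error parsing input yaml: %v", err)
+	}
+
+	if values.Falco.Enabled != nil {
+		fmt.Println(`WARNING! Found that falco configuration is/was enabled. Performing automatic migration of default keys.
+Please confirm that migrated configuration is correct according to Falco helm chart: https://github.com/falcosecurity/charts/tree/falco-2.4.2/falco`)
+
+		if values.Falco.AddKernelDevel != nil {
+			fmt.Println("Removing falco.falco.addKernelDevel")
+			values.Falco.AddKernelDevel = nil
+		}
+
+		if values.Falco.ExtraInitContainers != nil {
+			fmt.Println("Removing falco.falco.extraInitContainers")
+			values.Falco.ExtraInitContainers = nil
+		}
+
+		if values.Falco.Falco.JsonOutputOld != nil {
+			fmt.Println("Renaming falco.falco.jsonOutput to falco.falco.json_output")
+			if values.Falco.Falco.JsonOutputNew != nil {
+				fmt.Println(`WARNING! falco.falco.json_output already set. Please migrate falco.falco.jsonOutput manually`)
+			} else {
+				values.Falco.Falco.JsonOutputNew = values.Falco.Falco.JsonOutputOld
+				values.Falco.Falco.JsonOutputOld = nil
+			}
+		}
+
+		if values.Falco.Falco.RulesFileOld != nil {
+			fmt.Println("Renaming falco.falco.rulesFile to falco.falco.rules_file")
+			if values.Falco.Falco.RulesFileNew != nil {
+				fmt.Println(`WARNING! falco.falco.rules_file already set. Please migrate falco.falco.rulesFile manually`)
+			} else {
+				values.Falco.Falco.RulesFileNew = values.Falco.Falco.RulesFileOld
+				values.Falco.Falco.RulesFileOld = nil
+			}
+		}
+
+		ebpf := "ebpf"
+		if values.Falco.Ebpf != nil && values.Falco.Ebpf.Enabled != nil && *values.Falco.Ebpf.Enabled {
+			fmt.Println("Setting falco.driver.kind to `ebpf` as `falco.ebpf.enabled` is set to `true`")
+			values.Falco.Driver = &struct {
+				Kind *string "yaml:\"kind,omitempty\""
+			}{Kind: &ebpf}
+
+			if len(values.Falco.Ebpf.Rest) == 0 {
+				values.Falco.Ebpf = nil
+			} else {
+				values.Falco.Ebpf.Enabled = nil
+			}
+		}
+	}
+
+	buffer := bytes.Buffer{}
+	encoder := yaml.NewEncoder(&buffer)
+	encoder.SetIndent(2)
+	err = encoder.Encode(values)
+	return buffer.String(), err
+}
+
+func parseValues(input string) (Values, error) {
+	var v Values
+	err := yaml.Unmarshal([]byte(input), &v)
+	return v, err
+}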
83 changes: 83 additions & 0 deletions
83
.../update-collection-v3/migrations/falco-upgrade/testdata/default-with-additions.input.yaml
@@ -0,0 +1,83 @@ | ||
## Configure Falco | ||
## Please note that Falco is embedded in this Helm Chart for user convenience only - Sumo Logic does not provide production support for it | ||
## This is an experimental configuration and shouldn't be used in production environment | ||
## https://github.com/falcosecurity/charts/tree/master/falco | ||
falco: | ||
a: b | ||
enabled: false | ||
image: | ||
c: d | ||
registry: public.ecr.aws | ||
repository: sumologic/falco | ||
# pullSecrets: [] | ||
|
||
## Add kernel-devel package through MachineConfig, required to enable building of missing falco modules (only for OpenShift) | ||
addKernelDevel: true | ||
## Add initContainers to Falco pod | ||
extraInitContainers: | ||
## Add initContainer to wait until kernel-devel is installed on host | ||
- name: init-falco | ||
image: public.ecr.aws/docker/library/busybox | ||
command: | ||
- 'sh' | ||
- '-c' | ||
- | | ||
while [ -f /host/etc/redhat-release ] && [ -z "$(ls /host/usr/src/kernels)" ] ; do | ||
echo "waiting for kernel headers to be installed" | ||
sleep 3 | ||
done | ||
volumeMounts: | ||
- mountPath: /host/usr | ||
name: usr-fs | ||
readOnly: true | ||
- mountPath: /host/etc | ||
name: etc-fs | ||
readOnly: true | ||
## Enable eBPF support for Falco instead of falco-probe kernel module. | ||
## Set to true for GKE, for details see: | ||
## https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/main/docs/troubleshoot-collection.md#falco-and-google-kubernetes-engine-gke | ||
# ebpf: | ||
# enabled: true | ||
falco: | ||
e: f | ||
jsonOutput: true | ||
## The location of the rules file(s). This can contain one or more paths to | ||
## separate rules files. | ||
## Explicitly add missing /etc/falco/rules.available/application_rules.yaml | ||
## before https://github.com/falcosecurity/charts/issues/230 gets resolved. | ||
rulesFile: | ||
- /etc/falco/falco_rules.yaml | ||
- /etc/falco/falco_rules.local.yaml | ||
- /etc/falco/k8s_audit_rules.yaml | ||
- /etc/falco/rules.d | ||
- /etc/falco/rules.available/application_rules.yaml | ||
|
||
customRules: | ||
## Mark the following as known k8s api callers: | ||
## * fluentd and its plugins from sumologic/kubernetes-fluentd image | ||
## * prometheus | ||
## * prometheus operator | ||
## * telegraf operator | ||
## * grafana sidecar | ||
rules_user_known_k8s_api_callers.yaml: |- | ||
- macro: user_known_contact_k8s_api_server_activities | ||
condition: > | ||
(container.image.repository = "sumologic/kubernetes-fluentd") or | ||
(container.image.repository = "quay.io/prometheus/prometheus") or | ||
(container.image.repository = "quay.io/coreos/prometheus-operator") or | ||
(container.image.repository = "quay.io/influxdb/telegraf-operator") or | ||
(container.image.repository = "kiwigrid/k8s-sidecar") | ||
rules_user_sensitive_mount_containers.yaml: |- | ||
- macro: user_sensitive_mount_containers | ||
condition: > | ||
(container.image.repository = "falcosecurity/falco") or | ||
(container.image.repository = "quay.io/prometheus/node-exporter") | ||
## NOTE: kube-proxy not exact matching because of regional ecr e.g. | ||
## 602401143452.dkr.ecr.us-west-1.amazonaws.com/eks/kube-proxy | ||
rules_user_privileged_containers.yaml: |- | ||
- macro: user_privileged_containers | ||
condition: > | ||
(container.image.repository endswith ".amazonaws.com/eks/kube-proxy") | ||
ebpf: | ||
g: h | ||
enabled: true |
38 changes: 38 additions & 0 deletions
38
...update-collection-v3/migrations/falco-upgrade/testdata/default-with-additions.output.yaml
@@ -0,0 +1,38 @@ | ||
falco: | ||
falco: | ||
json_output: true | ||
rules_file: | ||
- /etc/falco/falco_rules.yaml | ||
- /etc/falco/falco_rules.local.yaml | ||
- /etc/falco/k8s_audit_rules.yaml | ||
- /etc/falco/rules.d | ||
- /etc/falco/rules.available/application_rules.yaml | ||
e: f | ||
enabled: false | ||
ebpf: | ||
g: h | ||
driver: | ||
kind: ebpf | ||
a: b | ||
customRules: | ||
rules_user_known_k8s_api_callers.yaml: |- | ||
- macro: user_known_contact_k8s_api_server_activities | ||
condition: > | ||
(container.image.repository = "sumologic/kubernetes-fluentd") or | ||
(container.image.repository = "quay.io/prometheus/prometheus") or | ||
(container.image.repository = "quay.io/coreos/prometheus-operator") or | ||
(container.image.repository = "quay.io/influxdb/telegraf-operator") or | ||
(container.image.repository = "kiwigrid/k8s-sidecar") | ||
rules_user_privileged_containers.yaml: |- | ||
- macro: user_privileged_containers | ||
condition: > | ||
(container.image.repository endswith ".amazonaws.com/eks/kube-proxy") | ||
rules_user_sensitive_mount_containers.yaml: |- | ||
- macro: user_sensitive_mount_containers | ||
condition: > | ||
(container.image.repository = "falcosecurity/falco") or | ||
(container.image.repository = "quay.io/prometheus/node-exporter") | ||
image: | ||
c: d | ||
registry: public.ecr.aws | ||
repository: sumologic/falco |
79 changes: 79 additions & 0 deletions
79
src/go/cmd/update-collection-v3/migrations/falco-upgrade/testdata/default.input.yaml
@@ -0,0 +1,79 @@ | ||
## Configure Falco | ||
## Please note that Falco is embedded in this Helm Chart for user convenience only - Sumo Logic does not provide production support for it | ||
## This is an experimental configuration and shouldn't be used in production environment | ||
## https://github.com/falcosecurity/charts/tree/master/falco | ||
falco: | ||
enabled: false | ||
image: | ||
registry: public.ecr.aws | ||
repository: sumologic/falco | ||
# pullSecrets: [] | ||
|
||
## Add kernel-devel package through MachineConfig, required to enable building of missing falco modules (only for OpenShift) | ||
addKernelDevel: true | ||
## Add initContainers to Falco pod | ||
extraInitContainers: | ||
## Add initContainer to wait until kernel-devel is installed on host | ||
- name: init-falco | ||
image: public.ecr.aws/docker/library/busybox | ||
command: | ||
- 'sh' | ||
- '-c' | ||
- | | ||
while [ -f /host/etc/redhat-release ] && [ -z "$(ls /host/usr/src/kernels)" ] ; do | ||
echo "waiting for kernel headers to be installed" | ||
sleep 3 | ||
done | ||
volumeMounts: | ||
- mountPath: /host/usr | ||
name: usr-fs | ||
readOnly: true | ||
- mountPath: /host/etc | ||
name: etc-fs | ||
readOnly: true | ||
## Enable eBPF support for Falco instead of falco-probe kernel module. | ||
## Set to true for GKE, for details see: | ||
## https://github.com/SumoLogic/sumologic-kubernetes-collection/blob/main/docs/troubleshoot-collection.md#falco-and-google-kubernetes-engine-gke | ||
# ebpf: | ||
# enabled: true | ||
falco: | ||
jsonOutput: true | ||
## The location of the rules file(s). This can contain one or more paths to | ||
## separate rules files. | ||
## Explicitly add missing /etc/falco/rules.available/application_rules.yaml | ||
## before https://github.com/falcosecurity/charts/issues/230 gets resolved. | ||
rulesFile: | ||
- /etc/falco/falco_rules.yaml | ||
- /etc/falco/falco_rules.local.yaml | ||
- /etc/falco/k8s_audit_rules.yaml | ||
- /etc/falco/rules.d | ||
- /etc/falco/rules.available/application_rules.yaml | ||
|
||
customRules: | ||
## Mark the following as known k8s api callers: | ||
## * fluentd and its plugins from sumologic/kubernetes-fluentd image | ||
## * prometheus | ||
## * prometheus operator | ||
## * telegraf operator | ||
## * grafana sidecar | ||
rules_user_known_k8s_api_callers.yaml: |- | ||
- macro: user_known_contact_k8s_api_server_activities | ||
condition: > | ||
(container.image.repository = "sumologic/kubernetes-fluentd") or | ||
(container.image.repository = "quay.io/prometheus/prometheus") or | ||
(container.image.repository = "quay.io/coreos/prometheus-operator") or | ||
(container.image.repository = "quay.io/influxdb/telegraf-operator") or | ||
(container.image.repository = "kiwigrid/k8s-sidecar") | ||
rules_user_sensitive_mount_containers.yaml: |- | ||
- macro: user_sensitive_mount_containers | ||
condition: > | ||
(container.image.repository = "falcosecurity/falco") or | ||
(container.image.repository = "quay.io/prometheus/node-exporter") | ||
## NOTE: kube-proxy not exact matching because of regional ecr e.g. | ||
## 602401143452.dkr.ecr.us-west-1.amazonaws.com/eks/kube-proxy | ||
rules_user_privileged_containers.yaml: |- | ||
- macro: user_privileged_containers | ||
condition: > | ||
(container.image.repository endswith ".amazonaws.com/eks/kube-proxy") | ||
ebpf: | ||
enabled: true |
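Review bot: Both fixtures set `enabled: false` explicitly, so they only pin the case where the mere presence of `falco.enabled` switches the migration on; there is no fixture with `enabled` absent but the deprecated keys (`addKernelDevel`, `extraInitContainers`, `rulesFile`, `ebpf`) present, which per migrate.go is the path where they are left untouched. A `default-no-enabled.input.yaml`/`.output.yaml` pair would document whether that pass-through is intended, and a fixture with a pre-existing `falco.driver` block would show what the eBPF rewrite does to it. The existing `enabled: false` fixture deserves a one-line comment such as `# enabled is deliberately false: migration is keyed on the key being present, not true` so the next reader does not take it for a mistake.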
33 changes: 33 additions & 0 deletions
33
src/go/cmd/update-collection-v3/migrations/falco-upgrade/testdata/default.output.yaml
@@ -0,0 +1,33 @@ | ||
falco: | ||
falco: | ||
json_output: true | ||
rules_file: | ||
- /etc/falco/falco_rules.yaml | ||
- /etc/falco/falco_rules.local.yaml | ||
- /etc/falco/k8s_audit_rules.yaml | ||
- /etc/falco/rules.d | ||
- /etc/falco/rules.available/application_rules.yaml | ||
enabled: false | ||
driver: | ||
kind: ebpf | ||
customRules: | ||
rules_user_known_k8s_api_callers.yaml: |- | ||
- macro: user_known_contact_k8s_api_server_activities | ||
condition: > | ||
(container.image.repository = "sumologic/kubernetes-fluentd") or | ||
(container.image.repository = "quay.io/prometheus/prometheus") or | ||
(container.image.repository = "quay.io/coreos/prometheus-operator") or | ||
(container.image.repository = "quay.io/influxdb/telegraf-operator") or | ||
(container.image.repository = "kiwigrid/k8s-sidecar") | ||
rules_user_privileged_containers.yaml: |- | ||
- macro: user_privileged_containers | ||
condition: > | ||
(container.image.repository endswith ".amazonaws.com/eks/kube-proxy") | ||
rules_user_sensitive_mount_containers.yaml: |- | ||
- macro: user_sensitive_mount_containers | ||
condition: > | ||
(container.image.repository = "falcosecurity/falco") or | ||
(container.image.repository = "quay.io/prometheus/node-exporter") | ||
image: | ||
registry: public.ecr.aws | ||
repository: sumologic/falco |
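--- /dev/null
+++ b/src/go/cmd/update-collection-v3/migrations/falco-upgrade/values.go
@@ -0,0 +1,26 @@
+package falcoupgrade
+
+type Values struct {
+	Falco struct {
+		Falco struct {
+			JsonOutputOld *bool `yaml:"jsonOutput,omitempty"`
+			JsonOutputNew *bool `yaml:"json_output,omitempty"`
+			RulesFileOld *[]interface{} `yaml:"rulesFile,omitempty"`
+			RulesFileNew *[]interface{} `yaml:"rules_file,omitempty"`
+			LoadPlugins *[]string `yaml:"load_plugins,omitempty"`
+			Rest map[string]interface{} `yaml:",inline"`
+		} `yaml:"falco,omitempty"`
+		Enabled *bool `yaml:"enabled,omitempty"`
+		AddKernelDevel *bool `yaml:"addKernelDevel,omitempty"`
+		ExtraInitContainers *[]interface{} `yaml:"extraInitContainers,omitempty"`
+		Ebpf *struct {
+			Enabled *bool `yaml:"enabled,omitempty"`
+			Rest map[string]interface{} `yaml:",inline"`
+		} `yaml:"ebpf,omitempty"`
+		Driver *struct {
+			Kind *string `yaml:"kind,omitempty"`
+		} `yaml:"driver,omitempty"`
+		Rest map[string]interface{} `yaml:",inline"`
+	} `yaml:"falco,omitempty"`
+	Rest map[string]interface{} `yaml:",inline"`
+}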
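Review bot: The `Driver` struct is the only nested struct here without an inline `Rest` map, so every `falco.driver.*` key other than `kind` in the user's values is dropped by the parse/encode round trip that Migrate always performs, whether or not the eBPF branch runs — a silent loss of driver settings during an upgrade. Adding `Rest map[string]interface{} \`yaml:",inline"\`` next to `Kind` preserves them; the anonymous struct literal in migrate.go that assigns `Driver` would then have to match the new shape, which is a reason to declare a named `Driver` type once instead of repeating the tag string in two places. `LoadPlugins` is declared but not touched by migrate.go, and since the inline `Rest` map would carry it through anyway, a short comment stating why it gets an explicitly typed field would save the next reader from wondering whether a migration step for it is missing. A doc comment on `Values` itself, e.g. `// Values is the subset of the collection Helm values that the Falco chart upgrade rewrites; unknown keys are kept in the inline Rest maps.`, would also help.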