update(falco/driver)!: use the same names for drivers as falco

Please see: falcosecurity/falco#2413. Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>
alacuku · Jan 11, 2024 · 35be618 · 35be618
1 parent 131fcca
commit 35be618
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 201 deletions.
diff --git a/charts/falco/templates/_helpers.tpl b/charts/falco/templates/_helpers.tpl
@@ -185,7 +185,7 @@ we just disable the sycall source.
 */}}
 {{- define "falco.configSyscallSource" -}}
 {{- $userspaceDisabled := true -}}
-{{- $gvisorDisabled := (not .Values.gvisor.enabled) -}}
+{{- $gvisorDisabled := (ne .Values.driver.kind  "gvisor") -}}
 {{- $driverDisabled :=  (not .Values.driver.enabled) -}}
 {{- if or (has "-u" .Values.extra.args) (has "--userspace" .Values.extra.args) -}}
 {{- $userspaceDisabled = false -}}
@@ -214,8 +214,8 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
       set -o nounset
       set -o pipefail
 
-      root={{ .Values.gvisor.runsc.root }}
-      config={{ .Values.gvisor.runsc.config }}
+      root={{ .Values.driver.gvisor.runsc.root }}
+      config={{ .Values.driver.gvisor.runsc.config }}
 
       echo "* Configuring Falco+gVisor integration...".
       # Check if gVisor is configured on the node.
@@ -240,12 +240,12 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
       echo "* Falco+gVisor correctly configured."
       exit 0
   volumeMounts:
-    - mountPath: /host{{ .Values.gvisor.runsc.path }}
+    - mountPath: /host{{ .Values.driver.gvisor.runsc.path }}
       name: runsc-path
       readOnly: true
-    - mountPath: /host{{ .Values.gvisor.runsc.root }}
+    - mountPath: /host{{ .Values.driver.gvisor.runsc.root }}
       name: runsc-root
-    - mountPath: /host{{ .Values.gvisor.runsc.config }}
+    - mountPath: /host{{ .Values.driver.gvisor.runsc.config }}
       name: runsc-config
     - mountPath: /gvisor-config
       name: falco-gvisor-config
@@ -370,4 +370,23 @@ be temporary and will stay here until we move this logic to the falcoctl tool.
 {{- $_ := set .Values.falcoctl.config.artifact.install "refs" ((append .Values.falcoctl.config.artifact.install.refs .Values.collectors.kubernetes.pluginRef) | uniq)}}
 {{- $_ = set .Values.falcoctl.config.artifact "allowedTypes" ((append .Values.falcoctl.config.artifact.allowedTypes "plugin") | uniq)}}
 {{- end -}}
+{{- end -}}
+
+{{- define "falco.engineConfiguration" -}}
+{{- if .Values.driver.enabled}}
+{{- if or (eq .Values.driver.kind "kmod") (eq .Values.driver.kind "module") -}}
+{{- $kmodConfig := dict "kind" "kmod" "kmod" (dict "buf_size_preset" .Values.driver.kmod.bufSizePreset "drop_failed_exit" .Values.driver.kmod.dropFailedExit) -}}
+{{- $_ := set .Values.falco "engine" $kmodConfig -}}
+{{- else if eq .Values.driver.kind "ebpf" -}}
+{{- $ebpfConfig := dict "kind" "ebpf" "ebpf" (dict "buf_size_preset" .Values.driver.ebpf.bufSizePreset "drop_failed_exit" .Values.driver.ebpf.dropFailedExit "probe" .Values.driver.ebpf.path) -}}
+{{- $_ := set .Values.falco "engine" $ebpfConfig -}}
+{{- else if or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf") -}}
+{{- $ebpfConfig := dict "kind" "modern_ebpf" "modern_ebpf" (dict "buf_size_preset" .Values.driver.modernEbpf.bufSizePreset "drop_failed_exit" .Values.driver.modernEbpf.dropFailedExit "cpus_for_each_buffer" .Values.driver.modernEbpf.cpusForEachBuffer) -}}
+{{- $_ := set .Values.falco "engine" $ebpfConfig -}}
+{{- else if eq .Values.driver.kind "gvisor" -}}
+{{- $root := printf "/host%s/k8s.io" .Values.driver.gvisor.runsc.root -}}
+{{- $gvisorConfig := dict "kind" "gvisor" "gvisor" (dict "config" "/gvisor/config/pod-init.json" "root" $root) -}}
+{{- $_ := set .Values.falco "engine" $gvisorConfig -}}
+{{- end -}}
+{{- end -}}
 {{- end -}}
diff --git a/charts/falco/templates/configmap.yaml b/charts/falco/templates/configmap.yaml
@@ -9,4 +9,5 @@ data:
   falco.yaml: |-
     {{- include "falco.falcosidekickConfig" . }}
     {{- include "k8smeta.configuration" . -}}
+    {{- include "falco.engineConfiguration" . -}}
     {{- toYaml .Values.falco | nindent 4 }}
diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl
@@ -45,7 +45,7 @@ spec:
   imagePullSecrets: 
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- if .Values.gvisor.enabled }}
+  {{- if eq .Values.driver.kind "gvisor" }}
   hostNetwork: true
   hostPID: true
   {{- end }}
@@ -59,15 +59,6 @@ spec:
         {{- include "falco.securityContext" . | nindent 8 }}
       args:
         - /usr/bin/falco
-        {{- if and .Values.driver.enabled (eq .Values.driver.kind "modern-bpf") }}
-        - --modern-bpf
-        {{- end }}
-        {{- if .Values.gvisor.enabled }}
-        - --gvisor-config
-        - /gvisor-config/pod-init.json
-        - --gvisor-root
-        - /host{{ .Values.gvisor.runsc.root }}/k8s.io
-        {{- end }}
         {{- include "falco.configSyscallSource" . | indent 8 }}
         {{- with .Values.collectors }}
         {{- if .enabled }}
@@ -151,7 +142,7 @@ spec:
           name: etc-fs
           readOnly: true
         {{- end }}
-        {{- if and .Values.driver.enabled (eq .Values.driver.kind "module") }}
+        {{- if and .Values.driver.enabled (eq .Values.driver.kind "kmod") }}
         - mountPath: /host/dev
           name: dev-fs
           readOnly: true
@@ -199,13 +190,13 @@ spec:
         {{- with .Values.mounts.volumeMounts }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
-        {{- if .Values.gvisor.enabled }}
+        {{- if eq .Values.driver.kind "gvisor" }}
         - mountPath: /usr/local/bin/runsc
           name: runsc-path
           readOnly: true
-        - mountPath: /host{{ .Values.gvisor.runsc.root }}
+        - mountPath: /host{{ .Values.driver.gvisor.runsc.root }}
           name: runsc-root
-        - mountPath: /host{{ .Values.gvisor.runsc.config }}
+        - mountPath: /host{{ .Values.driver.gvisor.runsc.config }}
           name: runsc-config
         - mountPath: /gvisor-config
           name: falco-gvisor-config
@@ -217,10 +208,10 @@ spec:
   {{- with .Values.extra.initContainers }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
-  {{- if and .Values.gvisor.enabled }}
+  {{- if eq .Values.driver.kind "gvisor" }}
   {{- include "falco.gvisor.initContainer" . | nindent 4 }}
   {{- end }}
-  {{- if and .Values.driver.enabled (ne .Values.driver.kind "modern-bpf") }}
+  {{- if and .Values.driver.enabled (and (ne .Values.driver.kind "modern_ebpf") (ne .Values.driver.kind "gvisor")) }}
   {{- if.Values.driver.loader.enabled }}
     {{- include "falco.driverLoader.initContainer" . | nindent 4 }}
   {{- end }}
@@ -251,7 +242,7 @@ spec:
       hostPath:
         path: /etc
     {{- end }}
-    {{- if and .Values.driver.enabled (eq .Values.driver.kind "module") }}
+    {{- if and .Values.driver.enabled (eq .Values.driver.kind "kmod") }}
     - name: dev-fs
       hostPath:
         path: /dev
@@ -288,17 +279,17 @@ spec:
       hostPath:
         path: /proc
     {{- end }}
-    {{- if .Values.gvisor.enabled }}
+    {{- if eq .Values.driver.kind "gvisor" }}
     - name: runsc-path
       hostPath:
-        path: {{ .Values.gvisor.runsc.path }}/runsc
+        path: {{ .Values.driver.gvisor.runsc.path }}/runsc
         type: File
     - name: runsc-root
       hostPath:
-        path: {{ .Values.gvisor.runsc.root }}
+        path: {{ .Values.driver.gvisor.runsc.root }}
     - name: runsc-config
       hostPath:
-        path: {{ .Values.gvisor.runsc.config }}
+        path: {{ .Values.driver.gvisor.runsc.config }}
         type: File
     - name: falco-gvisor-config
       emptyDir: {}
@@ -348,18 +339,21 @@ spec:
 - name: {{ .Chart.Name }}-driver-loader
   image: {{ include "falco.driverLoader.image" . }}
   imagePullPolicy: {{ .Values.driver.loader.initContainer.image.pullPolicy }}
-  {{- with .Values.driver.loader.initContainer.args }}
   args:
+  {{- with .Values.driver.loader.initContainer.args }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
+  {{- if eq .Values.driver.kind "ebpf" }}
+    - ebpf
+   {{- end }}
   {{- with .Values.driver.loader.initContainer.resources }}
   resources:
     {{- toYaml . | nindent 4 }}
   {{- end }}
   securityContext:
   {{- if .Values.driver.loader.initContainer.securityContext }}
     {{- toYaml .Values.driver.loader.initContainer.securityContext | nindent 4 }}
-  {{- else if eq .Values.driver.kind "module" }}
+  {{- else if eq .Values.driver.kind "kmod" }}
     privileged: true
   {{- end }}
   volumeMounts:
@@ -392,7 +386,7 @@ spec:
 {{- define "falco.securityContext" -}}
 {{- $securityContext := dict -}}
 {{- if .Values.driver.enabled -}}
-  {{- if eq .Values.driver.kind "module" -}}
+  {{- if eq .Values.driver.kind "kmod" -}}
     {{- $securityContext := set $securityContext "privileged" true -}}
   {{- end -}}
   {{- if eq .Values.driver.kind "ebpf" -}}
@@ -402,8 +396,8 @@ spec:
       {{- $securityContext := set $securityContext "privileged" true -}}
     {{- end -}}
   {{- end -}}
-  {{- if eq .Values.driver.kind "modern-bpf" -}}
-    {{- if .Values.driver.modern_bpf.leastPrivileged -}}
+  {{- if eq .Values.driver.kind "modern_ebpf" -}}
+    {{- if .Values.driver.modernEbpf.leastPrivileged -}}
       {{- $securityContext := set $securityContext "capabilities" (dict "add" (list "BPF" "SYS_RESOURCE" "PERFMON" "SYS_PTRACE")) -}}
     {{- else -}}
       {{- $securityContext := set $securityContext "privileged" true -}}