-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate Falco's chart integrations in favor of falcosidekick #123
Comments
I greatly agree, we can better support these kinds of things in the sidekick. I'd even say we should default the http output option to |
I even thought about integrating falcosidekick in falco's chart, as a dependency, what do you think about? |
I'm not sure. I would like a single entry point for users. However I feel that bloated code and tons of options doesn't serve the users well. Separation is good, however Helm doesn't seem to have the best tooling to support collections of charts working together. I found these two things: Neither of which really looks all that great. It does seem like we could use
inside the main Falco chart to turn on http output to port 2801. That might be confusing for the users if http output is disabled in their values.yaml but enabled after they apply the chart. I'm not against folding the sidekick chart into the main falco chart, I just worry that we're replacing one extension with another, and that in the future we'll probably be shy to change defaults in the falco chart and more willing to iterate and be disruptive to users in a separate chart. |
I agree. I just wondered if we could just enable the import of falcosidekick"s chart with a boolean, but it doesn't seem possible with helm. When all will be ready in falcosidekick, its chart and this. I will write the relative documentation. |
For After implementation of |
Hey I would like to introduce a deprecation notice in the Falco chart right now. WDYT? |
@leogr It could be add in |
Update: |
Hello everyone, is it possible to introduce a readiness probe in falco to check that falcosidekick is available (when enabled ofc ) something like this maybe :
I think this should be handled from falco side whenever a http output enabled a readiness probe should be added I mean not only for falcosidekick isn't ? |
Hi @AbirHamzi, For me, it's not the duty of In kubernetes, livenessProbe:
httpGet:
path: /ping
port: http
initialDelaySeconds: 10
periodSeconds: 5
readinessProbe:
httpGet:
path: /ping
port: http
initialDelaySeconds: 10
periodSeconds: 5 And when you set in httpOutput:
enabled: true
url: "http://falcosidekick:2801/" You use a |
@Issif okay if you see so, but just to clarify my point of view, I meant that from falco side if we enable the http output (for falcosidekick or any other server) we may set unreachable url by mistake (I did that :() we can see that in falco logs but I thought it's better to introduce it as readiness probe to save debugging time and we read values from values.yaml like following:
|
I understand your point, and I agree the current solution needs to be improved, but I see an issue using the K8s probes. Falco could be restarted if the probe failed, and I don't believe that would be good. However, I still think we have to find a better way to inform the user when an output channel is misconfigured or is not working. |
@leogr yes I see what you mean, one last thing is it possible to keep the readiness probe and we set its |
It's hard to assume a default value for that a priori, IMHO. I'd rather leave open the ability to configure custom probes so that users may choose on a case-by-case basis. |
Motivation
Falco's chart comes with various thirdy-party integrations that seems to be not maintained anymore.
Moreover, the current implementation of those integrations relies on several docker images that live outside the falcosecurity org:
charts/falco/templates/daemonset.yaml
Line 147 in 524dcbc
charts/falco/templates/daemonset.yaml
Line 156 in 524dcbc
charts/falco/templates/daemonset.yaml
Line 181 in 524dcbc
That makes Falco's chart hard to maintain Falco's chart too (here is an example).
Finally, falcosidekick (that's actively maintained, lives inside the falcosecurity org, and its chart is already inside this repository) already provides some of those integrations (missing ones are coming soon).
Feature
Remove the following integrations from the Falco's chart:
gcscc
(i.e., Google Cloud Security Command Center)natsOutput
snsOutput
pubsubOutput
(i.e., Google Cloud Pub/Sub)Finally, document how Falco's chart can integrate with those services by using falcosidekick's.
Alternatives
Do nothing. But sooner or later the current integrations will not work anymore.
Additional context
Service supported by falcosidekick:
Slack channel discussion 👇
https://kubernetes.slack.com/archives/CMWH3EH32/p1602690485207200
cc @Issif @nibalizer
The text was updated successfully, but these errors were encountered: