Plugin k8smeta warning after creating Falco Helm chart with Kubernetes collector enabled #681

Closed
jfcmartins opened this issue Jun 4, 2024 · 6 comments

jfcmartins commented Jun 4, 2024

Plugin k8smeta warning after creating Falco Helm chart with Kubernetes collector enabled

When I create the Falco Helm chart with the Kubernetes k8smeta collector, it displays the following warning:

WARNING:
It seems you are loading the following plugins [k8smeta], please make sure to install them by adding the correct reference to falcoctl.config.artifact.install.refs: [falco-rules:3 ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0]

How to reproduce it

Create Falco Helm chart values file:

values.yaml

rbac:
  create: true

falco:
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco_rules.local.yaml
    - /etc/falco/rules.d

  priority: info
  syscall_event_drops:
    actions:
      - log

  grpc:
    enabled: true
  grpc_output:
    enabled: true

  load_plugins: []

driver:
  enabled: true
  kind: modern_ebpf
  modernEbpf:
    bufSizePreset: 5

collectors:
  enabled: true
  kubernetes:
    enabled: true

controller:
  kind: daemonset

falcosidekick:
  enabled: true
  config:
    debug: true
    slack:
      outputformat: "fields"
      webhookurl: "<redacted>"

Then apply the Helm chart:

helm upgrade -i falco falcosecurity/falco \
  -f values.yaml \
  --version 4.4.0

Expected behaviour

Helm chart warning shouldn't appear for this use case.

Environment

  • Falco version: 0.38.0
  • System info: Linux version 5.10.198-187.748.amzn2.x86_64(GCC) 10.5.0 20230707 (Red Hat 10.5.0-1), GNU ld version 2.35.2-9.amzn2.0.1)
  • Cloud provider or hardware configuration: AWS EKS
  • OS: Debian GNU/Linux 12 (bookworm)
  • Kernel: Linux falco-gs4rr SMP Tue Oct 24 19:49:54 UTC 2023 x86_64 GNU/Linux
  • Installation method: Kubernetes, Helm

Am I missing something? I really appreciate any help you can provide.

@jfcmartins jfcmartins added the kind/bug Something isn't working label Jun 4, 2024

alacuku commented Jun 6, 2024

Hi @jfcmartins, usually the plugins require two steps to be configured in falco:

  1. add the reference in the falcoctl section to download the plugin artifact;
  2. add the plugin to the falco configuration.

Sometimes one of the steps could not be performed, hence the warning is there to warn that some plugins have been configured in falco and the user needs to configure them in the falcoctl section.

In the case of the k8s-metacollector + k8smeta plugin the configuration is done by the chart itself so you're right that it could be misleading.

A better way could be to show the warning only when one of the two steps described above is not performed.

@jfcmartins
Author

Hey @alacuku 👋 thanks for the help. That's what I thought.

What I still don't understand is why this warning appears in the first place, since falco.load_plugins is an empty list in values.yaml: https://github.com/falcosecurity/charts/blob/falco-4.4.0/charts/falco/templates/NOTES.txt#L42


alacuku commented Jun 6, 2024

When setting collectors.kubernetes.enabled=true the following helper (

{{/*
Build configuration for k8smeta plugin and update the relevant variables.
* The configuration that needs to be built up is the initconfig section:
    init_config:
      collectorPort: 0
      collectorHostname: ""
      nodeName: ""
  The falco chart exposes this configuration through two variables:
    * collectors.kubernetes.collectorHostname;
    * collectors.kubernetes.collectorPort;
  If those two variables are not set, then we take those values from the k8smetacollector subchart.
  The hostname is built using the name of the service that exposes the collector endpoints and the
  port is directly taken from the service's port that exposes the gRPC endpoint.
  We reuse the helpers from the k8smetacollector subchart, by passing down the variables. There is a
  hardcoded value, which is the chart name for the k8s-metacollector chart.
* The falcoctl configuration is updated to allow plugin artifacts to be installed. The refs in the install
  section are updated by adding the reference for the k8s meta plugin that needs to be installed.
NOTE: It seems that the named templates run during the validation process. And then again during the
render phase. In our case we are setting global variables that persist during the various phases.
We need to make the helper idempotent.
*/}}
{{- define "k8smeta.configuration" -}}
{{- if and .Values.collectors.kubernetes.enabled .Values.driver.enabled -}}
  {{- $hostname := "" -}}
  {{- if .Values.collectors.kubernetes.collectorHostname -}}
    {{- $hostname = .Values.collectors.kubernetes.collectorHostname -}}
  {{- else -}}
    {{- $collectorContext := (dict "Release" .Release "Values" (index .Values "k8s-metacollector") "Chart" (dict "Name" "k8s-metacollector")) -}}
    {{- $hostname = printf "%s.%s.svc" (include "k8s-metacollector.fullname" $collectorContext) (include "k8s-metacollector.namespace" $collectorContext) -}}
  {{- end -}}
  {{- $hasConfig := false -}}
  {{- range .Values.falco.plugins -}}
    {{- if eq (get . "name") "k8smeta" -}}
      {{ $hasConfig = true -}}
    {{- end -}}
  {{- end -}}
  {{- if not $hasConfig -}}
    {{- $listenPort := default (index .Values "k8s-metacollector" "service" "ports" "broker-grpc" "port") .Values.collectors.kubernetes.collectorPort -}}
    {{- $listenPort = int $listenPort -}}
    {{- $pluginConfig := dict "name" "k8smeta" "library_path" "libk8smeta.so" "init_config" (dict "collectorHostname" $hostname "collectorPort" $listenPort "nodeName" "${FALCO_K8S_NODE_NAME}") -}}
    {{- $newConfig := append .Values.falco.plugins $pluginConfig -}}
    {{- $_ := set .Values.falco "plugins" ($newConfig | uniq) -}}
    {{- $loadedPlugins := append .Values.falco.load_plugins "k8smeta" -}}
    {{- $_ = set .Values.falco "load_plugins" ($loadedPlugins | uniq) -}}
  {{- end -}}
  {{- $_ := set .Values.falcoctl.config.artifact.install "refs" ((append .Values.falcoctl.config.artifact.install.refs .Values.collectors.kubernetes.pluginRef) | uniq)}}
  {{- $_ = set .Values.falcoctl.config.artifact "allowedTypes" ((append .Values.falcoctl.config.artifact.allowedTypes "plugin") | uniq)}}
{{- end -}}
{{- end -}}
) takes care to configure the k8smeta plugin:

  1. add the k8smeta plugin's reference to the falcoctl configuration;
  2. add the k8smeta plugin's configuration in falco's configuration;
  3. add the k8smeta plugin to the falco.load_plugins list.

To inspect the templates generated at install time, use the helm template with your values.yaml file.

@alacuku alacuku self-assigned this Jun 6, 2024
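
An added example, not part of the thread or of the chart's code: a simplified Python model of the helper quoted above, together with the check alacuku proposes (report a plugin only when one of its configuration steps is missing). The dict layout, the assumed chart defaults and the function names are constructed for illustration.

```python
import copy

def uniq_append(items, item):
    """Model of Helm's `append ... | uniq` for one item: add once, keep order."""
    return items if item in items else items + [item]

def apply_k8smeta_helper(values):
    """Simplified model of what the k8smeta.configuration helper does to .Values."""
    v = copy.deepcopy(values)
    k8s = v["collectors"]["kubernetes"]
    if not (k8s["enabled"] and v["driver"]["enabled"]):
        return v
    falco = v["falco"]
    if not any(p.get("name") == "k8smeta" for p in falco["plugins"]):
        # init_config (hostname, port, node name) is left out of this model.
        falco["plugins"] = falco["plugins"] + [{"name": "k8smeta", "library_path": "libk8smeta.so"}]
        falco["load_plugins"] = uniq_append(falco["load_plugins"], "k8smeta")
    art = v["falcoctl"]["config"]["artifact"]
    art["install"]["refs"] = uniq_append(art["install"]["refs"], k8s["pluginRef"])
    art["allowedTypes"] = uniq_append(art["allowedTypes"], "plugin")
    return v

def ref_name(ref):
    """'ghcr.io/.../plugin/k8smeta:0.1.0' -> 'k8smeta' (tag or digest dropped)."""
    return ref.rsplit("/", 1)[-1].split("@", 1)[0].split(":", 1)[0]

def missing_steps(values):
    """Map each loaded plugin to the configuration steps that were not performed."""
    falco = values["falco"]
    refs = {ref_name(r) for r in values["falcoctl"]["config"]["artifact"]["install"]["refs"]}
    configured = {p.get("name") for p in falco["plugins"]}
    problems = {}
    for name in falco["load_plugins"]:
        missing = [step for step, done in (("falcoctl ref", name in refs),
                                           ("falco.plugins entry", name in configured)) if not done]
        if missing:
            problems[name] = missing
    return problems

# Constructed values mirroring the issue's values.yaml; chart defaults are assumed.
USER_VALUES = {
    "driver": {"enabled": True},
    "collectors": {"kubernetes": {"enabled": True,
        "pluginRef": "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0"}},
    "falco": {"load_plugins": [], "plugins": []},
    "falcoctl": {"config": {"artifact": {"install": {"refs": ["falco-rules:3"]},
                                         "allowedTypes": ["rulesfile"]}}},
}

if __name__ == "__main__":
    rendered = apply_k8smeta_helper(USER_VALUES)
    print(rendered["falco"]["load_plugins"], missing_steps(rendered))
```

With the issue's values the model ends up with `k8smeta` in `load_plugins` even though the user's list was empty, and `missing_steps` reports nothing because the helper performed every step itself.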
@jfcmartins
Author

Thanks @alacuku! Now it makes sense


leogr commented Aug 28, 2024

I guess this issue has been addressed by Aldo's explanation, so
/close

Feel free to reopen it eventually.


poiana commented Aug 28, 2024

@leogr: Closing this issue.


@poiana poiana closed this as completed Aug 28, 2024