rules_file/rules_files not being respected #729

Closed
kimberleyhallifax opened this issue Aug 12, 2024 · 0 comments
Labels
kind/bug Something isn't working


@kimberleyhallifax

Description

I am attempting to include additional rule files including the sandbox and incubating rules. I'm doing this in a Helm chart using the following documentation here to add the following config:

[Image: Screenshot 2024-08-09 at 5 42 32 PM]

But my config is not being respected.

How to reproduce it

Here is my Chart.yaml:

apiVersion: v2
description: Intrusion detection using Falco
name: falco
version: 1.1.7
dependencies:
  - name: falco
    version: 4.7.0
    repository: https://falcosecurity.github.io/charts

Here is my values.yaml file:

---
falco:
  falco:
    rules_file:
      - /etc/falco/falco_rules.yaml
      - /etc/falco/falco-incubating_rules.yaml
      - /etc/falco/falco-sandbox_rules.yaml
      - /etc/falco/k8s_audit_rules.yaml
      - /etc/falco/rules.d

  falcoctl:
    config:
      allowed_types: ["rulesfile"]
      artifact:
        install:
          rulesfilesDir: /etc/falco/
          refs: [falco-rules:1,falco-incubating-rules:1,falco-sandbox-rules:1,k8s_audit_rules:1]
        follow:
          rulesfilesDir: /etc/falco/
          refs: [falco-rules:1,falco-incubating-rules:1,falco-sandbox-rules:1,k8s_audit_rules:1]

I have also tried this with falco Helm chart version 4.7.2 and with rules_files and that did not work either.

Expected behaviour

I expect the falco-incubating_rules.yaml, falco-sandbox_rules.yaml and k8s_audit_rules.yaml rule files to load in my pod, in addition to the default falco_rules.yaml. However, only falco_rules.yaml loads.

Here are my Kubernetes pod logs to confirm that only falco_rules.yaml is being loaded:

Defaulted container "falco" out of: falco, falcoctl-artifact-follow, falco-driver-loader (init), falcoctl-artifact-install (init)
Fri Aug  9 02:15:21 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
Fri Aug  9 02:15:21 2024: Falco version: 0.38.1 (x86_64)
Fri Aug  9 02:15:21 2024: Falco initialized with configuration files:
Fri Aug  9 02:15:21 2024:    /etc/falco/falco.yaml
Fri Aug  9 02:15:21 2024: System info: Linux version 5.10.219-208.866.amzn2.x86_64 (mockbuild@ip-10-0-35-201) (gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1), GNU ld version 2.35.2-9.amzn2.0.1) falcosecurity/rules#1 SMP Tue Jun 18 14:00:06 UTC 2024
Fri Aug  9 02:15:21 2024: Loading rules from file /etc/falco/falco_rules.yaml

Environment

  • Falco version:

4.7.0 and 4.7.2

  • OS:

MacOS M1

  • Kernel:

Darwin VGW0681 23.6.0 Darwin Kernel Version 23.6.0: Fri Jul 5 17:56:41 PDT 2024; root:xnu-10063.141.1~2/RELEASE_ARM64_T6000 arm64

  • Installation method:

Kubernetes Helm
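
A check for the symptom reported above, as an added example that is not part of the original issue or of the Falco project's code: it compares the rule files configured in values.yaml with the `Loading rules from file` lines in the pod log and lists the ones that never loaded. The function names are hypothetical, and treating an entry without a .yaml/.yml suffix as a directory is an assumption.

```python
import re

# Log line formats taken from the pod log in the issue, e.g.
#   "Fri Aug  9 02:15:21 2024: Loading rules from file /etc/falco/falco_rules.yaml"
LOADED_RE = re.compile(r": Loading rules from file (\S+)\s*$")
DEPRECATED_RE = re.compile(r"Using deprecated config key '(\w+)'")


def parse_falco_log(log_text):
    """Return (loaded_files, deprecated_keys) found in Falco startup output."""
    loaded, deprecated = [], []
    for line in log_text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            loaded.append(m.group(1))
            continue
        m = DEPRECATED_RE.search(line)
        if m:
            deprecated.append(m.group(1))
    return loaded, deprecated


def missing_rule_files(configured, loaded):
    """Configured rule files that never appear in a 'Loading rules' line.

    Assumption: an entry without a .yaml/.yml suffix is a directory (such as
    /etc/falco/rules.d); it may legitimately be empty, so it is not reported.
    """
    loaded_set = set(loaded)
    return [p for p in configured
            if p.endswith((".yaml", ".yml")) and p not in loaded_set]


# Paths from the rules_file list in the issue's values.yaml.
CONFIGURED = [
    "/etc/falco/falco_rules.yaml",
    "/etc/falco/falco-incubating_rules.yaml",
    "/etc/falco/falco-sandbox_rules.yaml",
    "/etc/falco/k8s_audit_rules.yaml",
    "/etc/falco/rules.d",
]

# Log lines copied from the issue (the long "System info" line is omitted).
SAMPLE_LOG = """\
Fri Aug  9 02:15:21 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
Fri Aug  9 02:15:21 2024: Falco version: 0.38.1 (x86_64)
Fri Aug  9 02:15:21 2024: Loading rules from file /etc/falco/falco_rules.yaml
"""

if __name__ == "__main__":
    loaded, deprecated = parse_falco_log(SAMPLE_LOG)
    for key in deprecated:
        print("deprecated config key in use:", key)
    for path in missing_rule_files(CONFIGURED, loaded):
        print("NOT LOADED:", path)
```

Run against the startup output of the falco container (for example from `kubectl logs`), a non-empty result means detection rules the configuration expects are not active in that pod.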
