update(docs): add more details to kubernetes readme #96
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Thank you!
LGTM and just left two comments (nothing blocking for now).
|
||
For additional guidance on using Falco in Kubernetes or benchmarking within a testbed, consider exploring the repository at https://github.com/falcosecurity/cncf-green-review-testing. Please note that the repository primarily focuses on testbed benchmarking, and as a result, the setup might not be best for real-world use. | ||
|
||
__NOTE__: If you're working with [minikube](https://minikube.sigs.k8s.io/docs/start/) locally, bear in mind that specific mount setups might be necessary. For instance, running `minikube start --mount --mount-string="/usr/src:/usr/src" --driver=docker` ensures that the `driver-loader` can access `/usr/src/kernels/` if the kernel driver (`kmod` or `ebpf`) is built on-the-fly. Running Falco with `--modern-bpf` does not require building a driver because it is already bundled within the userspace binary. This capability is enabled by the newer CORE (Compile Once - Run Everywhere) BPF feature and works only on more recent kernels (>= 5.8). |
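Review bot: In the minikube NOTE, `/usr/src/kernels/` is given as the path the `driver-loader` needs, but the mount string shown exposes all of `/usr/src`, and the header layout under that directory differs between distributions; wording it as "kernel headers under `/usr/src`" would avoid misleading readers on other layouts. The same sentence could say outright that the mount is unnecessary with `--modern-bpf`, which the text implies but leaves to the reader. The acronym is also usually written CO-RE rather than CORE.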
This page https://falco.org/docs/install-operate/running/#docker may help users check which mounts are required, depending on the chosen setup.
### What's Included in the `falco` Deployment? | ||
|
||
**initContainers** | ||
- `falco-driver-loader`: Downloads the kernel driver or attempts to build it on-the-fly. | ||
- `falcoctl-artifact-install`: Downloads default rules and installs falcoctl along with other artifacts like plugins. | ||
|
||
|
||
**containers** | ||
- `falco`: Executes the Falco binary. | ||
- `falcoctl-artifact-follow`: Utilizes falcoctl's functionality to watch for updated rules. | ||
|
||
The template daemonset setup does not handle the method of extracting Falco logs from the container to their final destination (such as a data lake or SIEM). You can explore using tools like `falco-exporter`, `falcosidekick`, or create custom solutions. |
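Review bot: The `falco-driver-loader`, `falcoctl-artifact-install` and `falcoctl-artifact-follow` bullets say these containers download a kernel driver, rules and plugins and keep watching for updated rules, but not where from or how a version is pinned; because that content is loaded into the kernel or drives detection, name the source and point to the setting that controls it so operators can allow-list egress and pin what is pulled. In the `falcoctl-artifact-install` bullet, "installs falcoctl" reads as if the tool itself is installed; if the container uses falcoctl to install rules and plugins, say that instead. The `falco-driver-loader` bullet could also state that it is not needed with `--modern-bpf`, as the NOTE earlier in the README says.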
Note for the future: this may slightly change a bit in Falco 0.37 since the porting of the driver loader into falcoctl cc @alacuku @Andreagit97 @LucaGuerra
[APPROVALNOTIFIER] This PR is APPROVED.
This pull-request has been approved by: incertum, leogr.
The full list of commands accepted by this bot can be found here. The pull request process is described here.
LGTM label has been added. Git tree hash: 36b07d78b0100797bf4da90152a939290dd784b7
What type of PR is this?
/kind documentation
Any specific area of the project related to this PR?
What this PR does / why we need it:
Update docs for Kubernetes deployment to provide more details and add a note around what to keep in mind when testing this with `minikube` as I experienced some hiccups there. @leogr @maxgio92
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: