wip: add helm chart #15

Closed
wants to merge 51 commits into from

Conversation

nibalizer
Contributor

This is probably pending discussion in #12 and possibly falco/1184 and #14

Before it does anything it will also need us to make a helm-chart index/repository (static site with a specific file) and a PR into helm/hub to light that up

nestorsalceda and others added 30 commits July 3, 2018 20:38
* [stable/falco] Add Falco chart

* Fix indentation and other stuff reported by CI

* Add appVersion to Chart.yaml

* Specify container resources

* Allow to load external Falco rules

* Move GCSCC integrations to a top level integrations section

We can correlate falco.* keys for Falco-related settings, and refer to them
in the Falco Wiki

* Rename deployment to fakeEventGenerator

First one is too generic

* Add OWNERS file

* Separate rbac and serviceAccount

Follow RBAC best practices: https://github.com/kubernetes/helm/blob/master/docs/chart_best_practices/rbac.md

* Use falco.serviceAccount name template for cluster role binding

* Fixes required from reviewer

* Allow passing rules in an external file instead of editing configMap by hand

* Remove quotes from Chart version

I'm not sure if this breaks the lint stage in CircleCI

* Update Chart.yaml
* [stable/falco] Fix some small typos

Fix some small typos

* Add version 0.1.1

Add version 0.1.1
* Update value of bufferedOutputs in configmap documentation

* Add NATS output integration for Sysdig Falco

* Add a change log
* Add eBPF support for Falco in Helm Chart

* Add a more fine grained settings for eBPF stuff
Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
Signed-off-by: cpanato <ctadeu@gmail.com>
* Add Amazon SNS integration

This allows Falco to publish alerts to a SNS topic

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Fix build and add entry to the CHANGELOG

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
Signed-off-by: Diego Lendoiro <diego.lendoiro@gmail.com>
Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
* use version 0.13.0 instead of latest

Signed-off-by: cpanato <ctadeu@gmail.com>

* update changelog

Signed-off-by: cpanato <ctadeu@gmail.com>
* update correct example

Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io>

* Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io>

* bump chart version

Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io>

* update CHANGELOG

Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io>

* update space

Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io>

* remove space

Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io>

* space

Signed-off-by: Daniel BERUBEN <daniel.beruben@thalesdigital.io>

Signed-off-by: Cameron Attard <cameron.attard@siteminder.com>
* Upgrade to Falco 0.14.0

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Enable eBPF by default on Falco builds

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Allow to specify images from different registries than `docker.io`

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Upgrade Chart version to a minor one because eBPF default value

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Use RollingUpgrade strategy by default

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Provide sane defaults for resources

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Update CHANGELOG entries

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Add minor / major categorization to changelog

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
* Disable ebpf by default

This reverts the change made on 0.6.0

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Specify in CHANGELOG that we are reverting the previous change.

The vast majority of our users are using the kernel module approach and
we can cause some troubles with this change.

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Explain WHY we activated the ebpf module by default

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
* [stable/falco] Add GCloud PubSub integration

* Add GCloud PubSub integration

This allows Falco to publish alerts to a PubSub topic

Signed-off-by: Federico Barcelona <fede_rico_94@hotmail.com>

* [stable/falco] Fix values to follow naming conventions

Signed-off-by: Federico Barcelona <fede_rico_94@hotmail.com>

* [stable/falco] Changes requested in the PR

- Follow naming conventions
- Use only one secret instead of two different ones

Signed-off-by: Federico Barcelona <fede_rico_94@hotmail.com>
Signed-off-by: Federico Barcelona <fede_rico_94@hotmail.com>
Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
Instead of hardcoding or relying on DNS, use this method.

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
* [stable/falco] make the container runtime socket configurable

Co-authored-by: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>

* [stable/falco]: update to falco 0.15.0 with cri-o and containerd support

Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
Signed-off-by: Lorenzo Fontana <lo@linux.com>

* [stable/falco]: update changelog

Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>

* [stable/falco]: bump chart release to 0.7.6

Signed-off-by: Lorenzo Fontana <lo@linux.com>

Co-Authored-By: Leonardo Di Donato <leodidonato@gmail.com>
* [stable/falco] Upgrade to Falco 0.15.1

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* Reflect values in README

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
Signed-off-by: Naoki Oketani <okepy.naoki@gmail.com>
* [stable/falco] Fix issues with timezone parameter inclusion.

* Add it to values.yaml file
* Add the ChangeLog entry

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Upgrade Falco to 0.15.3

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
…ation with Falco (#15020)

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
Signed-off-by: Maxime VISONNEAU <maxime.visonneau@gmail.com>
Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
…_event_drops, time_format_iso8601 and httpOutput (#15361)

* [stable/falco] Add a parameter to use ISO8601 formatted dates

If true, the times displayed in log messages and output messages
will be in ISO 8601. By default, times are displayed in the local
time zone, as governed by /etc/localtime.

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Allow configuration for `syscall_event_drops` in falco.yaml

Falco uses a shared buffer between the kernel and userspace to pass
system call information. When falco detects that this buffer is
full and system calls have been dropped, it can take one or more of
the following actions:
  - "ignore": do nothing. If an empty list is provided, ignore is assumed.
  - "log": log a CRITICAL message noting that the buffer was full.
  - "alert": emit a falco alert noting that the buffer was full.
  - "exit": exit falco with a non-zero rc.

The rate at which log/alert messages are emitted is governed by a
token bucket. The rate corresponds to one message every 30 seconds
with a burst of 10 messages.

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
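The token bucket described in the commit message above, as an added example in Python (not Falco's own code): it models the documented behaviour (one log/alert message every 30 seconds, burst of 10) on a constructed sequence of "buffer full" detections, so you can see which of them would actually surface as a log line or alert. The parameter names `rate` (messages per second) and `max_burst` are assumed to mirror the keys of the `syscall_event_drops` section in falco.yaml; the function and class names are ours.

```python
"""Token-bucket throttling for Falco's syscall_event_drops messages.

Added example, not Falco's own code: it models the behaviour described in the
commit message (one log/alert message every 30 seconds, burst of 10). The
parameter names rate (messages per second) and max_burst are assumed to mirror
the keys of the syscall_event_drops section in falco.yaml.
"""


class TokenBucket:
    """Classic token bucket: tokens refill continuously at `rate` per second,
    capped at `max_burst`; each emitted message costs one token."""

    def __init__(self, rate=1.0 / 30, max_burst=10):
        self.rate = rate
        self.max_burst = max_burst
        self.tokens = float(max_burst)   # start full, so the first burst passes
        self.last = 0.0                  # timestamp of the previous claim

    def claim(self, now):
        """Refill for the time elapsed since the last call, then try to take
        one token. Returns True if a message may be emitted at `now`."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.max_burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def throttle_drop_events(drop_times, rate=1.0 / 30, max_burst=10):
    """drop_times: non-decreasing timestamps (seconds) at which Falco noticed
    the kernel/userspace buffer was full. Returns (emitted, suppressed):
    which detections would produce a log/alert and which are rate-limited away.
    """
    bucket = TokenBucket(rate, max_burst)
    emitted, suppressed = [], []
    for t in drop_times:
        (emitted if bucket.claim(t) else suppressed).append(t)
    return emitted, suppressed


# Constructed scenario (not real Falco output): a node drops events once a
# second for 15 s, is quiet for roughly ten minutes, then drops three more times.
SAMPLE_DROP_TIMES = list(range(15)) + [600, 601, 602]


def sample_run():
    return throttle_drop_events(SAMPLE_DROP_TIMES)


if __name__ == "__main__":
    emitted, suppressed = sample_run()
    print("emitted at:   ", emitted)
    print("suppressed at:", suppressed)
```

In the sample scenario the first ten detections pass on the initial burst, the next five are suppressed because only one thirtieth of a token accrues per second, and after the quiet period the bucket has refilled so the later drops are reported again. This is why a sustained drop storm shows up as a handful of messages rather than one per detection; the `ignore` action bypasses the bucket entirely because nothing is emitted.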

* [stable/falco] Enable httpOutput section from the configmap

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Add CHANGELOG entry for 0.8.0

This was not done in [its own PR](helm/charts#14813 (comment))

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Bump version and add CHANGELOG entries

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
* [stable/falco] Allow audit logging with Falco

You can enable it on minikube with the following command:

`helm install --name falco --set falco.webserver.enabled=true --set falco.webserver.clusterIP=10.96.0.100 stable/falco`

The main problem is that minikube doesn't resolve the service from apiserver,
so that you need to specify the clusterIP.

https://github.com/falcosecurity/falco/blob/dev/examples/k8s_audit_config/README.md

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Apiserver doesn't resolve internal services

That would be a layering violation, so we are going to rely only on
clusterIP, and that parameter is required if we enable the webserver
features.

https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#url

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Document values and upgrade chart version

This is a 1.0.0 version, which means that the Helm chart is feature
complete in the sense that we provide the same functionality that the
daemonset provides.

It's time to celebrate!

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Add a section in README for explaining K8s audit event support

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Write the README in a more actionable way

Telling all the history about the Falco implementation of Audit Event
rules is a bit useless here. It can be found on the awesome Falco
documentation.

Here I would like to focus a bit more on chart users and show them how
to enable Falco with the audit events feature.

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>

* [stable/falco] Add instructions for choosing the clusterIP address

And another option for a not-recognized resource is that we were using a
K8s version prior to v1.13

Signed-off-by: Néstor Salceda <nestor.salceda@sysdig.com>
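The audit-webhook wiring the commits above describe, as an added example in Python (not part of the chart or of Falco): it renders the kubeconfig that kube-apiserver takes via `--audit-webhook-config-file`, pointed at the Falco Service, and refuses anything that is not an IP literal, since the apiserver does not resolve in-cluster service names and the chart therefore requires `falco.webserver.clusterIP`. It assumes Falco's webserver defaults of the time (port 8765, endpoint `/k8s_audit`); the function and constant names are ours.

```python
"""Generate the kube-apiserver audit webhook kubeconfig that targets Falco.

Added example, not part of the chart. It assumes Falco's webserver defaults
of the time (listen_port 8765, k8s_audit_endpoint /k8s_audit) and that the
chart was installed with falco.webserver.clusterIP set, as in the commit
messages above. Function and constant names are ours.
"""
import ipaddress

FALCO_WEBSERVER_PORT = 8765              # assumed falco.yaml webserver.listen_port default
FALCO_K8S_AUDIT_ENDPOINT = "/k8s_audit"  # assumed webserver.k8s_audit_endpoint default


def is_usable_webhook_host(host):
    """The apiserver does not resolve in-cluster service names, so the webhook
    target must be an IP literal (the Service's clusterIP), never a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def falco_audit_url(cluster_ip):
    """Build the URL the apiserver will POST audit events to."""
    if not is_usable_webhook_host(cluster_ip):
        raise ValueError(
            f"audit webhook needs the Falco Service clusterIP, got {cluster_ip!r}"
        )
    ip = ipaddress.ip_address(cluster_ip)
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"http://{host}:{FALCO_WEBSERVER_PORT}{FALCO_K8S_AUDIT_ENDPOINT}"


def audit_webhook_kubeconfig(cluster_ip):
    """Render the kubeconfig passed via --audit-webhook-config-file."""
    return f"""apiVersion: v1
kind: Config
clusters:
- name: falco
  cluster:
    server: {falco_audit_url(cluster_ip)}
contexts:
- context:
    cluster: falco
    user: ""
  name: default-context
current-context: default-context
preferences: {{}}
users: []
"""


if __name__ == "__main__":
    # 10.96.0.100 is the clusterIP used in the helm install example above.
    print(audit_webhook_kubeconfig("10.96.0.100"))
```

Pick the clusterIP before installing the chart (it must lie inside the cluster's service CIDR and be unused), pass the same value to `falco.webserver.clusterIP`, and hand the rendered file to the apiserver together with an audit policy; if the Service is ever recreated with a different IP the webhook silently stops delivering, which is the price of not being able to use DNS here.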
mazzy89 and others added 5 commits March 11, 2020 10:35
* Make kernel module dir writable

Signed-off-by: Salvatore Mazzarino <dev@mazzarino.cz>

* Add CHANGELOG

Signed-off-by: Salvatore Mazzarino <dev@mazzarino.cz>
…(#21436)

* [stable/falco] add headless service for falco gRPC server

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

* [stable/falco] gRPC certificates configuration

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>

* [stable/falco] Update CHANGELOG.md and bump version

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
* [stable/falco] upgrade agent and rules to 0.21.0

Signed-off-by: Cameron Attard <cameron.attard@siteminder.com>

* [stable/falco] rename SYSDIG_BPF_PROBE to FALCO_BPF_PROBE

Signed-off-by: Cameron Attard <cameron.attard@siteminder.com>
Signed-off-by: usamaahmadkhan <usama.ahmad.khan@hotmail.com>
…27e8c6a6284c90f'

Commands run:

(from helm/charts)
git subtree  split --prefix stable/falco/
git co <resulting sha>
git co -b falco_split

(from falcosecurity/contrib)
git subtree add --prefix integrations/helm/ ../charts falco_split

git-subtree-dir: integrations/helm
git-subtree-mainline: da65d70
git-subtree-split: 5ef70d4
Signed-off-by: Spencer Krum <nibz@spencerkrum.com>
@poiana
Contributor

poiana commented May 6, 2020

Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits.

📝 Please follow instructions in the contributing guide to update your commits with the DCO

Full details of the Developer Certificate of Origin can be found at developercertificate.org.

The list of commits missing DCO signoff:

  • b1c5009 [stable/falco] Add Falco chart (#5853)
  • 53cb7ac [stable/falco] Fix some small typos (#6455)
  • 8acbdbb [stable/falco] Add Falco NATS output integration (#6600)
  • aa4f17c Update falco_rules.yaml file to use same rules that Falco 0.11.1 (#7059)
  • e19e9d1 [stable/falco] Enable eBPF support for Sysdig Falco helm chart (#7191)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@poiana
Contributor

poiana commented May 6, 2020

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign maxgio92
You can assign the PR to them by writing /assign @maxgio92 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana requested review from krisnova and leogr May 6, 2020 22:37
@poiana
Contributor

poiana commented May 6, 2020

@nibalizer: There is not a label identifying the kind of this PR.
Please specify it either using /kind <group> or manually from the side menu.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@poiana
Contributor

poiana commented May 6, 2020

Welcome @nibalizer! It looks like this is your first PR to falcosecurity/contrib 🎉

@poiana poiana added the size/XXL label May 6, 2020
@nibalizer
Contributor Author

/kind wip

@nibalizer
Contributor Author

This is pulled from https://github.com/helm/charts which is Apache 2.0. License.

Re Poiana above: there are six commits it detected without DCO signoff. I believe none of these are a cause for concern. Five are from @nestorsalceda and one is extremely trivial.

helm/charts#5853 (nestor)
helm/charts#6455 (trivial)
helm/charts#6600 (nestor)
helm/charts#7059 (nestor)
helm/charts#7191 (nestor)

@leogr leogr changed the title Add helm chart wip: add helm chart May 7, 2020
@leogr
Member

leogr commented May 7, 2020

> Before it does anything it will also need us to make a helm-chart index/repository (static site with a specific file) and a PR into helm/hub to light that up

Then we also need to update the documentation on our website

@leodido
Member

leodido commented May 9, 2020

Sign-off can be also added from other people (just rebase and edit those commits) if @nestorsalceda does not mind :)

@@ -0,0 +1,6 @@
approvers:
- bencer
- nestorsalceda
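Review bot: the `approvers:` list in this hunk names nestorsalceda, who according to the review comments below cannot currently dedicate effort to the chart; drop him from `approvers:` (he can stay as a reviewer, as the thread suggests) and add the people who have volunteered to maintain it, such as nibalizer. Note also that the hunk header says six lines were added but only three are visible here, so check the full OWNERS file for a `reviewers:` section before deciding where each name belongs.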
Member

It seems @nestorsalceda can't dedicate effort to this atm (sadly) (comment here).

So we should remove him from here, but I strongly think he should be left as a reviewer since he's the author of the Helm.

Member

Also, in this file we should add other people that expressed the will to maintain and evolve it. Ie., @nibalizer

@leodido leodido left a comment

Left a comment regarding the OWNERS file, the remaining YAML is killing me 😃

@leogr leogr left a comment

Left a comment regarding the /host/etc mount. I think we have to fix it.

integrations/helm/templates/daemonset.yaml (comment resolved)
@nibalizer
Contributor Author

I can incorporate. Are we thinking this goes in contrib or into its own repo?

@leogr
Member

leogr commented May 14, 2020

> I can incorporate. Are we thinking this goes in contrib or into its own repo?

Not sure. We should also think about how to migrate the current chart from the helm repo to here. Do you have a plan already?

@nibalizer
Contributor Author

Seems like this should go in the charts repo

@krisnova
Contributor

Hey - overall this PR looks great - let's get it merged.

Can we PR this change to https://github.com/falcosecurity/charts? I just set that repo up and we can begin hosting the charts there. Especially once the unix socket work goes into play :)

@nibalizer
Contributor Author

Moved to falcosecurity/charts#1

@nibalizer nibalizer closed this May 18, 2020