Try Falco on Kubernetes - k3d instead of k3s directly in quickstart on kubernetes

[gsfd2000]

/area documentation
https://falco.org/docs/getting-started/falco-kubernetes-quickstart/

What would you like to be added:
I dont success in getting this running with k3d instead of k3s,
using v1.26.2-k3s1 k3d cluster,

using helm chart, only parameter applied: kind.driver: ebpf
using virtualbox bento/ubuntu-22.04 as in example
always issue that ebpf probe cannot be generated due to missing target identifier? Does it get lost due to the docker layer on top of the VM? pls create also a scenario with k3d working, that would be awesome

error:
vagrant@b-ubuntu-08202023:~$ kubectl logs falco-bmsgr -n falco falco-driver-loader

• Setting up /usr/src links from host
• Running falco-driver-loader for: falco version=0.35.1, driver version=5.0.1+driver, arch=x86_64, kernel release=5.15.0-79-generic, kernel version=86
• Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
• Mounting debugfs
  mount: /sys/kernel/debug: permission denied.
• Filename 'falco__5.15.0-79-generic_86.o' is composed of:

• driver name: falco
• target identifier:
• kernel release: 5.15.0-79-generic
• kernel version: 86

• Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/5.0.1%2Bdriver/x86_64/falco__5.15.0-79-generic_86.o
  curl: (22) The requested URL returned error: 404
  Unable to find a prebuilt falco eBPF probe
• Trying to compile the eBPF probe (falco__5.15.0-79-generic_86.o)
  expr: syntax error: unexpected argument '1'
  make[1]: *** /lib/modules/5.15.0-79-generic/build: No such file or directory. Stop.
  make: *** [Makefile:38: all] Error 2
  mv: cannot stat '/usr/src/falco-5.0.1+driver/bpf/probe.o': No such file or directory
  Unable to load the falco eBPF probe

Why is this needed:
would be great to have the scenario running on k3d instead of k3s, gives more flexibiltiy and speed for testing different scenarios on one vm

Thx

[gsfd2000]

anyone any idea how to get falco working easily on virtualbox with ubuntu and then using k3d? Would really be helpful to understand what needs to be changed in configuration to get falco working on k3d test clusters.

[mikegcoleman]

@gsfd2000 The quickstart is not meant to be a comprehensive guide to getting Falco running on Kubernetes, so we only chose one platform that we know that folks can use for Windows, Linux, and Mac.

Because of this, providing instructions on K3D and the eBPF probe are out of scope for the Quickstart.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

@gsfd2000 sorry for the late answer, actually yes, there is an easy way to run Falco on K3D. I tried the following:

1. Install K3D using the official script https://k3d.io/v5.6.0/#install-current-latest-release. More in detail I used K3D 5.6.0

   wget -q -O - https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.6.0 bash
   

2. Create a simple K3D cluster k3d cluster create mycluster

   ❯ kubectl get nodes -o wide
   NAME                     STATUS   ROLES                  AGE   VERSION        INTERNAL-IP   EXTERNAL-IP   OS-IMAGE   KERNEL-VERSION     CONTAINER-RUNTIME
   k3d-mycluster-server-0   Ready    control-plane,master   9m    v1.27.4+k3s1   172.20.0.2    <none>        K3s dev    6.2.0-39-generic   containerd://1.7.1-k3s1
   

3. Deploy Falco 0.36.2 with the latest helm chart, using the following params

    helm install falco falcosecurity/falco \
       --set driver.kind=modern-bpf \
       --set tty=true \

As you can see, you need to use the modern-bpf driver instead of the legacy one. The only requirement is the kernel version of the underlying machine used to deploy the K3D cluster, in my example I used Ubuntu 22.04 with kernel 6.2.0-39-generic but every kernel version >=5.8 should be enough!

@mikegcoleman @pmusa K3D should be supported out of the box with the modern bpf, it really depends on the underlying running machine. Maybe we should use the modern bpf as the default deployment method and just highlight that all scenarios in docker like K3D, KinD, ... are supported out of the box with the only constraint of a kernel version >= 5.8

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[poiana]

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

[poiana]

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.