Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Falco setup is broken for GKE 1.18 #2

Closed
ramshazar opened this issue May 14, 2021 · 1 comment
Closed

Falco setup is broken for GKE 1.18 #2

ramshazar opened this issue May 14, 2021 · 1 comment

Comments

@ramshazar
Copy link

Hi folks,

On May 4th 2021 Google updated the default version of the stable channel of GKE to version 1.18.17-gke.100.

This breaks the setup of falco as described in "Scenario 1 Defense"

`kubectl logs -n falco $(kubectl get pod -n falco -l app=falco -o=name) -f

  • Setting up /usr/src links from host
  • Mounting debugfs
    Found kernel config at /proc/config.gz
  • COS detected (build 13310.1209.12), using cos kernel headers...
  • Downloading https://storage.googleapis.com/cos-tools/13310.1209.12/kernel-headers.tgz
  • Extracting kernel sources
  • Configuring kernel
  • Trying to compile BPF probe falco-probe-bpf (falco-probe-bpf-0.17.1-x86_64-5.4.89+-6735ed26366864a54a2aaf3bbad46268.o)
    In file included from /usr/src/falco-0.17.1/bpf/probe.c:13:
    In file included from ./include/linux/sched.h:14:
    In file included from ./include/linux/pid.h:5:
    In file included from ./include/linux/rculist.h:11:
    In file included from ./include/linux/rcupdate.h:26:
    In file included from ./include/linux/irqflags.h:16:
    In file included from ./arch/x86/include/asm/irqflags.h:9:
    In file included from ./arch/x86/include/asm/nospec-branch.h:6:
    In file included from ./include/linux/static_key.h:1:
    ./include/linux/jump_label.h:278:2: error: expected '(' after 'asm'
    STATIC_KEY_CHECK_USE(key);
    ^
    ./include/linux/jump_label.h:81:35: note: expanded from macro 'STATIC_KEY_CHECK_USE'
    #define STATIC_KEY_CHECK_USE(key) WARN(!static_key_initialized,
    ^
    ./include/asm-generic/bug.h:124:3: note: expanded from macro 'WARN'
    __WARN_printf(TAINT_WARN, format);
    ^
    ./include/asm-generic/bug.h:93:3: note: expanded from macro '__WARN_printf'
    __WARN_FLAGS(BUGFLAG_NO_CUT_HERE | BUGFLAG_TAINT(taint));
    ^
    ./arch/x86/include/asm/bug.h:79:2: note: expanded from macro '__WARN_FLAGS'
    _BUG_FLAGS(ASM_UD2, BUGFLAG_WARNING|(flags));
    ^
    ./arch/x86/include/asm/bug.h:35:2: note: expanded from macro '_BUG_FLAGS'
    asm_inline volatile("1:\t" ins "\n"
    ^
    ./include/linux/compiler_types.h:210:24: note: expanded from macro 'asm_inline'`

If I create a cluster with '--cluster-version="1.17.17-gke.3700" --node-version="1.17.17-gke.3700"' instead of '--release-channel "stable"' the setup still works.
I will try to find out what causes the problem here and to create a PR for it, but I am unsure when I will have the time to do so.
I opened the issue to potentially let others know that they are not alone.

Workaround:
Edit setup.sh and use '--cluster-version="1.17.17-gke.3700" --node-version="1.17.17-gke.3700"' instead of '--release-channel "stable"'.
@ramshazar
Copy link
Author

This issue has been fixed by @bgeesaman with this commit
securekubernetes/securekubernetes@a357c17
This issue can be closed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ramshazar @bgeesaman