From 8d33e902f5e3a72b50929f3f5cc5ce9ce424b29d Mon Sep 17 00:00:00 2001 
From: Pavan Gunda Date: Tue, 14 Jan 2025 10:43:47 +0100 Subject: [PATCH] apps: upgrade falco helm chart to v4.17.0 with appversion v0.39.2 --- .../upstream/falcosecurity/falco/CHANGELOG.md | 111 + .../upstream/falcosecurity/falco/Chart.lock | 6 +- .../upstream/falcosecurity/falco/Chart.yaml | 6 +- .../falcosecurity/falco/README.gotmpl | 4 +- .../upstream/falcosecurity/falco/README.md | 35 +- .../falco/charts/falcosidekick/CHANGELOG.md | 24 + .../falco/charts/falcosidekick/Chart.yaml | 4 +- .../falco/charts/falcosidekick/README.md | 45 +- .../falcosidekick/templates/configmap-ui.yaml | 46 + .../templates/deployment-ui.yaml | 47 +- .../templates/prometheusrule.yaml | 10 +- .../falcosidekick/templates/secrets-ui.yaml | 8 +- .../falcosidekick/templates/secrets.yaml | 75 +- .../falcosidekick/templates/service-ui.yaml | 4 +- .../falco/charts/falcosidekick/values.yaml | 80 +- .../falco/dashboards/falco-dashboard.json | 2631 +++++++++++++++++ .../falco/templates/_helpers.tpl | 7 +- .../templates/falco-dashboard-grafana.yaml | 22 + .../falco/templates/pod-template.tpl | 28 +- .../falco/templates/service.yaml | 7 + .../falco/templates/serviceMonitor.yaml | 3 + .../falco/tests/unit/chartInfo.go | 34 + .../falco/tests/unit/driverLoader_test.go | 73 + .../tests/unit/grafanaDashboards_test.go | 144 + .../unit/k8smetacollectorDependency_test.go | 89 +- .../falco/tests/unit/metricsConfig_test.go | 51 +- .../tests/unit/serviceMonitorTemplate_test.go | 68 +- .../falco/tests/unit/serviceTemplate_test.go | 178 ++ .../falcosecurity/falco/values-k8saudit.yaml | 5 +- .../falco/values-syscall-k8saudit.yaml | 4 +- .../upstream/falcosecurity/falco/values.yaml | 111 +- helmfile.d/upstream/index.yaml | 2 +- 32 files changed, 3815 insertions(+), 147 deletions(-) create mode 100644 helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/configmap-ui.yaml create mode 100644 helmfile.d/upstream/falcosecurity/falco/dashboards/falco-dashboard.json create mode 100644 
helmfile.d/upstream/falcosecurity/falco/templates/falco-dashboard-grafana.yaml
create mode 100644 helmfile.d/upstream/falcosecurity/falco/tests/unit/chartInfo.go
create mode 100644 helmfile.d/upstream/falcosecurity/falco/tests/unit/grafanaDashboards_test.go
create mode 100644 helmfile.d/upstream/falcosecurity/falco/tests/unit/serviceTemplate_test.go
diff --git a/helmfile.d/upstream/falcosecurity/falco/CHANGELOG.md b/helmfile.d/upstream/falcosecurity/falco/CHANGELOG.md
index 1a8a605d8..9ca813aa4 100644
--- a/helmfile.d/upstream/falcosecurity/falco/CHANGELOG.md
+++ b/helmfile.d/upstream/falcosecurity/falco/CHANGELOG.md
@@ -3,6 +3,117 @@ This file documents all notable changes to Falco Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v4.17.0 + +* update(falco): bump k8saudit version to 0.11 + +## v4.16.2 + +* fix(falco): set dnsPolicy to ClusterFirstWithHostNet when gvisor driver is enabled to prevent DNS lookup failures for cluster-internal services + +## v4.16.1 + +* fix(falco/serviceMonitor): set service label selector +* new(falco/tests): add unit tests for serviceMonitor label selector + +## v4.16.0 + +* bump falcosidekick dependency to v0.9.* to match with future versions + +## v4.15.1 + +* fix: change the url for the concurrent queue classes docs + +## v4.15.0 + +* update(falco): bump falco version to 0.39.2 and falcoctl to 0.10.1 + +## v4.14.2 + +* fix(falco/readme): use `rules_files` instead of deprecated `rules_file` in README config snippet + +## v4.14.1 + +* fix(falco/dashboard): make pod variable independent of triggered rules. CPU and memory are now visible for each + pod, even when no rules have been triggered for that falco instance. + +## v4.14.0 + +* Bump k8smeta plugin to 0.2.1, see: https://github.com/falcosecurity/plugins/releases/tag/plugins%2Fk8smeta%2Fv0.2.1 + +## v4.13.0 + +* Expose new config entries for k8smeta plugin:`verbosity` and `hostProc`. 
+
+## v4.12.0
+
+* Set apparmor to `unconfined` (disabled) when `leastPrivileged: true` and (`kind: modern_ebpf` or `kind: ebpf`)
+
+## v4.11.2
+
+* only prints env key if there are env values to be passed on `falcoctl.initContainer` and `falcoctl.sidecar`
+
+## v4.11.1
+
+* add details for the scap drops buffer charts with the dir and drops labels
+
+## v4.11.0
+
+* new(falco): add grafana dashboard for falco
+
+## v4.10.0
+
+* Bump Falco to v0.39.1
+
+## v4.9.1
+
+* feat(falco): add labels and annotations to the metrics service
+
+## v4.9.0
+
+* Bump Falco to v0.39.0
+* update(falco): add new configuration entries for Falco
+ This commit adds new config keys introduces in Falco 0.39.0.
+ Furthermore, updates the unit tests for the latest changes
+ in the values.yaml.
+* cleanup(falco): remove deprecated falco configuration
+ This commit removes the "output" config key that has
+ been deprecated in falco.
+* update(falco): mount proc filesystem for plugins
+ The following PR in libs https://github.com/falcosecurity/libs/pull/1969
+ introduces a new platform for plugins that requires access to the
+ proc filesystem.
+* fix(falco): update broken link pointing to Falco docs
+ After the changes made by the following PR to the Falco docs https://github.com/falcosecurity/falco-website/pull/1362
+ this commit updates a broken link.
+
+## v4.8.3
+
+* The init container, when driver.kind=auto, automatically generates
+ a new Falco configuration file and selects the appropriate engine
+ kind based on the environment where Falco is deployed.
+
+ With this commit, along with falcoctl PR #630, the Helm charts now
+ support different driver kinds for Falco instances based on the
+ specific node they are running on. When driver.kind=auto is set,
+ each Falco instance dynamically selects the most suitable
+ driver (e.g., ebpf, kmod, modern_ebpf) for the node.
+ +-------------------------------------------------------+ + | Kubernetes Cluster | + | | + | +-------------------+ +-------------------+ | + | | Node 1 | | Node 2 | | + | | | | | | + | | Falco (ebpf) | | Falco (kmod) | | + | +-------------------+ +-------------------+ | + | | + | +-------------------+ | + | | Node 3 | | + | | | | + | | Falco (modern_ebpf)| | + | +-------------------+ | + +-------------------------------------------------------+ + ## v4.8.2 * fix(falco): correctly mount host filesystems when driver.kind is auto diff --git a/helmfile.d/upstream/falcosecurity/falco/Chart.lock b/helmfile.d/upstream/falcosecurity/falco/Chart.lock index acbbe6eb2..33339581e 100644 --- a/helmfile.d/upstream/falcosecurity/falco/Chart.lock +++ b/helmfile.d/upstream/falcosecurity/falco/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: falcosidekick repository: https://falcosecurity.github.io/charts - version: 0.8.5 + version: 0.9.1 - name: k8s-metacollector repository: https://falcosecurity.github.io/charts version: 0.1.10 -digest: sha256:d73d0fdbe32a9efabcc18d232be2d34bfdb94d11a5226e371fc487abced793c6 -generated: "2024-09-11T11:34:49.177430665Z" +digest: sha256:c5f0af8564b33aa403b93c9ea7ddaaec78ef7ccdef8cd4db79819a8a04b0a8c9 +generated: "2024-12-12T10:54:08.873839271Z" diff --git a/helmfile.d/upstream/falcosecurity/falco/Chart.yaml b/helmfile.d/upstream/falcosecurity/falco/Chart.yaml index 39b68c224..d1892abc7 100644 --- a/helmfile.d/upstream/falcosecurity/falco/Chart.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/Chart.yaml @@ -1,10 +1,10 @@ apiVersion: v2 -appVersion: 0.38.2 +appVersion: 0.39.2 dependencies: - condition: falcosidekick.enabled name: falcosidekick repository: https://falcosecurity.github.io/charts - version: 0.8.* + version: 0.9.* - condition: collectors.kubernetes.enabled name: k8s-metacollector repository: https://falcosecurity.github.io/charts 
@@ -25,4 +25,4 @@ maintainers: name: falco sources: - https://github.com/falcosecurity/falco -version: 4.8.2 +version: 4.17.0 diff --git a/helmfile.d/upstream/falcosecurity/falco/README.gotmpl b/helmfile.d/upstream/falcosecurity/falco/README.gotmpl index a50c32d0b..d3a471b0d 100644 --- a/helmfile.d/upstream/falcosecurity/falco/README.gotmpl +++ b/helmfile.d/upstream/falcosecurity/falco/README.gotmpl @@ -47,7 +47,7 @@ The cluster in our example has three nodes, one *control-plane* node and two *wo ### Falco, Event Sources and Kubernetes Starting from Falco 0.31.0 the [new plugin system](https://falco.org/docs/plugins/) is stable and production ready. The **plugin system** can be seen as the next step in the evolution of Falco. Historically, Falco monitored system events from the **kernel** trying to detect malicious behaviors on Linux systems. It also had the capability to process k8s Audit Logs to detect suspicious activities in Kubernetes clusters. Since Falco 0.32.0 all the related code to the k8s Audit Logs in Falco was removed and ported in a [plugin](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit). At the time being Falco supports different event sources coming from **plugins** or **drivers** (system events). -Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/third-party/learning/#falco-with-multiple-sources). +Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/learning-environments/#falco-with-multiple-sources). #### About Drivers 
@@ -385,7 +385,7 @@ services: protocol: TCP falco: - rules_file: + rules_files: - /etc/falco/k8s_audit_rules.yaml - /etc/falco/rules.d plugins: diff --git a/helmfile.d/upstream/falcosecurity/falco/README.md b/helmfile.d/upstream/falcosecurity/falco/README.md index 92d8c0136..d47e29f30 100644 --- a/helmfile.d/upstream/falcosecurity/falco/README.md +++ b/helmfile.d/upstream/falcosecurity/falco/README.md 
@@ -47,7 +47,7 @@ The cluster in our example has three nodes, one *control-plane* node and two *wo ### Falco, Event Sources and Kubernetes Starting from Falco 0.31.0 the [new plugin system](https://falco.org/docs/plugins/) is stable and production ready. The **plugin system** can be seen as the next step in the evolution of Falco. Historically, Falco monitored system events from the **kernel** trying to detect malicious behaviors on Linux systems. It also had the capability to process k8s Audit Logs to detect suspicious activities in Kubernetes clusters. Since Falco 0.32.0 all the related code to the k8s Audit Logs in Falco was removed and ported in a [plugin](https://github.com/falcosecurity/plugins/tree/master/plugins/k8saudit). At the time being Falco supports different event sources coming from **plugins** or **drivers** (system events). -Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/third-party/learning/#falco-with-multiple-sources). +Note that **a Falco instance can handle multiple event sources in parallel**. you can deploy Falco leveraging **drivers** for syscall events and at the same time loading **plugins**. A step by step guide on how to deploy Falco with multiple sources can be found [here](https://falco.org/docs/getting-started/learning-environments/#falco-with-multiple-sources). #### About Drivers @@ -383,7 +383,7 @@ services: protocol: TCP falco: - rules_file: + rules_files: - /etc/falco/k8s_audit_rules.yaml - /etc/falco/rules.d plugins: 
@@ -581,7 +581,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek ## Configuration -The following table lists the main configurable parameters of the falco chart v4.8.2 and their default values. See [values.yaml](./values.yaml) for full list. +The following table lists the main configurable parameters of the falco chart v4.17.0 and their default values. See [values.yaml](./values.yaml) for full list. ## Values 
@@ -602,11 +602,11 @@ The following table lists the main configurable parameters of the falco chart v4 | collectors.docker.enabled | bool | `true` | Enable Docker support. | | collectors.docker.socket | string | `"/var/run/docker.sock"` | The path of the Docker daemon socket. | | collectors.enabled | bool | `true` | Enable/disable all the metadata collectors. | -| collectors.kubernetes | object | `{"collectorHostname":"","collectorPort":"","enabled":false,"pluginRef":"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.0"}` | kubernetes holds the configuration for the kubernetes collector. Starting from version 0.37.0 of Falco, the legacy kubernetes client has been removed. A new standalone component named k8s-metacollector and a Falco plugin have been developed to solve the issues that were present in the old implementation. More info here: https://github.com/falcosecurity/falco/issues/2973 | +| collectors.kubernetes | object | `{"collectorHostname":"","collectorPort":"","enabled":false,"hostProc":"/host","pluginRef":"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1","verbosity":"info"}` | kubernetes holds the configuration for the kubernetes collector. Starting from version 0.37.0 of Falco, the legacy kubernetes client has been removed. A new standalone component named k8s-metacollector and a Falco plugin have been developed to solve the issues that were present in the old implementation. More info here: https://github.com/falcosecurity/falco/issues/2973 | | collectors.kubernetes.collectorHostname | string | `""` | collectorHostname is the address of the k8s-metacollector. When not specified it will be set to match k8s-metacollector service. e.x: falco-k8smetacollecto.falco.svc. If for any reason you need to override it, make sure to set here the address of the k8s-metacollector. It is used by the k8smeta plugin to connect to the k8s-metacollector. 
| | collectors.kubernetes.collectorPort | string | `""` | collectorPort designates the port on which the k8s-metacollector gRPC service listens. If not specified the value of the port named `broker-grpc` in k8s-metacollector.service.ports is used. The default values is 45000. It is used by the k8smeta plugin to connect to the k8s-metacollector. | | collectors.kubernetes.enabled | bool | `false` | enabled specifies whether the Kubernetes metadata should be collected using the k8smeta plugin and the k8s-metacollector component. It will deploy the k8s-metacollector external component that fetches Kubernetes metadata and pushes them to Falco instances. For more info see: https://github.com/falcosecurity/k8s-metacollector https://github.com/falcosecurity/charts/tree/master/charts/k8s-metacollector When this option is disabled, Falco falls back to the container annotations to grab the metadata. In such a case, only the ID, name, namespace, labels of the pod will be available. | -| collectors.kubernetes.pluginRef | string | `"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.0"` | pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0. | +| collectors.kubernetes.pluginRef | string | `"ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1"` | pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0. | | containerSecurityContext | object | `{}` | Set securityContext for the Falco container.For more info see the "falco.securityContext" helper in "pod-template.tpl" | | controller.annotations | object | `{}` | | | controller.daemonset.updateStrategy.type | string | `"RollingUpdate"` | Perform rolling updates by default in the DaemonSet agent ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ | 
@@ -646,6 +646,7 @@ The following table lists the main configurable parameters of the falco chart v4 | extra.args | list | `[]` | Extra command-line arguments. | | extra.env | list | `[]` | Extra environment variables that will be pass onto Falco containers. | | extra.initContainers | list | `[]` | Additional initContainers for Falco pods. | +| falco.append_output | list | `[]` | | | falco.base_syscalls | object | `{"custom_set":[],"repair":false}` | - [Suggestions] NOTE: setting `base_syscalls.repair: true` automates the following suggestions for you. These suggestions are subject to change as Falco and its state engine evolve. For execve* events: Some Falco fields for an execve* syscall are retrieved from the associated `clone`, `clone3`, `fork`, `vfork` syscalls when spawning a new process. The `close` syscall is used to purge file descriptors from Falco's internal thread / process cache table and is necessary for rules relating to file descriptors (e.g. open, openat, openat2, socket, connect, accept, accept4 ... and many more) Consider enabling the following syscalls in `base_syscalls.custom_set` for process rules: [clone, clone3, fork, vfork, execve, execveat, close] For networking related events: While you can log `connect` or `accept*` syscalls without the socket syscall, the log will not contain the ip tuples. Additionally, for `listen` and `accept*` syscalls, the `bind` syscall is also necessary. We recommend the following as the minimum set for networking-related rules: [clone, clone3, fork, vfork, execve, execveat, close, socket, bind, getsockopt] Lastly, for tracking the correct `uid`, `gid` or `sid`, `pgid` of a process when the running process opens a file or makes a network connection, consider adding the following to the above recommended syscall sets: ... setresuid, setsid, setuid, setgid, setpgid, setresgid, setsid, capset, chdir, chroot, fchdir ... 
| | falco.buffered_outputs | bool | `false` | Enabling buffering for the output queue can offer performance optimization, efficient resource usage, and smoother data flow, resulting in a more reliable output mechanism. By default, buffering is disabled (false). | | falco.config_files[0] | string | `"/etc/falco/config.d"` | | @@ -665,6 +666,7 @@ The following table lists the main configurable parameters of the falco chart v4 | falco.http_output.insecure | bool | `false` | Tell Falco to not verify the remote server. | | falco.http_output.keep_alive | bool | `false` | keep_alive whether to keep alive the connection. | | falco.http_output.mtls | bool | `false` | Tell Falco to use mTLS | +| falco.json_include_message_property | bool | `false` | | | falco.json_include_output_property | bool | `true` | When using JSON output in Falco, you have the option to include the "output" property itself in the generated JSON output. The "output" property provides additional information about the purpose of the rule. To reduce the logging volume, it is recommended to turn it off if it's not necessary for your use case. | | falco.json_include_tags_property | bool | `true` | When using JSON output in Falco, you have the option to include the "tags" field of the rules in the generated JSON output. The "tags" field provides additional metadata associated with the rule. To reduce the logging volume, if the tags associated with the rule are not needed for your use case or can be added at a later stage, it is recommended to turn it off. | | falco.json_output | bool | `false` | When enabled, Falco will output alert messages and rules file loading/validation results in JSON format, making it easier for downstream programs to process and consume the data. By default, this option is disabled. | 
@@ -673,10 +675,9 @@ The following table lists the main configurable parameters of the falco chart v4 | falco.log_level | string | `"info"` | The `log_level` setting determines the minimum log level to include in Falco's logs related to the functioning of the software. This setting is separate from the `priority` field of rules and specifically controls the log level of Falco's operational logging. By specifying a log level, you can control the verbosity of Falco's operational logs. Only logs of a certain severity level or higher will be emitted. Supported levels: "emergency", "alert", "critical", "error", "warning", "notice", "info", "debug". | | falco.log_stderr | bool | `true` | Send information logs to stderr. Note these are *not* security notification logs! These are just Falco lifecycle (and possibly error) logs. | | falco.log_syslog | bool | `true` | Send information logs to syslog. Note these are *not* security notification logs! These are just Falco lifecycle (and possibly error) logs. | -| falco.metrics | object | `{"convert_memory_to_mb":true,"enabled":false,"include_empty_values":false,"interval":"1h","kernel_event_counters_enabled":true,"libbpf_stats_enabled":true,"output_rule":true,"resource_utilization_enabled":true,"rules_counters_enabled":true,"state_counters_enabled":true}` | - [Usage] `enabled`: Disabled by default. `interval`: The stats interval in Falco follows the time duration definitions used by Prometheus. https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations Time durations are specified as a number, followed immediately by one of the following units: ms - millisecond s - second m - minute h - hour d - day - assuming a day has always 24h w - week - assuming a week has always 7d y - year - assuming a year has always 365d Example of a valid time duration: 1h30m20s10ms A minimum interval of 100ms is enforced for metric collection. 
However, for production environments, we recommend selecting one of the following intervals for optimal monitoring: 15m 30m 1h 4h 6h `output_rule`: To enable seamless metrics and performance monitoring, we recommend emitting metrics as the rule "Falco internal: metrics snapshot". This option is particularly useful when Falco logs are preserved in a data lake. Please note that to use this option, the Falco rules config `priority` must be set to `info` at a minimum. `output_file`: Append stats to a `jsonl` file. Use with caution in production as Falco does not automatically rotate the file. `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. `rules_counters_enabled`: Emit counts for each rule. `resource_utilization_enabled`: Emit CPU and memory usage metrics. 
CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. `state_counters_enabled`: Emit counters related to Falco's state engine, including added, removed threads or file descriptors (fds), and failed lookup, store, or retrieve actions in relation to Falco's underlying process cache table (threadtable). We also log the number of currently cached containers if applicable. `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as an alternative to `syscall_event_drops`, but with some differences. These counters reflect monotonic values since Falco's start and are exported at a constant stats interval. `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, providing information such as the number of invocations of each BPF program attached by Falco and the time spent in each program measured in nanoseconds. 
To enable this feature, the kernel must be >= 5.1, and the kernel configuration `/proc/sys/kernel/bpf_stats_enabled` must be set. This option, or an equivalent statistics feature, is not available for non `*bpf*` drivers. Additionally, please be aware that the current implementation of `libbpf` does not support granularity of statistics at the bpf tail call level. `include_empty_values`: When the option is set to true, fields with an empty numeric value will be included in the output. However, this rule does not apply to high-level fields such as `n_evts` or `n_drops`; they will always be included in the output even if their value is empty. This option can be beneficial for exploring the data schema and ensuring that fields with empty values are included in the output. todo: prometheus export option todo: syscall_counters_enabled option | +| falco.metrics | object | `{"convert_memory_to_mb":true,"enabled":false,"include_empty_values":false,"interval":"1h","kernel_event_counters_enabled":true,"kernel_event_counters_per_cpu_enabled":false,"libbpf_stats_enabled":true,"output_rule":true,"resource_utilization_enabled":true,"rules_counters_enabled":true,"state_counters_enabled":true}` | - [Usage] `enabled`: Disabled by default. `interval`: The stats interval in Falco follows the time duration definitions used by Prometheus. https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations Time durations are specified as a number, followed immediately by one of the following units: ms - millisecond s - second m - minute h - hour d - day - assuming a day has always 24h w - week - assuming a week has always 7d y - year - assuming a year has always 365d Example of a valid time duration: 1h30m20s10ms A minimum interval of 100ms is enforced for metric collection. 
However, for production environments, we recommend selecting one of the following intervals for optimal monitoring: 15m 30m 1h 4h 6h `output_rule`: To enable seamless metrics and performance monitoring, we recommend emitting metrics as the rule "Falco internal: metrics snapshot". This option is particularly useful when Falco logs are preserved in a data lake. Please note that to use this option, the Falco rules config `priority` must be set to `info` at a minimum. `output_file`: Append stats to a `jsonl` file. Use with caution in production as Falco does not automatically rotate the file. `resource_utilization_enabled`: Emit CPU and memory usage metrics. CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. `rules_counters_enabled`: Emit counts for each rule. `resource_utilization_enabled`: Emit CPU and memory usage metrics. 
CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. `state_counters_enabled`: Emit counters related to Falco's state engine, including added, removed threads or file descriptors (fds), and failed lookup, store, or retrieve actions in relation to Falco's underlying process cache table (threadtable). We also log the number of currently cached containers if applicable. `kernel_event_counters_enabled`: Emit kernel side event and drop counters, as an alternative to `syscall_event_drops`, but with some differences. These counters reflect monotonic values since Falco's start and are exported at a constant stats interval. `kernel_event_counters_per_cpu_enabled`: Detailed kernel event and drop counters per CPU. Typically used when debugging and not in production. 
`libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, providing information such as the number of invocations of each BPF program attached by Falco and the time spent in each program measured in nanoseconds. To enable this feature, the kernel must be >= 5.1, and the kernel configuration `/proc/sys/kernel/bpf_stats_enabled` must be set. This option, or an equivalent statistics feature, is not available for non `*bpf*` drivers. Additionally, please be aware that the current implementation of `libbpf` does not support granularity of statistics at the bpf tail call level. `include_empty_values`: When the option is set to true, fields with an empty numeric value will be included in the output. However, this rule does not apply to high-level fields such as `n_evts` or `n_drops`; they will always be included in the output even if their value is empty. This option can be beneficial for exploring the data schema and ensuring that fields with empty values are included in the output. todo: prometheus export option todo: syscall_counters_enabled option | | falco.output_timeout | int | `2000` | The `output_timeout` parameter specifies the duration, in milliseconds, to wait before considering the deadline exceeded. By default, the timeout is set to 2000ms (2 seconds), meaning that the consumer of Falco outputs can block the Falco output channel for up to 2 seconds without triggering a timeout error. Falco actively monitors the performance of output channels. With this setting the timeout error can be logged, but please note that this requires setting Falco's operational logs `log_level` to a minimum of `notice`. It's important to note that Falco outputs will not be discarded from the output queue. This means that if an output channel becomes blocked indefinitely, it indicates a potential issue that needs to be addressed by the user. 
| -| falco.outputs | object | `{"max_burst":1000,"rate":0}` | A throttling mechanism, implemented as a token bucket, can be used to control the rate of Falco outputs. Each event source has its own rate limiter, ensuring that alerts from one source do not affect the throttling of others. The following options control the mechanism: - rate: the number of tokens (i.e. right to send a notification) gained per second. When 0, the throttling mechanism is disabled. Defaults to 0. - max_burst: the maximum number of tokens outstanding. Defaults to 1000. For example, setting the rate to 1 allows Falco to send up to 1000 notifications initially, followed by 1 notification per second. The burst capacity is fully restored after 1000 seconds of no activity. Throttling can be useful in various scenarios, such as preventing notification floods, managing system load, controlling event processing, or complying with rate limits imposed by external systems or APIs. It allows for better resource utilization, avoids overwhelming downstream systems, and helps maintain a balanced and controlled flow of notifications. With the default settings, the throttling mechanism is disabled. | -| falco.outputs_queue | object | `{"capacity":0}` | Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter allows you to customize the queue capacity. Please refer to the official documentation: https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. On a healthy system with optimized Falco rules, the queue should not fill up. If it does, it is most likely happening due to the entire event flow being too slow, indicating that the server is under heavy load. `capacity`: the maximum number of items allowed in the queue is determined by this value. Setting the value to 0 (which is the default) is equivalent to keeping the queue unbounded. 
In other words, when this configuration is set to 0, the number of allowed items is effectively set to the largest possible long value, disabling this setting. In the case of an unbounded queue, if the available memory on the system is consumed, the Falco process would be OOM killed. When using this option and setting the capacity, the current event would be dropped, and the event loop would continue. This behavior mirrors kernel-side event drops when the buffer between kernel space and user space is full. | +| falco.outputs_queue | object | `{"capacity":0}` | Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter allows you to customize the queue capacity. Please refer to the official documentation: https://uxlfoundation.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. On a healthy system with optimized Falco rules, the queue should not fill up. If it does, it is most likely happening due to the entire event flow being too slow, indicating that the server is under heavy load. `capacity`: the maximum number of items allowed in the queue is determined by this value. Setting the value to 0 (which is the default) is equivalent to keeping the queue unbounded. In other words, when this configuration is set to 0, the number of allowed items is effectively set to the largest possible long value, disabling this setting. In the case of an unbounded queue, if the available memory on the system is consumed, the Falco process would be OOM killed. When using this option and setting the capacity, the current event would be dropped, and the event loop would continue. This behavior mirrors kernel-side event drops when the buffer between kernel space and user space is full. 
| | falco.plugins | list | `[{"init_config":null,"library_path":"libk8saudit.so","name":"k8saudit","open_params":"http://:9765/k8s-audit"},{"library_path":"libcloudtrail.so","name":"cloudtrail"},{"init_config":"","library_path":"libjson.so","name":"json"}]` | Customize subsettings for each enabled plugin. These settings will only be applied when the corresponding plugin is enabled using the `load_plugins` option. | | falco.priority | string | `"debug"` | Any rule with a priority level more severe than or equal to the specified minimum level will be loaded and run by Falco. This allows you to filter and control the rules based on their severity, ensuring that only rules of a certain priority or higher are active and evaluated by Falco. Supported levels: "emergency", "alert", "critical", "error", "warning", "notice", "info", "debug" | | falco.program_output | object | `{"enabled":false,"keep_alive":false,"program":"jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"}` | Redirect the output to another program or command. Possible additional things you might want to do with program output: - send to a slack webhook: program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX" - logging (alternate method than syslog): program: logger -t falco-test - send over a network connection: program: nc host.example.com 80 If `keep_alive` is set to `true`, the program will be started once and continuously written to, with each output message on its own line. If `keep_alive` is set to `false`, the program will be re-spawned for each output message. Furthermore, the program will be re-spawned if Falco receives the SIGUSR1 signal. | 
@@ -722,12 +723,20 @@ The following table lists the main configurable parameters of the falco chart v4
 | falcoctl.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy. |
 | falcoctl.image.registry | string | `"docker.io"` | The image registry to pull from. |
 | falcoctl.image.repository | string | `"falcosecurity/falcoctl"` | The image repository to pull from. |
-| falcoctl.image.tag | string | `"0.9.0"` | The image tag to pull. |
+| falcoctl.image.tag | string | `"0.10.1"` | The image tag to pull. |
 | falcosidekick | object | `{"enabled":false,"fullfqdn":false,"listenPort":""}` | For configuration values, see https://github.com/falcosecurity/charts/blob/master/charts/falcosidekick/values.yaml |
 | falcosidekick.enabled | bool | `false` | Enable falcosidekick deployment. |
 | falcosidekick.fullfqdn | bool | `false` | Enable usage of full FQDN of falcosidekick service (useful when a Proxy is used). |
 | falcosidekick.listenPort | string | `""` | Listen port. Default value: 2801 |
 | fullnameOverride | string | `""` | Same as nameOverride but for the fullname. |
+| grafana | object | `{"dashboards":{"configMaps":{"falco":{"folder":"","name":"falco-grafana-dashboard","namespace":""}},"enabled":false}}` | grafana contains the configuration related to grafana. |
+| grafana.dashboards | object | `{"configMaps":{"falco":{"folder":"","name":"falco-grafana-dashboard","namespace":""}},"enabled":false}` | dashboards contains configuration for grafana dashboards. |
+| grafana.dashboards.configMaps | object | `{"falco":{"folder":"","name":"falco-grafana-dashboard","namespace":""}}` | configmaps to be deployed that contain a grafana dashboard. |
+| grafana.dashboards.configMaps.falco | object | `{"folder":"","name":"falco-grafana-dashboard","namespace":""}` | falco contains the configuration for falco's dashboard. |
+| grafana.dashboards.configMaps.falco.folder | string | `""` | folder where the dashboard is stored by grafana. |
+| grafana.dashboards.configMaps.falco.name | string | `"falco-grafana-dashboard"` | name specifies the name for the configmap. |
+| grafana.dashboards.configMaps.falco.namespace | string | `""` | namespace specifies the namespace for the configmap. |
+| grafana.dashboards.enabled | bool | `false` | enabled specifies whether the dashboards should be deployed. |
 | healthChecks | object | `{"livenessProbe":{"initialDelaySeconds":60,"periodSeconds":15,"timeoutSeconds":5},"readinessProbe":{"initialDelaySeconds":30,"periodSeconds":15,"timeoutSeconds":5}}` | Parameters used |
 | healthChecks.livenessProbe.initialDelaySeconds | int | `60` | Tells the kubelet that it should wait X seconds before performing the first probe. |
 | healthChecks.livenessProbe.periodSeconds | int | `15` | Specifies that the kubelet should perform the check every x seconds. |
@@ -740,24 +749,26 @@ The following table lists the main configurable parameters of the falco chart v4
 | image.repository | string | `"falcosecurity/falco-no-driver"` | The image repository to pull from |
 | image.tag | string | `""` | The image tag to pull. Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` | Secrets containing credentials when pulling from private/secure registries. |
-| metrics | object | `{"convertMemoryToMB":true,"enabled":false,"includeEmptyValues":false,"interval":"1h","kernelEventCountersEnabled":true,"libbpfStatsEnabled":true,"outputRule":false,"resourceUtilizationEnabled":true,"rulesCountersEnabled":true,"service":{"create":true,"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"},"stateCountersEnabled":true}` | metrics configures Falco to enable and expose the metrics. |
+| metrics | object | `{"convertMemoryToMB":true,"enabled":false,"includeEmptyValues":false,"interval":"1h","kernelEventCountersEnabled":true,"kernelEventCountersPerCPUEnabled":false,"libbpfStatsEnabled":true,"outputRule":false,"resourceUtilizationEnabled":true,"rulesCountersEnabled":true,"service":{"annotations":{},"create":true,"labels":{},"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"},"stateCountersEnabled":true}` | metrics configures Falco to enable and expose the metrics. |
 | metrics.convertMemoryToMB | bool | `true` | convertMemoryToMB specifies whether the memory should be converted to mb. |
 | metrics.enabled | bool | `false` | enabled specifies whether the metrics should be enabled. |
 | metrics.includeEmptyValues | bool | `false` | includeEmptyValues specifies whether the empty values should be included in the metrics. |
 | metrics.interval | string | `"1h"` | interval is stats interval in Falco follows the time duration definitions used by Prometheus. https://prometheus.io/docs/prometheus/latest/querying/basics/#time-durations Time durations are specified as a number, followed immediately by one of the following units: ms - millisecond s - second m - minute h - hour d - day - assuming a day has always 24h w - week - assuming a week has always 7d y - year - assuming a year has always 365d Example of a valid time duration: 1h30m20s10ms A minimum interval of 100ms is enforced for metric collection. However, for production environments, we recommend selecting one of the following intervals for optimal monitoring: 15m 30m 1h 4h 6h |
+| metrics.kernelEventCountersPerCPUEnabled | bool | `false` | kernelEventCountersPerCPUEnabled specifies whether the event counters per cpu should be enabled. |
 | metrics.libbpfStatsEnabled | bool | `true` | libbpfStatsEnabled exposes statistics similar to `bpftool prog show`, providing information such as the number of invocations of each BPF program attached by Falco and the time spent in each program measured in nanoseconds. To enable this feature, the kernel must be >= 5.1, and the kernel configuration `/proc/sys/kernel/bpf_stats_enabled` must be set. This option, or an equivalent statistics feature, is not available for non `*bpf*` drivers. Additionally, please be aware that the current implementation of `libbpf` does not support granularity of statistics at the bpf tail call level. |
 | metrics.outputRule | bool | `false` | outputRule enables seamless metrics and performance monitoring, we recommend emitting metrics as the rule "Falco internal: metrics snapshot". This option is particularly useful when Falco logs are preserved in a data lake. Please note that to use this option, the Falco rules config `priority` must be set to `info` at a minimum. |
 | metrics.resourceUtilizationEnabled | bool | `true` | resourceUtilizationEnabled`: Emit CPU and memory usage metrics. CPU usage is reported as a percentage of one CPU and can be normalized to the total number of CPUs to determine overall usage. Memory metrics are provided in raw units (`kb` for `RSS`, `PSS` and `VSZ` or `bytes` for `container_memory_used`) and can be uniformly converted to megabytes (MB) using the `convert_memory_to_mb` functionality. In environments such as Kubernetes when deployed as daemonset, it is crucial to track Falco's container memory usage. To customize the path of the memory metric file, you can create an environment variable named `FALCO_CGROUP_MEM_PATH` and set it to the desired file path. By default, Falco uses the file `/sys/fs/cgroup/memory/memory.usage_in_bytes` to monitor container memory usage, which aligns with Kubernetes' `container_memory_working_set_bytes` metric. Finally, we emit the overall host CPU and memory usages, along with the total number of processes and open file descriptors (fds) on the host, obtained from the proc file system unrelated to Falco's monitoring. These metrics help assess Falco's usage in relation to the server's workload intensity. |
 | metrics.rulesCountersEnabled | bool | `true` | rulesCountersEnabled specifies whether the counts for each rule should be emitted. |
-| metrics.service | object | `{"create":true,"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"}` | service exposes the metrics service to be accessed from within the cluster. ref: https://kubernetes.io/docs/concepts/services-networking/service/ |
+| metrics.service | object | `{"annotations":{},"create":true,"labels":{},"ports":{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}},"type":"ClusterIP"}` | service exposes the metrics service to be accessed from within the cluster. ref: https://kubernetes.io/docs/concepts/services-networking/service/ |
+| metrics.service.annotations | object | `{}` | annotations to add to the service. |
 | metrics.service.create | bool | `true` | create specifies whether a service should be created. |
+| metrics.service.labels | object | `{}` | labels to add to the service. |
 | metrics.service.ports | object | `{"metrics":{"port":8765,"protocol":"TCP","targetPort":8765}}` | ports denotes all the ports on which the Service will listen. |
 | metrics.service.ports.metrics | object | `{"port":8765,"protocol":"TCP","targetPort":8765}` | metrics denotes a listening service named "metrics". |
 | metrics.service.ports.metrics.port | int | `8765` | port is the port on which the Service will listen. |
 | metrics.service.ports.metrics.protocol | string | `"TCP"` | protocol specifies the network protocol that the Service should use for the associated port. |
 | metrics.service.ports.metrics.targetPort | int | `8765` | targetPort is the port on which the Pod is listening. |
 | metrics.service.type | string | `"ClusterIP"` | type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible from within the cluster. |
-| mounts.enforceProcMount | bool | `false` | By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). |
 | mounts.volumeMounts | list | `[]` | A list of volumes you want to add to the Falco pods. |
 | mounts.volumes | list | `[]` | A list of volumes you want to add to the Falco pods. |
 | nameOverride | string | `""` | Put here the new name if you want to override the release name used for Falco components. |
diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/CHANGELOG.md b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/CHANGELOG.md
index d7b85f5fe..463da0772 100644
--- a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/CHANGELOG.md
+++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/CHANGELOG.md @@ -5,6 +5,30 @@ numbering uses [semantic versioning](http://semver.org). Before release 0.1.20, the helm chart can be found in `falcosidekick` [repository](https://github.com/falcosecurity/falcosidekick/tree/master/deploy/helm/falcosidekick). +## 0.9.1 + +- Ugrade to Falcosidekick 2.30.0 + +## 0.8.9 + +- Fix customConfig mount path for webui redis + +## 0.8.8 + +- Fix customConfig template for webui redis + +## 0.8.7 + +- Fix securityContext for webui initContainer + +## 0.8.6 + +- Use of `redis-cli` by the initContainer of Falcosidekick-UI to wait til the redis is up and running +- Add the possibility to override the default redis server settings +- Allow to set up a password to use with an external redis +- Fix wrong value used for `OTLP_TRACES_PROTOCOL` env var +- Used names for the priorities in the prometheus rules + ## 0.8.5 - Fix an issue with the by default missing custom CA cert diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/Chart.yaml b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/Chart.yaml index b059fb03e..3aace6852 100644 --- a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/Chart.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -appVersion: 2.29.0 +appVersion: 2.30.0 description: Connect Falco to your ecosystem home: https://github.com/falcosecurity/falcosidekick icon: https://raw.githubusercontent.com/falcosecurity/falcosidekick/master/imgs/falcosidekick_color.png @@ -13,4 +13,4 @@ maintainers: name: falcosidekick sources: - https://github.com/falcosecurity/falcosidekick -version: 0.8.5 +version: 0.9.1 diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/README.md b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/README.md index 598d140c2..44a06de51 100644 
--- a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/README.md
+++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/README.md
@@ -181,7 +181,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.alertmanager.expireafter | string | `""` | if set to a non-zero value, alert expires after that time in seconds (default: 0) |
 | config.alertmanager.extraannotations | string | `""` | comma separated list of annotations composed of a ':' separated name and value that is added to the Alerts. Example: my_annotation_1:my_value_1, my_annotation_1:my_value_2 |
 | config.alertmanager.extralabels | string | `""` | comma separated list of labels composed of a ':' separated name and value that is added to the Alerts. Example: my_label_1:my_value_1, my_label_1:my_value_2 |
-| config.alertmanager.hostport | string | `""` | AlertManager , if not `empty`, AlertManager is *enabled* |
+| config.alertmanager.hostport | string | `""` | Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is enabled |
 | config.alertmanager.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.alertmanager.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) |
 | config.aws.accesskeyid | string | `""` | AWS Access Key Id (optionnal if you use EC2 Instance Profile) |
@@ -236,6 +236,10 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.datadog.apikey | string | `""` | Datadog API Key, if not `empty`, Datadog output is *enabled* |
 | config.datadog.host | string | `""` | Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "" |
 | config.datadog.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
+| config.datadoglogs.apikey | string | `""` | Datadog API Key, if not empty, Datadog Logs output is enabled |
+| config.datadoglogs.host | string | `""` | Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/" |
+| config.datadoglogs.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) |
+| config.datadoglogs.service | string | `""` | The name of the application or service generating the log events. |
 | config.debug | bool | `false` | DEBUG environment variable |
 | config.discord.icon | string | `""` | Discord icon (avatar) |
 | config.discord.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
@@ -247,20 +251,28 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.dynatrace.apiurl | string | `""` | Dynatrace API url, use https://ENVIRONMENTID.live.dynatrace.com/api for Dynatrace SaaS and https://YOURDOMAIN/e/ENVIRONMENTID/api for Dynatrace Managed, more info : https://dt-url.net/ej43qge |
 | config.dynatrace.checkcert | bool | `true` | check if ssl certificate of the output is valid |
 | config.dynatrace.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
+| config.elasticsearch.apikey | string | `""` | Use this APIKey to authenticate to Elasticsearch if the APIKey is not empty (default: "") |
+| config.elasticsearch.batching | object | `{"batchsize":"5242880","enabled":true,"flushinterval":"1s"}` | batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API |
+| config.elasticsearch.batching.batchsize | string | `"5242880"` | batch size in bytes (default: 5 MB) (use string to avoid the conversion into float64 by helm) |
+| config.elasticsearch.batching.enabled | bool | `true` | if true enables batching |
+| config.elasticsearch.batching.flushinterval | string | `"1s"` | batch fush interval (default: 1s) |
 | config.elasticsearch.checkcert | bool | `true` | check if ssl certificate of the output is valid |
 | config.elasticsearch.createindextemplate | bool | `false` | Create an index template (default: false) |
 | config.elasticsearch.customheaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value,key:value" |
+| config.elasticsearch.enablecompression | bool | `false` | if true enables gzip compression for http requests (default: false) |
 | config.elasticsearch.flattenfields | bool | `false` | Replace . by _ to avoid mapping conflicts, force to true if createindextemplate==true (default: false) |
 | config.elasticsearch.hostport | string | `""` | Elasticsearch , if not `empty`, Elasticsearch is *enabled* |
 | config.elasticsearch.index | string | `"falco"` | Elasticsearch index |
+| config.elasticsearch.maxconcurrentrequests | int | `1` | max number of concurrent http requests (default: 1) |
 | config.elasticsearch.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.elasticsearch.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) |
 | config.elasticsearch.numberofreplicas | int | `3` | Number of replicas set by the index template (default: 3) |
 | config.elasticsearch.numberofshards | int | `3` | Number of shards set by the index template (default: 3) |
-| config.elasticsearch.password | string | `""` | use this password to authenticate to Elasticsearch if the password is not empty |
-| config.elasticsearch.suffix | string | `"daily"` | |
+| config.elasticsearch.password | string | `""` | Use this password to authenticate to Elasticsearch if the password is not empty |
+| config.elasticsearch.pipeline | string | `""` | Optional ingest pipeline name |
+| config.elasticsearch.suffix | string | `"daily"` | Date suffix for index rotation : daily, monthly, annually, none |
 | config.elasticsearch.type | string | `"_doc"` | Elasticsearch document type |
-| config.elasticsearch.username | string | `""` | use this username to authenticate to Elasticsearch if the username is not empty |
+| config.elasticsearch.username | string | `""` | Use this username to authenticate to Elasticsearch if the username is not empty |
 | config.existingSecret | string | `""` | Existing secret with configuration |
 | config.extraArgs | list | `[]` | Extra command-line arguments |
 | config.extraEnv | list | `[]` | Extra environment variables |
@@ -411,6 +423,14 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.opsgenie.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.opsgenie.mutualtls | bool | `false` | if true, checkcert flag will be ignored (server cert will always be checked) |
 | config.opsgenie.region | `us` or `eu` | `""` | region of your domain |
+| config.otlp.metrics.checkcert | bool | `true` | Set to false if you want to skip TLS certificate validation (only with https) (default: true) |
+| config.otlp.metrics.endpoint | string | `""` | OTLP endpoint, typically in the form http{s}://{domain or ip}:4318/v1/metrics |
+| config.otlp.metrics.extraattributes | string | `""` | Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields |
+| config.otlp.metrics.extraenvvars | list | `[]` | Extra env vars (override the other settings) (default: "") |
+| config.otlp.metrics.headers | string | `""` | List of headers to apply to all outgoing metrics in the form of "some-key=some-value,other-key=other-value" (default: "") |
+| config.otlp.metrics.minimumpriority | string | `""` | Minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "") |
+| config.otlp.metrics.protocol | string | `"grpc"` | OTLP transport protocol to be used for metrics data; it can be "grpc" or "http/protobuf" (default: "grpc") |
+| config.otlp.metrics.timeout | int | `1000` | OTLP timeout for outgoing metrics in milliseconds (default: "" which uses SDK default: 10000) |
 | config.otlp.traces.checkcert | bool | `true` | check if ssl certificate of the output is valid |
 | config.otlp.traces.duration | int | `1000` | Artificial span duration in milliseconds (default: 1000) |
 | config.otlp.traces.endpoint | string | `""` | OTLP endpoint in the form of http://{domain or ip}:4318/v1/traces, if not empty, OTLP Traces output is enabled |
@@ -419,7 +439,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.otlp.traces.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
 | config.otlp.traces.protocol | string | `""` | OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json) |
 | config.otlp.traces.synced | bool | `false` | Set to true if you want traces to be sent synchronously (default: false) |
-| config.otlp.traces.timeout | string | `""` | OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000) |
+| config.otlp.traces.timeout | int | `1000` | OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000) |
 | config.outputFieldFormat | string | `""` | |
 | config.pagerduty.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.pagerduty.region | string | `"us"` | Pagerduty Region, can be 'us' or 'eu' |
@@ -513,6 +533,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.tekton.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
 | config.telegram.chatid | string | `""` | telegram Identifier of the shared chat |
 | config.telegram.checkcert | bool | `true` | check if ssl certificate of the output is valid |
+| config.telegram.messagethreadid | string | `""` | Telegram individual chats within the group |
 | config.telegram.minimumpriority | string | `""` | minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" |
 | config.telegram.token | string | `""` | telegram bot authentication token |
 | config.templatedfields | string | `""` | a list of escaped comma separated Go templated fields to add to falco events, syntax is "key:template\,key:template" |
@@ -543,6 +564,8 @@ The following table lists the main configurable parameters of the Falcosidekick
 | config.wavefront.flushintervalseconds | int | `1` | Wavefront flush interval in seconds. Defaults to 1 |
 | config.wavefront.metricname | string | `"falco.alert"` | Metric to be created in Wavefront. Defaults to falco.alert |
 | config.wavefront.minimumpriority | string | `"debug"` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
+| config.webex.minimumpriority | string | `""` | minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` |
+| config.webex.webhookurl | string | `""` | Webex WebhookURL, if not empty, Webex output is enabled |
 | config.webhook.address | string | `""` | Webhook address, if not empty, Webhook output is *enabled* |
 | config.webhook.checkcert | bool | `true` | check if ssl certificate of the output is valid |
 | config.webhook.customHeaders | string | `""` | a list of comma separated custom headers to add, syntax is "key:value\,key:value" |
@@ -570,11 +593,11 @@ The following table lists the main configurable parameters of the Falcosidekick
 | extraVolumeMounts | list | `[]` | Extra volume mounts for sidekick deployment |
 | extraVolumes | list | `[]` | Extra volumes for sidekick deployment |
 | fullnameOverride | string | `""` | Override the name |
-| image | object | `{"pullPolicy":"IfNotPresent","registry":"docker.io","repository":"falcosecurity/falcosidekick","tag":"2.29.0"}` | number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) revisionHistoryLimit: 1 |
+| image | object | `{"pullPolicy":"IfNotPresent","registry":"docker.io","repository":"falcosecurity/falcosidekick","tag":"2.30.0"}` | number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10) revisionHistoryLimit: 1 |
 | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | image.registry | string | `"docker.io"` | The image registry to pull from |
 | image.repository | string | `"falcosecurity/falcosidekick"` | The image repository to pull from |
-| image.tag | string | `"2.29.0"` | The image tag to pull |
+| image.tag | string | `"2.30.0"` | The image tag to pull |
 | imagePullSecrets | list | `[]` | Secrets for the registry |
 | ingress.annotations | object | `{}` | Ingress annotations |
 | ingress.enabled | bool | `false` | Whether to create the ingress |
@@ -630,6 +653,7 @@ The following table lists the main configurable parameters of the Falcosidekick
 | webui.enabled | bool | `false` | enable Falcosidekick-UI |
 | webui.existingSecret | string | `""` | Existing secret with configuration |
 | webui.externalRedis.enabled | bool | `false` | Enable or disable the usage of an external Redis. Is mutually exclusive with webui.redis.enabled. |
+| webui.externalRedis.password | string | `""` | Set the password of the external Redis |
 | webui.externalRedis.port | int | `6379` | The port of the external Redis database with RediSearch > v2 |
 | webui.externalRedis.url | string | `""` | The URL of the external Redis database with RediSearch > v2 |
 | webui.image.pullPolicy | string | `"IfNotPresent"` | The web UI image pull policy |
@@ -641,10 +665,10 @@ The following table lists the main configurable parameters of the Falcosidekick | webui.ingress.hosts | list | `[{"host":"falcosidekick-ui.local","paths":[{"path":"/"}]}]` | Web UI ingress hosts configuration | | webui.ingress.ingressClassName | string | `""` | ingress class name | | webui.ingress.tls | list | `[]` | Web UI ingress TLS configuration | -| webui.initContainer | object | `{"image":{"registry":"docker.io","repository":"busybox","tag":1.31},"resources":{},"securityContext":{}}` | Web UI wait-redis initContainer | +| webui.initContainer | object | `{"image":{"registry":"docker.io","repository":"redis/redis-stack","tag":"7.2.0-v11"},"resources":{},"securityContext":{}}` | Web UI wait-redis initContainer | | webui.initContainer.image.registry | string | `"docker.io"` | wait-redis initContainer image registry to pull from | -| webui.initContainer.image.repository | string | `"busybox"` | wait-redis initContainer image repository to pull from | -| webui.initContainer.image.tag | float | `1.31` | wait-redis initContainer image tag to pull | +| webui.initContainer.image.repository | string | `"redis/redis-stack"` | wait-redis initContainer image repository to pull from | +| webui.initContainer.image.tag | string | `"7.2.0-v11"` | wait-redis initContainer image tag to pull | | webui.initContainer.resources | object | `{}` | wait-redis initContainer resources | | webui.initContainer.securityContext | object | `{}` | wait-redis initContainer securityContext | | webui.loglevel | string | `"info"` | Log level ("debug", "info", "warning", "error") | 
@@ -655,6 +679,7 @@ The following table lists the main configurable parameters of the Falcosidekick | webui.priorityClassName | string | `""` | Name of the priority class to be used by the Web UI pods, priority class needs to be created beforehand | | webui.redis.affinity | object | `{}` | Affinity for the Web UI Redis pods | | webui.redis.customAnnotations | object | `{}` | custom annotations to add to all resources | +| webui.redis.customConfig | object | `{}` | List of Custom config overrides for Redis | | webui.redis.customLabels | object | `{}` | custom labels to add to all resources | | webui.redis.enabled | bool | `true` | Is mutually exclusive with webui.externalRedis.enabled | | webui.redis.existingSecret | string | `""` | Existing secret with configuration | diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/configmap-ui.yaml b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/configmap-ui.yaml new file mode 100644 index 000000000..72d84840b --- /dev/null +++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/configmap-ui.yaml 
@@ -0,0 +1,46 @@ +{{- if and (.Values.webui.enabled) (.Values.webui.redis.enabled) -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + namespace: {{ .Release.Namespace }} + labels: + {{- include "falcosidekick.labels" . | nindent 4 }} + app.kubernetes.io/component: ui-redis +data: + {{- if .Values.webui.redis.customConfig }} + redis-stack.conf: |- + {{ range .Values.webui.redis.customConfig }} + {{- . }} + {{ end -}} + {{- end }} + ping-redis.sh: |- + #!/bin/bash + for i in {1..10}; + do + response=$( + timeout -s 3 30 \ + redis-cli \ + {{- if .Values.webui.redis.enabled }} + -h {{ include "falcosidekick.fullname" . }}-ui-redis -p 6379 \ + {{- if .Values.webui.redis.password }} + -a ${REDIS_PASSWORD} \ + {{- end }} + {{- end }} + {{- if .Values.webui.externalRedis.enabled }} + -h {{ .Values.webui.externalRedis.url }} \ + -p {{ .Values.webui.externalRedis.port }} \ + {{- if .Values.webui.externalRedis.password }} + -a ${REDIS_PASSWORD} \ + {{- end }} + {{- end }} + ping + ) + if [ "$response" = "PONG" ]; then + exit 0 + fi + sleep 3 + done + exit 1 +{{- end }} diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/deployment-ui.yaml b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/deployment-ui.yaml index 705e823c4..2ffccbc2f 100644 --- a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/deployment-ui.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/deployment-ui.yaml 
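Review bot: The whole ConfigMap is wrapped in `if and (.Values.webui.enabled) (.Values.webui.redis.enabled)`, so it is never rendered when only `webui.externalRedis.enabled` is set, yet the `scripts` volume added in deployment-ui.yaml (hunk `@@ -138,6 +148,14 @@`) references `…-ui-redis` unconditionally. In that mode the init container would presumably be unable to mount `ping-redis.sh`, and the `externalRedis` branch inside the script is unreachable, since the README calls the two modes mutually exclusive. Gating the file on `{{- if .Values.webui.enabled -}}` alone would cover both modes, as the `redis-stack.conf` key is already guarded by `customConfig`. Separately, `-a ${REDIS_PASSWORD}` is unquoted and puts the password on the `redis-cli` command line; `export REDISCLI_AUTH="${REDIS_PASSWORD}"` before the loop keeps it out of the argument list and tolerates passwords containing spaces or glob characters.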
@@ -59,11 +59,10 @@ spec: initContainers: - name: wait-redis image: "{{ .Values.webui.initContainer.image.registry }}/{{ .Values.webui.initContainer.image.repository }}:{{ .Values.webui.initContainer.image.tag }}" - {{- if .Values.webui.redis.enabled }} - command: ['sh', '-c', 'echo -e "Checking for the availability of the Redis Server"; while ! nc -z {{ include "falcosidekick.fullname" . }}-ui-redis 6379; do sleep 1; done; echo -e "Redis Server has started";'] - {{- else if .Values.webui.externalRedis.enabled }} - command: ['sh', '-c', 'echo -e "Checking for the availability of the Redis Server"; while ! nc -z {{ required "External Redis is enabled. Please set the URL to the database." .Values.webui.externalRedis.url }} {{ .Values.webui.externalRedis.port | default "6379" }}; do sleep 1; done; echo -e "Redis Server has started";'] - {{- end}} + command: + - sh + - -c + - /scripts/ping-redis.sh {{- if .Values.webui.initContainer.resources }} resources: {{- toYaml .Values.webui.initContainer.resources | nindent 12 }} @@ -72,6 +71,17 @@ spec: securityContext: {{- toYaml .Values.webui.initContainer.securityContext | nindent 12}} {{- end }} + volumeMounts: + - name: scripts + mountPath: /scripts/ping-redis.sh + subPath: ping-redis.sh + envFrom: + - secretRef: + name: {{ include "falcosidekick.fullname" . }}-ui + {{- if .Values.webui.existingSecret }} + - secretRef: + name: {{ .Values.webui.existingSecret }} + {{- end }} containers: - name: {{ .Chart.Name }}-ui image: "{{ .Values.webui.image.registry }}/{{ .Values.webui.image.repository }}:{{ .Values.webui.image.tag }}" @@ -138,6 +148,14 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumes: + - name: scripts + configMap: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + defaultMode: 0555 + items: + - key: ping-redis.sh + path: ping-redis.sh {{- if .Values.webui.redis.enabled }} --- apiVersion: apps/v1 
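Review bot: Replacing the inline `nc` command drops the `required "External Redis is enabled. Please set the URL to the database."` guard on `webui.externalRedis.url`, and the new script template in configmap-ui.yaml interpolates the value without any check. An empty URL now renders `-h` with no argument, and the misconfiguration only surfaces when the init container exits 1 after its retries instead of failing at render time. Keeping the guard in the script template, `-h {{ required "External Redis is enabled. Please set the URL to the database." .Values.webui.externalRedis.url }} \`, preserves the earlier fail-fast behaviour. The container spec continues outside this hunk.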
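Review bot: The `envFrom` added to the `wait-redis` init container in hunk `@@ -72,6 +71,17 @@` imports every key of the `…-ui` Secret (and of `webui.existingSecret`) into its environment, although `ping-redis.sh` reads only `REDIS_PASSWORD`. A single `env` entry with `secretKeyRef` narrows what the init image can see, and `optional: true` lets the pod start when no password is configured. The secrets-ui.yaml hunk does not show which Secret receives `REDIS_PASSWORD`, so the `name` below needs confirming; when `existingSecret` is set, the entry would point at that Secret instead.

```yaml
# … unchanged: volumeMounts for /scripts/ping-redis.sh …
env:
  - name: REDIS_PASSWORD
    valueFrom:
      secretKeyRef:
        name: {{ include "falcosidekick.fullname" . }}-ui
        key: REDIS_PASSWORD
        optional: true
```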
@@ -220,11 +238,18 @@ spec: securityContext: {{- toYaml .Values.webui.redis.securityContext | nindent 12 }} {{- end }} - {{- if .Values.webui.redis.storageEnabled }} + {{- if or (.Values.webui.redis.storageEnabled) (.Values.webui.redis.customConfig) }} volumeMounts: + {{- if .Values.webui.redis.storageEnabled }} - name: {{ include "falcosidekick.fullname" . }}-ui-redis-data mountPath: /data {{- end }} + {{- if .Values.webui.redis.customConfig }} + - name: config + mountPath: /redis-stack.conf + subPath: redis-stack.conf + {{- end }} + {{- end }} resources: {{- toYaml .Values.webui.redis.resources | nindent 12 }} {{- with .Values.webui.redis.nodeSelector }} @@ -239,6 +264,16 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{ if .Values.webui.redis.customConfig }} + volumes: + - name: config + configMap: + name: {{ include "falcosidekick.fullname" . }}-ui-redis + defaultMode: 0444 + items: + - key: redis-stack.conf + path: redis-stack.conf + {{ end }} {{- if .Values.webui.redis.storageEnabled }} volumeClaimTemplates: - metadata: diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/prometheusrule.yaml b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/prometheusrule.yaml index 6afe287ad..2862102ac 100644 --- a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/prometheusrule.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/prometheusrule.yaml 
@@ -38,7 +38,7 @@ spec: annotations: summary: Falco is experiencing high rate of warning events description: A high rate of warning events are being detected by Falco - expr: rate(falco_events{priority="4"}[{{ .Values.prometheusRules.alerts.warning.rate_interval }}]) > {{ .Values.prometheusRules.alerts.warning.threshold }} + expr: rate(falco_events{priority="Warning"}[{{ .Values.prometheusRules.alerts.warning.rate_interval }}]) > {{ .Values.prometheusRules.alerts.warning.threshold }} for: 15m labels: severity: warning @@ -48,7 +48,7 @@ spec: annotations: summary: Falco is experiencing high rate of error events description: A high rate of error events are being detected by Falco - expr: rate(falco_events{priority="3"}[{{ .Values.prometheusRules.alerts.error.rate_interval }}]) > {{ .Values.prometheusRules.alerts.error.threshold }} + expr: rate(falco_events{priority="Error"}[{{ .Values.prometheusRules.alerts.error.rate_interval }}]) > {{ .Values.prometheusRules.alerts.error.threshold }} for: 15m labels: severity: warning @@ -58,7 +58,7 @@ spec: annotations: summary: Falco is experiencing high rate of critical events description: A high rate of critical events are being detected by Falco - expr: rate(falco_events{priority="2"}[{{ .Values.prometheusRules.alerts.critical.rate_interval }}]) > {{ .Values.prometheusRules.alerts.critical.threshold }} + expr: rate(falco_events{priority="Critical"}[{{ .Values.prometheusRules.alerts.critical.rate_interval }}]) > {{ .Values.prometheusRules.alerts.critical.threshold }} for: 15m labels: severity: critical 
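Review bot: The new selectors `priority="Warning"`, `"Error"` and `"Critical"` here, and `"Alert"` and `"Emergency"` in the two hunks that follow, are exact case-sensitive matches, and nothing in the rule file records which falcosidekick release emits these label values. If the running exporter labels `falco_events` with the old numeric levels or a different casing, the expressions match no series and the alerts stay silent rather than erroring. A comment above the first rule, such as `# priority values must match the falco_events labels exposed on /metrics by falcosidekick >= <version>`, would make that dependency visible. It is worth confirming the values against the 2.30.0 image this chart now pins.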
@@ -68,7 +68,7 @@ spec: annotations: summary: Falco is experiencing high rate of alert events description: A high rate of alert events are being detected by Falco - expr: rate(falco_events{priority="1"}[{{ .Values.prometheusRules.alerts.alert.rate_interval }}]) > {{ .Values.prometheusRules.alerts.alert.threshold }} + expr: rate(falco_events{priority="Alert"}[{{ .Values.prometheusRules.alerts.alert.rate_interval }}]) > {{ .Values.prometheusRules.alerts.alert.threshold }} for: 5m labels: severity: critical @@ -78,7 +78,7 @@ spec: annotations: summary: Falco is experiencing high rate of emergency events description: A high rate of emergency events are being detected by Falco - expr: rate(falco_events{priority="0"}[{{ .Values.prometheusRules.alerts.emergency.rate_interval }}]) > {{ .Values.prometheusRules.alerts.emergency.threshold }} + expr: rate(falco_events{priority="Emergency"}[{{ .Values.prometheusRules.alerts.emergency.rate_interval }}]) > {{ .Values.prometheusRules.alerts.emergency.threshold }} for: 1m labels: severity: critical diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/secrets-ui.yaml b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/secrets-ui.yaml index 49a7bf87d..f201e4115 100644 --- a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/secrets-ui.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/secrets-ui.yaml 
@@ -42,8 +42,12 @@ metadata: {{- end }} type: Opaque data: - {{- if .Values.webui.redis.password }} + {{- if and .Values.webui.redis.enabled .Values.webui.redis.password }} REDIS_ARGS: "{{ printf "--requirepass %s" .Values.webui.redis.password | b64enc}}" + REDIS_PASSWORD: "{{ .Values.webui.redis.password | b64enc }}" + {{- end }} + {{- if and .Values.webui.externalRedis.password .Values.webui.externalRedis.password }} + REDIS_PASSWORD: "{{ .Values.webui.externalRedis.password| b64enc }}" {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/secrets.yaml b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/secrets.yaml index 13c211f75..b82d1f322 100644 --- a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/secrets.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/secrets.yaml @@ -54,11 +54,17 @@ data: TEAMS_ACTIVITYIMAGE: "{{ .Values.config.teams.activityimage | b64enc }}" TEAMS_MINIMUMPRIORITY: "{{ .Values.config.teams.minimumpriority | b64enc }}" - # Datadog Output + # Datadog (Events) Output DATADOG_APIKEY: "{{ .Values.config.datadog.apikey | b64enc }}" DATADOG_HOST: "{{ .Values.config.datadog.host | b64enc }}" DATADOG_MINIMUMPRIORITY: "{{ .Values.config.datadog.minimumpriority | b64enc }}" + # Datadog Logs Output + DATADOGLOGS_APIKEY: "{{ .Values.config.datadoglogs.apikey | b64enc }}" + DATADOGLOGS_HOST: "{{ .Values.config.datadoglogs.host | b64enc }}" + DATADOGLOGS_SERVICE: "{{ .Values.config.datadoglogs.service | b64enc }}" + DATADOGLOGS_MINIMUMPRIORITY: "{{ .Values.config.datadoglogs.minimumpriority | b64enc }}" + # AlertManager Output ALERTMANAGER_HOSTPORT: "{{ .Values.config.alertmanager.hostport | b64enc }}" ALERTMANAGER_ENDPOINT: "{{ .Values.config.alertmanager.endpoint | b64enc }}" 
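Review bot: The condition `and .Values.webui.externalRedis.password .Values.webui.externalRedis.password` tests the same value twice; the block just above pairs `enabled` with `password`, so this was presumably meant to be `{{- if and .Values.webui.externalRedis.enabled .Values.webui.externalRedis.password }}`. As written, a leftover `externalRedis.password` is emitted even when the external Redis is disabled. If `webui.redis.password` is also set, the `data:` map gets two `REDIS_PASSWORD` keys, so which password the init container receives depends on how duplicate keys are resolved. The Secret's metadata and its enclosing conditions are outside the hunk.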
@@ -179,17 +185,24 @@ data: ELASTICSEARCH_HOSTPORT: "{{ .Values.config.elasticsearch.hostport | b64enc }}" ELASTICSEARCH_INDEX: "{{ .Values.config.elasticsearch.index | b64enc }}" ELASTICSEARCH_TYPE: "{{ .Values.config.elasticsearch.type | b64enc }}" + ELASTICSEARCH_PIPELINE: "{{ .Values.config.elasticsearch.pipeline | b64enc }}" ELASTICSEARCH_SUFFIX: "{{ .Values.config.elasticsearch.suffix | b64enc }}" - ELASTICSEARCH_MINIMUMPRIORITY: "{{ .Values.config.elasticsearch.minimumpriority | b64enc }}" - ELASTICSEARCH_MUTUALTLS: "{{ .Values.config.elasticsearch.mutualtls | printf "%t" | b64enc }}" - ELASTICSEARCH_CHECKCERT: "{{ .Values.config.elasticsearch.checkcert | printf "%t" | b64enc }}" + ELASTICSEARCH_APIKEY: "{{ .Values.config.elasticsearch.apikey | b64enc }}" ELASTICSEARCH_USERNAME: "{{ .Values.config.elasticsearch.username | b64enc }}" ELASTICSEARCH_PASSWORD: "{{ .Values.config.elasticsearch.password | b64enc }}" ELASTICSEARCH_FLATTENFIELDS: "{{ .Values.config.elasticsearch.flattenfields | printf "%t" | b64enc }}" ELASTICSEARCH_CREATEINDEXTEMPLATE: "{{ .Values.config.elasticsearch.createindextemplate | printf "%t" | b64enc }}" + ELASTICSEARCH_ENABLECOMPRESSION: "{{ .Values.config.elasticsearch.enablecompression | printf "%t" | b64enc }}" + ELASTICSEARCH_MAXCONCURRENTREQUESTS: "{{ .Values.config.elasticsearch.maxconcurrentrequests | toString | b64enc }}" + ELASTICSEARCH_BATCHING_ENABLED: "{{ .Values.config.elasticsearch.batching.enabled | printf "%t" | b64enc }}" + ELASTICSEARCH_BATCHING_BATCHSIZE: "{{ .Values.config.elasticsearch.batching.batchsize | b64enc }}" + ELASTICSEARCH_BATCHING_FLUSHINTERVAL: "{{ .Values.config.elasticsearch.batching.flushinterval | b64enc }}" ELASTICSEARCH_NUMBEROFSHARDS: "{{ .Values.config.elasticsearch.numberofshards | toString | b64enc }}" ELASTICSEARCH_NUMBEROFREPLICAS: "{{ .Values.config.elasticsearch.numberofreplicas | toString | b64enc }}" ELASTICSEARCH_CUSTOMHEADERS: "{{ .Values.config.elasticsearch.customheaders | b64enc }}" + 
ELASTICSEARCH_MUTUALTLS: "{{ .Values.config.elasticsearch.mutualtls | printf "%t" | b64enc }}" + ELASTICSEARCH_CHECKCERT: "{{ .Values.config.elasticsearch.checkcert | printf "%t" | b64enc }}" + ELASTICSEARCH_MINIMUMPRIORITY: "{{ .Values.config.elasticsearch.minimumpriority | b64enc }}" # Loki Output LOKI_HOSTPORT: "{{ .Values.config.loki.hostport | b64enc }}" @@ -220,11 +233,11 @@ data: STAN_MUTUALTLS: "{{ .Values.config.stan.mutualtls | printf "%t" | b64enc }}" STAN_CHECKCERT: "{{ .Values.config.stan.checkcert | printf "%t" | b64enc }}" - # Statsd + # Statsd Output STATSD_FORWARDER: "{{ .Values.config.statsd.forwarder | b64enc }}" STATSD_NAMESPACE: "{{ .Values.config.statsd.namespace | b64enc }}" - # Dogstatsd + # Dogstatsd Output DOGSTATSD_FORWARDER: "{{ .Values.config.dogstatsd.forwarder | b64enc }}" DOGSTATSD_NAMESPACE: "{{ .Values.config.dogstatsd.namespace | b64enc }}" DOGSTATSD_TAGS: "{{ .Values.config.dogstatsd.tags | b64enc }}" @@ -270,7 +283,7 @@ data: KUBELESS_MUTUALTLS: "{{ .Values.config.kubeless.mutualtls | printf "%t" | b64enc }}" KUBELESS_CHECKCERT: "{{ .Values.config.kubeless.checkcert | printf "%t" | b64enc }}" - # OpenFaaS + # OpenFaaS Output OPENFAAS_GATEWAYNAMESPACE: "{{ .Values.config.openfaas.gatewaynamespace | b64enc }}" OPENFAAS_GATEWAYSERVICE: "{{ .Values.config.openfaas.gatewayservice | b64enc }}" OPENFAAS_FUNCTIONNAME: "{{ .Values.config.openfaas.functionname | b64enc }}" 
@@ -346,14 +359,14 @@ data: KAFKAREST_MUTUALTLS: "{{ .Values.config.kafkarest.mutualtls | printf "%t" | b64enc}}" KAFKAREST_CHECKCERT: "{{ .Values.config.kafkarest.checkcert | printf "%t" | b64enc}}" - # Syslog + # Syslog Output SYSLOG_HOST: "{{ .Values.config.syslog.host | b64enc}}" SYSLOG_PORT: "{{ .Values.config.syslog.port | toString | b64enc}}" SYSLOG_PROTOCOL: "{{ .Values.config.syslog.protocol | b64enc}}" SYSLOG_FORMAT: "{{ .Values.config.syslog.format | b64enc}}" SYSLOG_MINIMUMPRIORITY: "{{ .Values.config.syslog.minimumpriority | b64enc}}" - # Zoho Cliq + # Zoho Cliq Output CLIQ_WEBHOOKURL: "{{ .Values.config.cliq.webhookurl | b64enc}}" CLIQ_ICON: "{{ .Values.config.cliq.icon | b64enc}}" CLIQ_USEEMOJI: "{{ .Values.config.cliq.useemoji | printf "%t" | b64enc}}" @@ -361,14 +374,14 @@ data: CLIQ_MESSAGEFORMAT: "{{ .Values.config.cliq.messageformat | b64enc}}" CLIQ_MINIMUMPRIORITY: "{{ .Values.config.cliq.minimumpriority | b64enc}}" - # Policy Reporter + # Policy Reporter Output POLICYREPORT_ENABLED: "{{ .Values.config.policyreport.enabled | printf "%t"| b64enc}}" POLICYREPORT_KUBECONFIG: "{{ .Values.config.policyreport.kubeconfig | b64enc}}" POLICYREPORT_MAXEVENTS: "{{ .Values.config.policyreport.maxevents | toString | b64enc}}" POLICYREPORT_PRUNEBYPRIORITY: "{{ .Values.config.policyreport.prunebypriority | printf "%t" | b64enc}}" POLICYREPORT_MINIMUMPRIORITY: "{{ .Values.config.policyreport.minimumpriority | b64enc}}" - # Node Red + # Node Red Output NODERED_ADDRESS: "{{ .Values.config.nodered.address | b64enc}}" NODERED_USER: "{{ .Values.config.nodered.user | b64enc}}" NODERED_PASSWORD: "{{ .Values.config.nodered.password | b64enc}}" 
@@ -376,7 +389,7 @@ data: NODERED_CHECKCERT: "{{ .Values.config.nodered.checkcert | printf "%t" | b64enc}}" NODERED_MINIMUMPRIORITY: "{{ .Values.config.nodered.minimumpriority | b64enc}}" - # MQTT + # MQTT Output MQTT_BROKER: "{{ .Values.config.mqtt.broker | b64enc}}" MQTT_TOPIC: "{{ .Values.config.mqtt.topic | b64enc}}" MQTT_QOS: "{{ .Values.config.mqtt.qos | toString | b64enc}}" @@ -386,7 +399,7 @@ data: MQTT_CHECKCERT: "{{ .Values.config.mqtt.checkcert | printf "%t" | b64enc}}" MQTT_MINIMUMPRIORITY: "{{ .Values.config.mqtt.minimumpriority | b64enc}}" - # Zincsearch + # Zincsearch Output ZINCSEARCH_HOSTPORT: "{{ .Values.config.zincsearch.hostport | b64enc}}" ZINCSEARCH_INDEX: "{{ .Values.config.zincsearch.index | b64enc}}" ZINCSEARCH_USERNAME: "{{ .Values.config.zincsearch.username | b64enc}}" @@ -394,19 +407,19 @@ data: ZINCSEARCH_CHECKCERT: "{{ .Values.config.zincsearch.checkcert | printf "%t" | b64enc}}" ZINCSEARCH_MINIMUMPRIORITY: "{{ .Values.config.zincsearch.minimumpriority | b64enc}}" - # Gotify + # Gotify Output GOTIFY_HOSTPORT: "{{ .Values.config.gotify.hostport | b64enc}}" GOTIFY_TOKEN: "{{ .Values.config.gotify.token | b64enc}}" GOTIFY_FORMAT: "{{ .Values.config.gotify.format | b64enc}}" GOTIFY_CHECKCERT: "{{ .Values.config.gotify.checkcert | printf "%t" | b64enc}}" GOTIFY_MINIMUMPRIORITY: "{{ .Values.config.gotify.minimumpriority | b64enc}}" - # Tekton + # Tekton Output TEKTON_EVENTLISTENER: "{{ .Values.config.tekton.eventlistener | b64enc}}" TEKTON_CHECKCERT: "{{ .Values.config.tekton.checkcert | printf "%t" | b64enc}}" TEKTON_MINIMUMPRIORITY: "{{ .Values.config.tekton.minimumpriority | b64enc}}" - # Spyderbat + # Spyderbat Output SPYDERBAT_ORGUID: "{{ .Values.config.spyderbat.orguid | b64enc}}" SPYDERBAT_APIKEY: "{{ .Values.config.spyderbat.apikey | b64enc}}" SPYDERBAT_APIURL: "{{ .Values.config.spyderbat.apiurl | b64enc}}" 
@@ -414,7 +427,7 @@ data: SPYDERBAT_SOURCEDESCRIPTION: "{{ .Values.config.spyderbat.sourcedescription | b64enc}}" SPYDERBAT_MINIMUMPRIORITY: "{{ .Values.config.spyderbat.minimumpriority | b64enc}}" - # TimescaleDB + # TimescaleDB Output TIMESCALEDB_HOST: "{{ .Values.config.timescaledb.host | b64enc}}" TIMESCALEDB_PORT: "{{ .Values.config.timescaledb.port | toString | b64enc}}" TIMESCALEDB_USER: "{{ .Values.config.timescaledb.user | b64enc}}" @@ -434,6 +447,7 @@ data: # TELEGRAM Output TELEGRAM_TOKEN: "{{ .Values.config.telegram.token | b64enc}}" TELEGRAM_CHATID: "{{ .Values.config.telegram.chatid | b64enc}}" + TELEGRAM_MESSAGE_THREAD_ID: "{{ .Values.config.telegram.messagethreadid | b64enc}}" TELEGRAM_MINIMUMPRIORITY: "{{ .Values.config.telegram.minimumpriority | b64enc}}" TELEGRAM_CHECKCERT: "{{ .Values.config.telegram.checkcert | printf "%t" | b64enc}}" 
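Review bot: `TELEGRAM_MESSAGE_THREAD_ID` in hunk `@@ -434,6 +447,7 @@` pipes `.Values.config.telegram.messagethreadid` straight into `b64enc`, which accepts only strings. The values default of `""` renders, but a thread id supplied as a bare number would fail with a template type error. The values.yaml comment for this key could say so, as the `batchsize` comment already does: `# -- Telegram individual chats within the group (quote the id as a string)`.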
@@ -455,23 +469,34 @@ data: OPENOBSERVE_STREAMNAME: "{{ .Values.config.openobserve.streamname | b64enc}}" OPENOBSERVE_MINIMUMPRIORITY: "{{ .Values.config.openobserve.minimumpriority | b64enc}}" - # Dynatrace + # Dynatrace Output DYNATRACE_APITOKEN: "{{ .Values.config.dynatrace.apitoken | b64enc}}" DYNATRACE_APIURL: "{{ .Values.config.dynatrace.apiurl | b64enc}}" DYNATRACE_CHECKCERT: "{{ .Values.config.dynatrace.checkcert | printf "%t" | b64enc}}" DYNATRACE_MINIMUMPRIORITY: "{{ .Values.config.dynatrace.minimumpriority | b64enc}}" - # OTLP Traces + # OTLP Traces Output OTLP_TRACES_ENDPOINT: "{{ .Values.config.otlp.traces.endpoint | b64enc}}" - OTLP_TRACES_PROTOCOL: "{{ .Values.config.otlp.traces.endpoint | b64enc}}" + OTLP_TRACES_PROTOCOL: "{{ .Values.config.otlp.traces.protocol | b64enc}}" OTLP_TRACES_TIMEOUT: "{{ .Values.config.otlp.traces.timeout | toString | b64enc}}" OTLP_TRACES_HEADERS: "{{ .Values.config.otlp.traces.headers | b64enc}}" OTLP_TRACES_SYNCED: "{{ .Values.config.otlp.traces.synced | printf "%t" | b64enc}}" OTLP_TRACES_DURATION: "{{ .Values.config.otlp.traces.duration | toString | b64enc}}" OTLP_TRACES_CHECKCERT: "{{ .Values.config.otlp.traces.checkcert | printf "%t" | b64enc}}" OTLP_TRACES_MINIMUMPRIORITY: "{{ .Values.config.otlp.traces.minimumpriority | b64enc}}" + # OTLP Metrics Output + OTLP_METRICS_ENDPOINT: "{{ .Values.config.otlp.metrics.endpoint | b64enc}}" + OTLP_METRICS_PROTOCOL: "{{ .Values.config.otlp.metrics.protocol | b64enc}}" + OTLP_METRICS_TIMEOUT: "{{ .Values.config.otlp.metrics.timeout | toString | b64enc}}" + OTLP_METRICS_HEADERS: "{{ .Values.config.otlp.metrics.headers | b64enc}}" + OTLP_METRICS_EXTRAATTRIBUTES: "{{ .Values.config.otlp.metrics.extraattributes | b64enc}}" + {{- range $key, $value := .Values.config.otlp.metrics.extraenvvars }} + {{ $key }}: "{{ $value | b64enc }}" + {{- end }} + OTLP_METRICS_CHECKCERT: "{{ .Values.config.otlp.metrics.checkcert | printf "%t" | b64enc}}" + OTLP_METRICS_MINIMUMPRIORITY: "{{ 
.Values.config.otlp.metrics.minimumpriority | b64enc}}" - # Sumologic + # Sumologic Output SUMOLOGIC_RECEIVERURL: "{{ .Values.config.sumologic.receiverURL | b64enc}}" SUMOLOGIC_SOURCECATEGORY: "{{ .Values.config.sumologic.sourceCategory | b64enc}}" SUMOLOGIC_SOURCEHOST: "{{ .Values.config.sumologic.sourceHost | b64enc}}" @@ -479,7 +504,7 @@ data: SUMOLOGIC_CHECKCERT: "{{ .Values.config.sumologic.checkcert | printf "%t" | b64enc}}" SUMOLOGIC_MINIMUMPRIORITY: "{{ .Values.config.sumologic.minimumpriority | b64enc}}" - # Quickwit + # Quickwit Output QUICKWIT_HOSTPORT: "{{ .Values.config.quickwit.hostport | b64enc}}" QUICKWIT_APIENDPOINT: "{{ .Values.config.quickwit.apiendpoint | b64enc}}" QUICKWIT_INDEX: "{{ .Values.config.quickwit.index | b64enc}}" @@ -490,7 +515,11 @@ data: QUICKWIT_MUTUALTLS: "{{ .Values.config.quickwit.mutualtls | printf "%t" | b64enc}}" QUICKWIT_MINIMUMPRIORITY: "{{ .Values.config.quickwit.minimumpriority | b64enc}}" - # Talon + # Webex Output + WEBEX_WEBHOOKURL: "{{ .Values.config.webex.webhookurl | b64enc}}" + WEBEX_MINIMUMPRIORITY: "{{ .Values.config.webex.minimumpriority | b64enc}}" + + # Talon Output TALON_ADDRESS: "{{ .Values.config.talon.address | b64enc}}" TALON_CHECKCERT: "{{ .Values.config.talon.checkcert | printf "%t" | b64enc}}" TALON_MINIMUMPRIORITY: "{{ .Values.config.talon.minimumpriority | b64enc}}" diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/service-ui.yaml b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/service-ui.yaml index ad32cd69a..e7208f791 100644 --- a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/service-ui.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/templates/service-ui.yaml 
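Review bot: The `range $key, $value := .Values.config.otlp.metrics.extraenvvars` loop only works for a map of string values, but values.yaml (hunk `@@ -983,10 +1011,29 @@`) declares `extraenvvars: []` and documents list items such as `- OTEL_EXPORTER_OTLP_METRICS_TIMEOUT: 10000`. Ranging over that list yields the index as `$key` and a map as `$value`, which `b64enc` cannot encode, and the unquoted integer in the example would fail the same way even in map form. Aligning the default with the traces block, `extraenvvars: {}`, and quoting the example values would make the two hunks agree. The keys are written into the Secret verbatim and, per the values comment, override the other settings, so a short comment next to the loop saying so would help whoever reviews downstream values files.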
@@ -22,9 +22,9 @@ spec: type: {{ .Values.webui.service.type }} ports: - port: {{ .Values.webui.service.port }} - {{ if eq .Values.webui.service.type "NodePort" }} + {{- if eq .Values.webui.service.type "NodePort" }} nodePort: {{ .Values.webui.service.nodePort }} - {{ end }} + {{- end }} targetPort: {{ .Values.webui.service.targetPort }} protocol: TCP name: http diff --git a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/values.yaml b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/values.yaml index c148ee729..c76128454 100644 --- a/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/values.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/charts/falcosidekick/values.yaml @@ -14,7 +14,7 @@ image: # -- The image repository to pull from repository: falcosecurity/falcosidekick # -- The image tag to pull - tag: 2.29.0 + tag: 2.30.0 # -- The image pull policy pullPolicy: IfNotPresent 
@@ -240,13 +240,23 @@ config: datadog: # -- Datadog API Key, if not `empty`, Datadog output is *enabled* apikey: "" + # -- Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "" + host: "" # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` minimumpriority: "" - # -- Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "" + + datadoglogs: + # -- Datadog API Key, if not empty, Datadog Logs output is enabled + apikey: "" + # -- Datadog host. Override if you are on the Datadog EU site. Defaults to american site with "https://http-intake.logs.datadoghq.com/" host: "" + # -- The name of the application or service generating the log events. + service: "" + # -- minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default) + minimumpriority: "" alertmanager: - # -- AlertManager , if not `empty`, AlertManager is *enabled* + # -- Comma separated list of http://{domain or ip}:{port} that will all receive the payload, if not empty, Alertmanager output is enabled hostport: "" # -- alertmanager endpoint on which falcosidekick posts alerts, choice is: `"/api/v1/alerts" or "/api/v2/alerts" , default is "/api/v1/alerts"` endpoint: "/api/v1/alerts" 
@@ -276,11 +286,15 @@ config: index: "falco" # -- Elasticsearch document type type: "_doc" - # date suffix for index rotation : daily, monthly, annually, none + # -- Optional ingest pipeline name + pipeline: "" + # -- Date suffix for index rotation : daily, monthly, annually, none suffix: "daily" - # -- use this username to authenticate to Elasticsearch if the username is not empty + # -- Use this APIKey to authenticate to Elasticsearch if the APIKey is not empty (default: "") + apikey: "" + # -- Use this username to authenticate to Elasticsearch if the username is not empty username: "" - # -- use this password to authenticate to Elasticsearch if the password is not empty + # -- Use this password to authenticate to Elasticsearch if the password is not empty password: "" # -- Replace . by _ to avoid mapping conflicts, force to true if createindextemplate==true (default: false) flattenfields: false @@ -296,6 +310,18 @@ config: mutualtls: false # -- check if ssl certificate of the output is valid checkcert: true + # -- if true enables gzip compression for http requests (default: false) + enablecompression: false + # -- max number of concurrent http requests (default: 1) + maxconcurrentrequests: 1 + # -- batching configuration, improves throughput dramatically utilizing _bulk Elasticsearch API + batching: + # -- if true enables batching + enabled: true + # -- batch size in bytes (default: 5 MB) (use string to avoid the conversion into float64 by helm) + batchsize: "5242880" + # -- batch fush interval (default: 1s) + flushinterval: 1s # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` minimumpriority: "" 
@@ -914,6 +940,8 @@ config: token: "" # -- telegram Identifier of the shared chat chatid: "" + # -- Telegram individual chats within the group + messagethreadid: "" # -- check if ssl certificate of the output is valid checkcert: true # -- minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" @@ -972,7 +1000,7 @@ config: # -- OTLP protocol http/json, http/protobuf, grpc (default: "" which uses SDK default: http/json) protocol: "" # -- OTLP timeout: timeout value in milliseconds (default: "" which uses SDK default: 10000) - timeout: "" + timeout: 1000 # -- OTLP headers: list of headers to apply to all outgoing traces in the form of "some-key=some-value,other-key=other-value" (default: "") headers: "" # -- Set to true if you want traces to be sent synchronously (default: false) 
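Review bot: `timeout: 1000` in hunk `@@ -972,7 +1000,7 @@` contradicts the comment directly above it, which still says the default is `""` and defers to the SDK default of 10000 ms; the new `metrics` block in the next hunk repeats the same pairing. The effective export timeout therefore drops to one second without the documentation saying so, and exports to a slow collector may time out where they previously did not. Either keep `timeout: ""` or change the comment to `(default: 1000)` so the value and its description agree.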
@@ -983,10 +1011,29 @@ config: extraenvvars: {} # OTEL_EXPORTER_OTLP_TRACES_TIMEOUT: 10000 # OTEL_EXPORTER_OTLP_TIMEOUT: 10000 + # -- check if ssl certificate of the output is valid + checkcert: true # -- minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" minimumpriority: "" - # -- check if ssl certificate of the output is valid + metrics: + # -- OTLP endpoint, typically in the form http{s}://{domain or ip}:4318/v1/metrics + endpoint: "" + # -- OTLP transport protocol to be used for metrics data; it can be "grpc" or "http/protobuf" (default: "grpc") + protocol: "grpc" + # -- OTLP timeout for outgoing metrics in milliseconds (default: "" which uses SDK default: 10000) + timeout: 1000 + # -- List of headers to apply to all outgoing metrics in the form of "some-key=some-value,other-key=other-value" (default: "") + headers: "" + # -- Extra env vars (override the other settings) (default: "") + extraenvvars: [] + # - OTEL_EXPORTER_OTLP_METRICS_TIMEOUT: 10000 + # - OTEL_EXPORTER_OTLP_TIMEOUT: 10000 + # -- Comma-separated list of fields to use as labels additionally to source, priority, rule, hostname, tags, k8s_ns_name, k8s_pod_name and custom_fields + extraattributes: "" + # -- Set to false if you want to skip TLS certificate validation (only with https) (default: true) checkcert: true + # -- Minimum priority of event for using this output, order is emergency|alert|critical|error|warning|notice|informational|debug or "" (default: "") + minimumpriority: "" sumologic: # -- Sumologic HTTP Source URL, if not empty, Sumologic output is enabled 
@@ -1022,6 +1069,12 @@ config: # -- check if ssl certificate of the output is valid checkcert: true + webex: + # -- Webex WebhookURL, if not empty, Webex output is enabled + webhookurl: "" + # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""` + minimumpriority: "" + talon: # -- Talon address, if not empty, Talon output is enabled address: "" @@ -1143,9 +1196,9 @@ webui: # -- wait-redis initContainer image registry to pull from registry: docker.io # -- wait-redis initContainer image repository to pull from - repository: busybox + repository: redis/redis-stack # -- wait-redis initContainer image tag to pull - tag: 1.31 + tag: "7.2.0-v11" # -- wait-redis initContainer securityContext securityContext: {} # -- wait-redis initContainer resources @@ -1222,6 +1275,8 @@ webui: enabled: false # -- The URL of the external Redis database with RediSearch > v2 url: "" + # -- Set the password of the external Redis + password: "" # -- The port of the external Redis database with RediSearch > v2 port: 6379 redis: @@ -1237,6 +1292,11 @@ webui: # -- The web UI image pull policy pullPolicy: IfNotPresent + # -- List of Custom config overrides for Redis + customConfig: {} + # - maxmemory-policy allkeys-lfu + # - maxmemory 4096mb + # -- Existing secret with configuration existingSecret: "" diff --git a/helmfile.d/upstream/falcosecurity/falco/dashboards/falco-dashboard.json b/helmfile.d/upstream/falcosecurity/falco/dashboards/falco-dashboard.json new file mode 100644 index 000000000..77895d327 --- /dev/null +++ b/helmfile.d/upstream/falcosecurity/falco/dashboards/falco-dashboard.json 
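Review bot: `customConfig` in hunk `@@ -1237,6 +1292,11 @@` is described as a list and its commented example uses list items, but the default is the empty map `{}`. configmap-ui.yaml ranges over it and prints each element as one line of `redis-stack.conf`, so a map-style override would lose its keys and write only the values; `customConfig: []` matches both the template and the description. Because these lines land in a ConfigMap rather than a Secret, the comment could also say that credentials such as `requirepass` belong in `webui.redis.password` or `existingSecret`, not here.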
@@ -0,0 +1,2631 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Falco is a cloud-native security tool designed for Linux systems. It employs custom rules on kernel events, which are enriched with container and Kubernetes metadata, to provide real-time alerts. Falco helps you gain visibility into abnormal behavior, potential security threats, and compliance violations, contributing to comprehensive runtime security.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 1, + "id": 41, + "links": [], + "panels": [ + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 7, + "panels": [], + "title": "Events", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 9, + "x": 0, + "y": 1 + }, + "id": 1, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": false + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(rule_name) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + 
"includeNullMetadata": true, + "instant": false, + "legendFormat": "{{rule_name}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Rules", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [], + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 9, + "y": 1 + }, + "id": 2, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": false + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(source) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": false, + "instant": false, + "legendFormat": "{{source}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Sources", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "fieldMinMax": false, + "mappings": [], + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "error" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": 
"byName", + "options": "critical" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "notice" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "warning" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 9, + "w": 7, + "x": 17, + "y": 1 + }, + "id": 3, + "options": { + "displayLabels": [ + "name" + ], + "legend": { + "displayMode": "table", + "placement": "bottom", + "showLegend": false + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(priority) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{priority}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Priorities", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + 
"options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 14, + "w": 12, + "x": 0, + "y": 10 + }, + "id": 5, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(priority) 
(increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Priority over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + 
"group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 14, + "w": 12, + "x": 12, + "y": 10 + }, + "id": 18, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(source) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "by Source over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + 
} + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.5, + "drawStyle": "bars", + "fillOpacity": 100, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "normal" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "min": 0.01, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 15, + "w": 24, + "x": 0, + "y": 24 + }, + "id": 19, + "options": { + "legend": { + "calcs": [ + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "right", + "showLegend": true, + "sortBy": "Last *", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "desc" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(rule_name) (increase(falcosecurity_falco_rules_matches_total{source=~\"$source\", priority=~\"$priority\", pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "__auto", + "range": true, + "refId": "A", + 
"useBackend": false + } + ], + "title": "by Rule over time", + "transformations": [ + { + "id": "renameByRegex", + "options": { + "regex": "0", + "renamePattern": "default" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "1", + "renamePattern": "debug" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "2", + "renamePattern": "informational" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "3", + "renamePattern": "notice" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "4", + "renamePattern": "warning" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "5", + "renamePattern": "error" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "6", + "renamePattern": "critical" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "7", + "renamePattern": "alert" + } + }, + { + "id": "renameByRegex", + "options": { + "regex": "8", + "renamePattern": "emergency" + } + } + ], + "type": "timeseries" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 39 + }, + "id": 8, + "panels": [], + "title": "Performances", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 1, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", 
+ "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "total" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "total" + }, + "properties": [ + { + "id": "custom.lineStyle", + "value": { + "dash": [ + 10, + 10 + ], + "fill": "dash" + } + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 24, + "x": 0, + "y": 40 + }, + "id": 9, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "lastNotNull" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "sum by(pod) (increase(falcosecurity_scap_n_evts_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "prometheus" + }, + "disableTextWrap": false, + "editorMode": "builder", + "exemplar": false, + "expr": "sum(irate(falcosecurity_falco_n_evts_total[$__interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "interval": "1m", + "legendFormat": "total", + "range": true, + "refId": "B", + "useBackend": false + } + ], + "title": "Scap events by instance over time", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + 
"axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "decbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 12, + "x": 0, + "y": 50 + }, + "id": 10, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "avg by(pod, raw_name) (falcosecurity_falco_memory_rss_bytes{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Memory RSS", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + 
"legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "decbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 12, + "x": 12, + "y": 50 + }, + "id": 13, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Last", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "avg by(pod, raw_name) (falcosecurity_falco_memory_vsz_bytes{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - {{raw_name}}", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "avg by(pod, raw_name) (falcosecurity_falco_memory_vsz_bytes)", + "fullMetaSearch": false, + "hide": true, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "B", + "useBackend": false + } + ], + "title": "Memory VSZ", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": 
false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 24, + "x": 0, + "y": 62 + }, + "id": 11, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "avg by(pod) (falcosecurity_falco_cpu_usage_ratio{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "CPU", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + 
"viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 12, + "x": 0, + "y": 74 + }, + "id": 14, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Scap Drops total", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + 
"stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 12, + "x": 12, + "y": 74 + }, + "id": 24, + "options": { + "legend": { + "calcs": [ + "min", + "max", + "mean", + "last" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_falco_outputs_queue_num_drops_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Queue Drops", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + 
"color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 16, + "w": 12, + "x": 0, + "y": 86 + }, + "id": 20, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"clone_fork\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - clone_fork", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"connect\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - connect", + "range": true, + "refId": "B", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"dir_file\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - dir_file", + "range": true, + "refId": "C", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum 
by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"execve\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - execve", + "range": true, + "refId": "D", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"open\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - open", + "range": true, + "refId": "E", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"enter\", drop=\"other_interest\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - other_interest", + "range": true, + "refId": "F", + "useBackend": false + } + ], + "title": "Scap Drops Buffer Enter", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + 
"spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 16, + "w": 12, + "x": 12, + "y": 86 + }, + "id": 26, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true, + "sortBy": "Max", + "sortDesc": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"clone_fork\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - clone_fork", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"connect\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - connect", + "range": true, + "refId": "B", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"dir_file\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} 
- dir_file", + "range": true, + "refId": "C", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"execve\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - execve", + "range": true, + "refId": "D", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"open\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - open", + "range": true, + "refId": "E", + "useBackend": false + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_buffer_total{pod=~\"$pod\", dir=\"exit\", drop=\"other_interest\"}[$__rate_interval]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}} - other_interest", + "range": true, + "refId": "F", + "useBackend": false + } + ], + "title": "Scap Drops Buffer Exit", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, 
+ "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 8, + "x": 0, + "y": 102 + }, + "id": 21, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_cpu_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Scap Drops CPU", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + 
"stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 8, + "x": 8, + "y": 102 + }, + "id": 22, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_full_threadtable_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Scap Drops Full Threadtable", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "barWidthFactor": 0.6, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green" + }, + { + 
"color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 8, + "x": 16, + "y": 102 + }, + "id": 23, + "options": { + "legend": { + "calcs": [ + "max", + "mean" + ], + "displayMode": "table", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "sum by(pod) (increase(falcosecurity_scap_n_drops_scratch_map_total{pod=~\"$pod\"}[$__rate_interval]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "{{pod}}", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Scap Drops Scratch Map", + "type": "timeseries" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 114 + }, + "id": 15, + "panels": [], + "title": "Fleet", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [] + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 6, + "x": 0, + "y": 115 + }, + "id": 16, + "options": { + "displayLabels": [ + "name", + "value" + ], + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true, + "values": [] + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "count by(version) 
(falcosecurity_falco_version_info{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Versions", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [] + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 6, + "x": 6, + "y": 115 + }, + "id": 17, + "options": { + "displayLabels": [ + "name", + "value" + ], + "legend": { + "displayMode": "list", + "placement": "bottom", + "showLegend": true, + "values": [] + }, + "pieType": "pie", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "multi", + "sort": "none" + } + }, + "pluginVersion": "11.3.0-77222", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "disableTextWrap": false, + "editorMode": "builder", + "expr": "count by(engine_name) (falcosecurity_scap_engine_name_info{pod=~\"$pod\"})", + "fullMetaSearch": false, + "includeNullMetadata": true, + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Engines", + "type": "piechart" + } + ], + "preload": false, + "refresh": "", + "schemaVersion": 40, + "tags": [ + "falco", + "kubernetes", + "security" + ], + "templating": { + "list": [ + { + "current": { + "text": "grafanacloud-issif-prom", + "value": "grafanacloud-prom" + }, + "name": "datasource", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "type": "datasource" + }, + { + "current": { + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": 
"label_values(falcosecurity_falco_cpu_usage_ratio,namespace)", + "includeAll": true, + "multi": true, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falco_cpu_usage_ratio,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 1, + "regex": "", + "type": "query" + }, + { + "current": { + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falco_cpu_usage_ratio{namespace=~\"$namespace\"},pod)", + "includeAll": true, + "multi": true, + "name": "pod", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falco_cpu_usage_ratio{namespace=~\"$namespace\"},pod)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "sort": 1, + "type": "query" + }, + { + "current": { + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falco_rules_matches_total{namespace=~\"$namespace\", pod=~\"$pod\"},source)", + "includeAll": true, + "label": "source", + "multi": true, + "name": "source", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(falcosecurity_falco_rules_matches_total{namespace=~\"$namespace\", pod=~\"$pod\"},source)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "sort": 4, + "type": "query" + }, + { + "current": { + "text": [ + "All" + ], + "value": [ + "$__all" + ] + }, + "datasource": { + "type": "prometheus", + "uid": "${datasource}" + }, + "definition": "label_values(falcosecurity_falco_rules_matches_total{namespace=~\"$namespace\", source=~\"$source\"},priority)", + "includeAll": true, + "label": "priority", + "multi": true, + "name": "priority", + "options": [], + "query": { + "qryType": 1, + "query": 
"label_values(falcosecurity_falco_rules_matches_total{namespace=~\"$namespace\", source=~\"$source\"},priority)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "sort": 4, + "type": "query" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": {}, + "timezone": "browser", + "title": "Falco", + "uid": "ddwe2ug4nfi0wb", + "version": 46, + "weekStart": "" +} \ No newline at end of file diff --git a/helmfile.d/upstream/falcosecurity/falco/templates/_helpers.tpl b/helmfile.d/upstream/falcosecurity/falco/templates/_helpers.tpl index f611a5397..284caae3e 100644 --- a/helmfile.d/upstream/falcosecurity/falco/templates/_helpers.tpl +++ b/helmfile.d/upstream/falcosecurity/falco/templates/_helpers.tpl @@ -280,8 +280,8 @@ be temporary and will stay here until we move this logic to the falcoctl tool. {{- with .Values.falcoctl.artifact.install.mounts.volumeMounts }} {{- toYaml . | nindent 4 }} {{- end }} - env: {{- if .Values.falcoctl.artifact.install.env }} + env: {{- include "falco.renderTemplate" ( dict "value" .Values.falcoctl.artifact.install.env "context" $) | nindent 4 }} {{- end }} {{- end -}} @@ -314,8 +314,8 @@ be temporary and will stay here until we move this logic to the falcoctl tool. {{- with .Values.falcoctl.artifact.follow.mounts.volumeMounts }} {{- toYaml . | nindent 4 }} {{- end }} - env: {{- if .Values.falcoctl.artifact.follow.env }} + env: {{- include "falco.renderTemplate" ( dict "value" .Values.falcoctl.artifact.follow.env "context" $) | nindent 4 }} {{- end }} {{- end -}} 
@@ -361,7 +361,7 @@ be temporary and will stay here until we move this logic to the falcoctl tool. {{- if not $hasConfig -}} {{- $listenPort := default (index .Values "k8s-metacollector" "service" "ports" "broker-grpc" "port") .Values.collectors.kubernetes.collectorPort -}} {{- $listenPort = int $listenPort -}} -{{- $pluginConfig := dict "name" "k8smeta" "library_path" "libk8smeta.so" "init_config" (dict "collectorHostname" $hostname "collectorPort" $listenPort "nodeName" "${FALCO_K8S_NODE_NAME}") -}} +{{- $pluginConfig := dict "name" "k8smeta" "library_path" "libk8smeta.so" "init_config" (dict "collectorHostname" $hostname "collectorPort" $listenPort "nodeName" "${FALCO_K8S_NODE_NAME}" "verbosity" .Values.collectors.kubernetes.verbosity "hostProc" .Values.collectors.kubernetes.hostProc) -}} {{- $newConfig := append .Values.falco.plugins $pluginConfig -}} {{- $_ := set .Values.falco "plugins" ($newConfig | uniq) -}} {{- $loadedPlugins := append .Values.falco.load_plugins "k8smeta" -}} @@ -427,6 +427,7 @@ Based on the use input it populates the metrics configuration in the falco confi {{- $_ = set .Values.falco.metrics "resource_utilization_enabled" .Values.metrics.resourceUtilizationEnabled -}} {{- $_ = set .Values.falco.metrics "state_counters_enabled" .Values.metrics.stateCountersEnabled -}} {{- $_ = set .Values.falco.metrics "kernel_event_counters_enabled" .Values.metrics.kernelEventCountersEnabled -}} +{{- $_ = set .Values.falco.metrics "kernel_event_counters_per_cpu_enabled" .Values.metrics.kernelEventCountersPerCPUEnabled -}} {{- $_ = set .Values.falco.metrics "libbpf_stats_enabled" .Values.metrics.libbpfStatsEnabled -}} {{- $_ = set .Values.falco.metrics "convert_memory_to_mb" .Values.metrics.convertMemoryToMB -}} {{- $_ = set .Values.falco.metrics "include_empty_values" .Values.metrics.includeEmptyValues -}} 
diff --git a/helmfile.d/upstream/falcosecurity/falco/templates/falco-dashboard-grafana.yaml b/helmfile.d/upstream/falcosecurity/falco/templates/falco-dashboard-grafana.yaml new file mode 100644 index 000000000..2361f737b --- /dev/null +++ b/helmfile.d/upstream/falcosecurity/falco/templates/falco-dashboard-grafana.yaml @@ -0,0 +1,22 @@ +{{- if .Values.grafana.dashboards.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.grafana.dashboards.configMaps.falco.name }} + {{ if .Values.grafana.dashboards.configMaps.falco.namespace }} + namespace: {{ .Values.grafana.dashboards.configMaps.falco.namespace }} + {{- else -}} + namespace: {{ include "falco.namespace" . }} + {{- end }} + labels: + {{- include "falco.labels" . | nindent 4 }} + grafana_dashboard: "1" + {{- if .Values.grafana.dashboards.configMaps.falco.folder }} + annotations: + k8s-sidecar-target-directory: /tmp/dashboards/{{ .Values.grafana.dashboards.configMaps.falco.folder}} + grafana_dashboard_folder: {{ .Values.grafana.dashboards.configMaps.falco.folder }} + {{- end }} +data: + falco-dashboard.json: |- + {{- .Files.Get "dashboards/falco-dashboard.json" | nindent 4 }} + {{- end -}} diff --git a/helmfile.d/upstream/falcosecurity/falco/templates/pod-template.tpl b/helmfile.d/upstream/falcosecurity/falco/templates/pod-template.tpl index 1a098b3d0..aa7eb3470 100644 --- a/helmfile.d/upstream/falcosecurity/falco/templates/pod-template.tpl +++ b/helmfile.d/upstream/falcosecurity/falco/templates/pod-template.tpl 
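Review bot: The `metadata.namespace` selection in this new template relies on an `{{ if }}` / `{{- else -}}` / `{{- end }}` block with mixed trim markers, so the indentation of the rendered `namespace:` line depends on which branch runs and is easy to break on the next edit. A single line such as `namespace: {{ default (include "falco.namespace" .) .Values.grafana.dashboards.configMaps.falco.namespace | quote }}` covers both cases without whitespace control. `name` and the `folder` annotation values are also interpolated unquoted; piping them through `quote` keeps an unusual value from changing the YAML structure. Note that when the namespace override is set, the release writes a ConfigMap outside its own namespace, which deserves a one-line comment in the template.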
@@ -12,6 +12,17 @@ metadata: {{- if and .Values.certs (not .Values.certs.existingSecret) }} checksum/certs: {{ include (print $.Template.BasePath "/certs-secret.yaml") . | sha256sum }} {{- end }} + {{- if .Values.driver.enabled }} + {{- if (or (eq .Values.driver.kind "modern_ebpf") (eq .Values.driver.kind "modern-bpf")) }} + {{- if .Values.driver.modernEbpf.leastPrivileged }} + container.apparmor.security.beta.kubernetes.io/{{ .Chart.Name }}: unconfined + {{- end }} + {{- else if eq .Values.driver.kind "ebpf" }} + {{- if .Values.driver.ebpf.leastPrivileged }} + container.apparmor.security.beta.kubernetes.io/{{ .Chart.Name }}: unconfined + {{- end }} + {{- end }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 4 }} {{- end }} @@ -49,6 +60,7 @@ spec: {{- if eq .Values.driver.kind "gvisor" }} hostNetwork: true hostPID: true + dnsPolicy: ClusterFirstWithHostNet {{- end }} containers: - name: {{ .Chart.Name }} @@ -128,13 +140,15 @@ spec: - mountPath: /usr/share/falco/plugins name: plugins-install-dir {{- end }} + {{- end }} + {{- if eq (include "driverLoader.enabled" .) "true" }} + - mountPath: /etc/falco/config.d + name: specialized-falco-configs {{- end }} - mountPath: /root/.falco name: root-falco-fs - {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }} - mountPath: /host/proc name: proc-fs - {{- end }} {{- if and .Values.driver.enabled (not .Values.driver.loader.enabled) }} readOnly: true - mountPath: /host/boot @@ -227,6 +241,10 @@ spec: {{- include "falcoctl.initContainer" . | nindent 4 }} {{- end }} volumes: + {{- if eq (include "driverLoader.enabled" .) "true" }} + - name: specialized-falco-configs + emptyDir: {} + {{- end }} {{- if or .Values.falcoctl.artifact.install.enabled .Values.falcoctl.artifact.follow.enabled }} - name: plugins-install-dir emptyDir: {} 
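Review bot: The added annotation sets the container's AppArmor profile to `unconfined` exactly when `driver.modernEbpf.leastPrivileged` or `driver.ebpf.leastPrivileged` is enabled, and nothing in the hunk explains why the mode named least-privileged has to give up AppArmor confinement. I would put a template comment above the block, e.g. `{{- /* leastPrivileged: AppArmor is set to unconfined because <reason, to be filled in by the chart authors> */ -}}`, so that operators reviewing the rendered pod spec can judge the trade-off. The `container.apparmor.security.beta.kubernetes.io/...` annotation is also the beta form, which newer Kubernetes releases deprecate in favour of the `securityContext.appArmorProfile` field; it is worth checking against the cluster versions this chart has to support. The annotations block continues outside the hunk.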
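Review bot: Removing the `{{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }}` guard in the `@@ -128,13 +140,15 @@` hunk mounts the host's `/proc` at `/host/proc` in every deployment, including plugin-only ones that run with the driver disabled. In the visible lines the `readOnly: true` that follows the mount sits inside `{{- if and .Values.driver.enabled (not .Values.driver.loader.enabled) }}`, so with the driver disabled the mount appears to be writable. If the unconditional mount is intended, I would place `readOnly: true` directly under `name: proc-fs`, outside that conditional, unless some component needs write access, and check whether `mounts.enforceProcMount` is still read anywhere. The same guard is dropped from the `proc-fs` hostPath volume in the `@@ -281,11 +299,9 @@` hunk; the container and volume lists continue outside both hunks.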
@@ -281,11 +299,9 @@ spec: {{- end }} {{- end }} {{- end }} - {{- if or .Values.driver.enabled .Values.mounts.enforceProcMount }} - name: proc-fs hostPath: path: /proc - {{- end }} {{- if eq .Values.driver.kind "gvisor" }} - name: runsc-path hostPath: @@ -384,6 +400,8 @@ spec: - mountPath: /host/etc name: etc-fs readOnly: true + - mountPath: /etc/falco/config.d + name: specialized-falco-configs env: - name: HOST_ROOT value: /host @@ -395,6 +413,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: FALCOCTL_DRIVER_CONFIG_CONFIGMAP + value: {{ include "falco.fullname" . }} {{- else }} - name: FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO value: "false" diff --git a/helmfile.d/upstream/falcosecurity/falco/templates/service.yaml b/helmfile.d/upstream/falcosecurity/falco/templates/service.yaml index d2093ec22..4121a5032 100644 --- a/helmfile.d/upstream/falcosecurity/falco/templates/service.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/templates/service.yaml @@ -6,7 +6,14 @@ metadata: namespace: {{ include "falco.namespace" . }} labels: {{- include "falco.labels" . | nindent 4 }} + {{- with .Values.metrics.service.labels }} + {{ toYaml . | nindent 4 }} + {{- end }} type: "falco-metrics" + {{- with .Values.metrics.service.annotations }} + annotations: + {{ toYaml . | nindent 4 }} + {{- end }} spec: type: {{ .Values.metrics.service.type }} ports: diff --git a/helmfile.d/upstream/falcosecurity/falco/templates/serviceMonitor.yaml b/helmfile.d/upstream/falcosecurity/falco/templates/serviceMonitor.yaml index 0dea6dd6e..6a80b7137 100644 --- a/helmfile.d/upstream/falcosecurity/falco/templates/serviceMonitor.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/templates/serviceMonitor.yaml @@ -37,6 +37,9 @@ spec: selector: matchLabels: {{- include "falco.selectorLabels" . | nindent 6 }} + {{- with .Values.serviceMonitor.selector }} + {{- toYaml . | nindent 6 }} + {{- end }} type: "falco-metrics" namespaceSelector: matchNames: 
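Review bot: The user-supplied `metrics.service.labels` are rendered into the same `labels:` map as the fixed `type: "falco-metrics"` label in the service.yaml hunk, so a value that also sets `type` (or a key emitted by `falco.labels`) produces a duplicate key, and the ServiceMonitor in this chart selects on that `type` label. I would state in the values documentation that these keys are reserved, or render the fixed labels last from a merged map so the chart's values win. The two new `{{ toYaml . | nindent 4 }}` calls also lack the leading `{{-` used elsewhere in the template, which leaves a whitespace-only line in the output; `{{- toYaml . | nindent 4 }}` matches the surrounding style.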
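Review bot: Entries from `serviceMonitor.selector` are added to `matchLabels` in the serviceMonitor.yaml hunk, but nothing ties them to the labels the Service actually carries. If the same keys are not also set through `metrics.service.labels`, the selector matches no Service and Falco's metrics, including the event-drop counters the new dashboard plots, stop being scraped without any render-time error. I would add a template comment such as `{{- /* extra selector labels must also be set in metrics.service.labels */ -}}` and repeat it next to the value in values.yaml. If the updated unit tests do not already cover it, a case that sets both values and checks that the selector is a subset of the Service labels would catch drift.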
diff --git a/helmfile.d/upstream/falcosecurity/falco/tests/unit/chartInfo.go b/helmfile.d/upstream/falcosecurity/falco/tests/unit/chartInfo.go new file mode 100644 index 000000000..11b4b3d9c --- /dev/null +++ b/helmfile.d/upstream/falcosecurity/falco/tests/unit/chartInfo.go @@ -0,0 +1,34 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "gopkg.in/yaml.v3" +) + +func chartInfo(t *testing.T, chartPath string) (map[string]interface{}, error) { + // Get chart info. + output, err := helm.RunHelmCommandAndGetOutputE(t, &helm.Options{}, "show", "chart", chartPath) + if err != nil { + return nil, err + } + chartInfo := map[string]interface{}{} + err = yaml.Unmarshal([]byte(output), &chartInfo) + return chartInfo, err +} diff --git a/helmfile.d/upstream/falcosecurity/falco/tests/unit/driverLoader_test.go b/helmfile.d/upstream/falcosecurity/falco/tests/unit/driverLoader_test.go index d61990413..6e4fe4273 100644 --- a/helmfile.d/upstream/falcosecurity/falco/tests/unit/driverLoader_test.go +++ b/helmfile.d/upstream/falcosecurity/falco/tests/unit/driverLoader_test.go 
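Review bot: `chartInfo` returns the partially filled map together with the `yaml.Unmarshal` error, and its local variable `chartInfo` shadows the function name. I would rename the local to `info` and return `nil` on failure: `if err := yaml.Unmarshal([]byte(output), &info); err != nil { return nil, err }`. The helper has no doc comment and no `t.Helper()` call; `// chartInfo runs "helm show chart" on chartPath and returns the parsed chart metadata.` would do. Because the file imports `testing` but is not named `*_test.go`, it is compiled into the non-test build of package `unit` as well, so `chartInfo_test.go` may be the better file name.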
@@ -36,6 +36,11 @@ var ( }, }} + configmapEnvVar = v1.EnvVar{ + Name: "FALCOCTL_DRIVER_CONFIG_CONFIGMAP", + Value: releaseName + "-falco", + } + updateConfigMapEnvVar = v1.EnvVar{ Name: "FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO", Value: "false", @@ -64,7 +69,11 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Contains(t, container.Args, "auto") require.True(t, *container.SecurityContext.Privileged) require.Contains(t, container.Env, namespaceEnvVar) + require.Contains(t, container.Env, configmapEnvVar) require.NotContains(t, container.Env, updateConfigMapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -124,7 +133,11 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Contains(t, container.Args, "kmod") require.True(t, *container.SecurityContext.Privileged) require.NotContains(t, container.Env, namespaceEnvVar) + require.NotContains(t, container.Env, configmapEnvVar) require.Contains(t, container.Env, updateConfigMapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -139,7 +152,11 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Contains(t, container.Args, "kmod") require.True(t, *container.SecurityContext.Privileged) require.NotContains(t, container.Env, namespaceEnvVar) + require.NotContains(t, container.Env, configmapEnvVar) require.Contains(t, container.Env, updateConfigMapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -155,6 +172,10 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Nil(t, container.SecurityContext) require.NotContains(t, container.Env, namespaceEnvVar) require.Contains(t, container.Env, updateConfigMapEnvVar) + require.NotContains(t, container.Env, configmapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { 
@@ -190,3 +211,55 @@ func TestDriverLoaderEnabled(t *testing.T) { }) } } + +// volumenMounts checks that the expected volume mounts have been configured. +func volumeMounts(t *testing.T, volumeMounts []v1.VolumeMount) { + rootFalcoFS := v1.VolumeMount{ + Name: "root-falco-fs", + ReadOnly: false, + MountPath: "/root/.falco", + } + require.Contains(t, volumeMounts, rootFalcoFS) + + procFS := v1.VolumeMount{ + Name: "proc-fs", + ReadOnly: true, + MountPath: "/host/proc", + } + require.Contains(t, volumeMounts, procFS) + + bootFS := v1.VolumeMount{ + Name: "boot-fs", + ReadOnly: true, + MountPath: "/host/boot", + } + require.Contains(t, volumeMounts, bootFS) + + libModulesFS := v1.VolumeMount{ + Name: "lib-modules", + ReadOnly: false, + MountPath: "/host/lib/modules", + } + require.Contains(t, volumeMounts, libModulesFS) + + usrFS := v1.VolumeMount{ + Name: "usr-fs", + ReadOnly: true, + MountPath: "/host/usr", + } + require.Contains(t, volumeMounts, usrFS) + + etcFS := v1.VolumeMount{ + Name: "etc-fs", + ReadOnly: true, + MountPath: "/host/etc", + } + require.Contains(t, volumeMounts, etcFS) + + specializedFalcoConfigs := v1.VolumeMount{ + Name: "specialized-falco-configs", + ReadOnly: false, + MountPath: "/etc/falco/config.d", + } + require.Contains(t, volumeMounts, specializedFalcoConfigs) +} diff --git a/helmfile.d/upstream/falcosecurity/falco/tests/unit/grafanaDashboards_test.go b/helmfile.d/upstream/falcosecurity/falco/tests/unit/grafanaDashboards_test.go new file mode 100644 index 000000000..75aa76df4 --- /dev/null +++ b/helmfile.d/upstream/falcosecurity/falco/tests/unit/grafanaDashboards_test.go 
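Review bot: The doc comment on the new helper is misspelled (`volumenMounts`), so it does not start with the function's name, and the parameter `volumeMounts` shadows the function itself. I would write `// volumeMounts checks that the driver-loader container has the expected volume mounts.`, rename the parameter to `mounts`, and add `t.Helper()` as the first statement so a failed `require.Contains` is reported at the calling test case. The helper pins `root-falco-fs`, `lib-modules` and `specialized-falco-configs` as writable and `proc-fs`, `boot-fs`, `usr-fs` and `etc-fs` as read-only; a short comment saying that this split is deliberate would help whoever tightens the host mounts later.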
@@ -0,0 +1,144 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "fmt" + "io" + "os" + "path/filepath" + "strings" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + corev1 "k8s.io/api/core/v1" +) + +type grafanaDashboardsTemplateTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestGrafanaDashboardsTemplate(t *testing.T) { + t.Parallel() + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &grafanaDashboardsTemplateTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "falco-test-dashboard", + namespace: "falco-test-dashboard", + templates: []string{"templates/falco-dashboard-grafana.yaml"}, + }) +} + +func (g *grafanaDashboardsTemplateTest) TestCreationDefaultValues() { + // Render the dashboard configmap and check that it has not been rendered. 
+ _, err := helm.RenderTemplateE(g.T(), &helm.Options{}, g.chartPath, g.releaseName, g.templates, fmt.Sprintf("--namespace=%s", g.namespace)) + g.Error(err, "should error") + g.Equal("error while running command: exit status 1; Error: could not find template templates/falco-dashboard-grafana.yaml in chart", err.Error()) +} + +func (g *grafanaDashboardsTemplateTest) TestConfig() { + testCases := []struct { + name string + values map[string]string + expected func(cm *corev1.ConfigMap) + }{ + {"dashboard enabled", + map[string]string{ + "grafana.dashboards.enabled": "true", + }, + func(cm *corev1.ConfigMap) { + // Check that the name is the expected one. + g.Equal("falco-grafana-dashboard", cm.Name) + // Check the namespace. + g.Equal(g.namespace, cm.Namespace) + g.Nil(cm.Annotations) + }, + }, + {"namespace", + map[string]string{ + "grafana.dashboards.enabled": "true", + "grafana.dashboards.configMaps.falco.namespace": "custom-namespace", + }, + func(cm *corev1.ConfigMap) { + // Check that the name is the expected one. + g.Equal("falco-grafana-dashboard", cm.Name) + // Check the namespace. + g.Equal("custom-namespace", cm.Namespace) + g.Nil(cm.Annotations) + }, + }, + {"folder", + map[string]string{ + "grafana.dashboards.enabled": "true", + "grafana.dashboards.configMaps.falco.folder": "custom-folder", + }, + func(cm *corev1.ConfigMap) { + // Check that the name is the expected one. + g.Equal("falco-grafana-dashboard", cm.Name) + g.NotNil(cm.Annotations) + g.Len(cm.Annotations, 2) + // Check sidecar annotation. + val, ok := cm.Annotations["k8s-sidecar-target-directory"] + g.True(ok) + g.Equal("/tmp/dashboards/custom-folder", val) + // Check grafana annotation. 
+ val, ok = cm.Annotations["grafana_dashboard_folder"] + g.True(ok) + g.Equal("custom-folder", val) + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + g.Run(testCase.name, func() { + subT := g.T() + subT.Parallel() + + options := &helm.Options{SetValues: testCase.values} + + // Render the configmap unmarshal it. + output, err := helm.RenderTemplateE(subT, options, g.chartPath, g.releaseName, g.templates, "--namespace="+g.namespace) + g.NoError(err, "should succeed") + var cfgMap corev1.ConfigMap + helm.UnmarshalK8SYaml(subT, output, &cfgMap) + + // Common checks + // Check that contains the right label. + g.Contains(cfgMap.Labels, "grafana_dashboard") + // Check that the dashboard is contained in the config map. + file, err := os.Open("../../dashboards/falco-dashboard.json") + g.NoError(err) + content, err := io.ReadAll(file) + g.NoError(err) + cfgData, ok := cfgMap.Data["falco-dashboard.json"] + g.True(ok) + g.Equal(strings.TrimRight(string(content), "\n"), cfgData) + testCase.expected(&cfgMap) + }) + } +} diff --git a/helmfile.d/upstream/falcosecurity/falco/tests/unit/k8smetacollectorDependency_test.go b/helmfile.d/upstream/falcosecurity/falco/tests/unit/k8smetacollectorDependency_test.go index 88e3954f7..f06ea4d4e 100644 --- a/helmfile.d/upstream/falcosecurity/falco/tests/unit/k8smetacollectorDependency_test.go +++ b/helmfile.d/upstream/falcosecurity/falco/tests/unit/k8smetacollectorDependency_test.go @@ -23,10 +23,11 @@ import ( "strings" "testing" + "slices" + "github.com/gruntwork-io/terratest/modules/helm" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" - "slices" ) const chartPath = "../../" 
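Review bot: In `TestConfig` the dashboard file is opened with `os.Open("../../dashboards/falco-dashboard.json")` and never closed, and the path is relative to the working directory rather than to `g.chartPath`. `content, err := os.ReadFile(filepath.Join(g.chartPath, "dashboards", "falco-dashboard.json"))` reads the file without leaving a handle open in each parallel subtest; the `io` import then becomes unused. The `g.NoError` calls are non-fatal, so after a failed render the subtest goes on to unmarshal empty output; `g.Require().NoError(err)` stops at the first failure. `TestCreationDefaultValues` compares the complete helm error string, which breaks on any wording change in helm; `g.ErrorContains(err, "could not find template")` is less brittle.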
@@ -114,6 +115,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] @@ -124,7 +126,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.default.svc", releaseName), hostName.(string)) - + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] require.Equal(t, "libk8smeta.so", libPath) @@ -140,6 +147,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] 
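Review bot: The new `verbosity` and `hostProc` checks use unchecked type assertions (`verbosity.(string)`, `hostProc.(string)`), so a missing or non-string key panics the test instead of failing it with a readable message. `require.Equal(t, "info", initConfigMap["verbosity"])` and `require.Equal(t, "/host", initConfigMap["hostProc"])` compare the values without asserting the type. The same lines are pasted into each case of `TestPluginConfigurationInFalcoConfig` (the hunks from `@@ -150,6 +158,12 @@` to `@@ -230,6 +259,12 @@` repeat them), so moving the shared init_config checks into one helper would keep the cases from drifting. The added `require.Len(t, initConfig, 5, ...)` hard-codes the key count, which forces an edit in every case when a key is added; checking the expected keys by name is sturdier. The test function continues outside these hunks.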
@@ -150,6 +158,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.test.svc", releaseName), hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] @@ -166,6 +180,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] @@ -176,6 +191,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, "collector.default.svc", hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] @@ -194,6 +215,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] 
@@ -204,6 +226,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, "collector.test.svc", hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] @@ -220,6 +248,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] @@ -230,6 +259,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, "test", hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] @@ -249,6 +284,7 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Get init config. initConfig, ok := plugin["init_config"] require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") initConfigMap := initConfig.(map[string]interface{}) // Check that the collector port is correctly set. port := initConfigMap["collectorPort"] 
@@ -259,6 +295,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, "test-with-override", hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] @@ -286,6 +328,12 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { // Check that the collector hostname is correctly set. hostName := initConfigMap["collectorHostname"] require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.default.svc", releaseName), hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "info", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host", hostProc.(string)) // Check that the library path is set. libPath := plugin["library_path"] 
@@ -293,7 +341,40 @@ func TestPluginConfigurationInFalcoConfig(t *testing.T) { }, }, { - "drive disabled", + "set collector logger level and hostProc", + map[string]string{ + "collectors.kubernetes.verbosity": "trace", + "collectors.kubernetes.hostProc": "/host/test", + }, + func(t *testing.T, config any) { + plugin := config.(map[string]interface{}) + // Get init config. + initConfig, ok := plugin["init_config"] + require.True(t, ok) + require.Len(t, initConfig, 5, "checking number of config entries in the init section") + initConfigMap := initConfig.(map[string]interface{}) + // Check that the collector port is correctly set. + port := initConfigMap["collectorPort"] + require.Equal(t, float64(45000), port.(float64)) + // Check that the collector nodeName is correctly set. + nodeName := initConfigMap["nodeName"] + require.Equal(t, "${FALCO_K8S_NODE_NAME}", nodeName.(string)) + // Check that the collector hostname is correctly set. + hostName := initConfigMap["collectorHostname"] + require.Equal(t, fmt.Sprintf("%s-k8s-metacollector.default.svc", releaseName), hostName.(string)) + // Check that the loglevel has been set. + verbosity := initConfigMap["verbosity"] + require.Equal(t, "trace", verbosity.(string)) + // Check that host proc fs has been set. + hostProc := initConfigMap["hostProc"] + require.Equal(t, "/host/test", hostProc.(string)) + // Check that the library path is set. + libPath := plugin["library_path"] + require.Equal(t, "libk8smeta.so", libPath) + }, + }, + { + "driver disabled", map[string]string{ "driver.enabled": "false", }, 
@@ -462,7 +543,7 @@ func TestFalcoctlRefs(t *testing.T) { refs := artifactConfig["install"].(map[string]interface{})["refs"].([]interface{}) require.Len(t, refs, 2) require.True(t, slices.Contains(refs, "falco-rules:3")) - require.True(t, slices.Contains(refs, "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.0")) + require.True(t, slices.Contains(refs, "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1")) } testCases := []struct { diff --git a/helmfile.d/upstream/falcosecurity/falco/tests/unit/metricsConfig_test.go b/helmfile.d/upstream/falcosecurity/falco/tests/unit/metricsConfig_test.go index 2d0cc33da..e983f58cf 100644 --- a/helmfile.d/upstream/falcosecurity/falco/tests/unit/metricsConfig_test.go +++ b/helmfile.d/upstream/falcosecurity/falco/tests/unit/metricsConfig_test.go 
@@ -26,16 +26,17 @@ import ( ) type metricsConfig struct { - Enabled bool `yaml:"enabled"` - ConvertMemoryToMB bool `yaml:"convert_memory_to_mb"` - IncludeEmptyValues bool `yaml:"include_empty_values"` - KernelEventCountersEnabled bool `yaml:"kernel_event_counters_enabled"` - ResourceUtilizationEnabled bool `yaml:"resource_utilization_enabled"` - RulesCountersEnabled bool `yaml:"rules_counters_enabled"` - LibbpfStatsEnabled bool `yaml:"libbpf_stats_enabled"` - OutputRule bool `yaml:"output_rule"` - StateCountersEnabled bool `yaml:"state_counters_enabled"` - Interval string `yaml:"interval"` + Enabled bool `yaml:"enabled"` + ConvertMemoryToMB bool `yaml:"convert_memory_to_mb"` + IncludeEmptyValues bool `yaml:"include_empty_values"` + KernelEventCountersEnabled bool `yaml:"kernel_event_counters_enabled"` + KernelEventCountersPerCPUEnabled bool `yaml:"kernel_event_counters_per_cpu_enabled"` + ResourceUtilizationEnabled bool `yaml:"resource_utilization_enabled"` + RulesCountersEnabled bool `yaml:"rules_counters_enabled"` + LibbpfStatsEnabled bool `yaml:"libbpf_stats_enabled"` + OutputRule bool `yaml:"output_rule"` + StateCountersEnabled bool `yaml:"state_counters_enabled"` + Interval string `yaml:"interval"` } type webServerConfig struct { @@ -63,7 +64,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { "defaultValues", nil, func(t *testing.T, metricsConfig, webServerConfig any) { - require.Len(t, metricsConfig, 10, "should have ten items") + require.Len(t, metricsConfig, 11, "should have ten items") metrics, err := getMetricsConfig(metricsConfig) require.NoError(t, err) @@ -78,6 +79,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { require.True(t, metrics.LibbpfStatsEnabled) require.True(t, metrics.OutputRule) require.True(t, metrics.StateCountersEnabled) + require.False(t, metrics.KernelEventCountersPerCPUEnabled) webServer, err := getWebServerConfig(webServerConfig) require.NoError(t, err) 
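Review bot: The failure message in `require.Len(t, metricsConfig, 11, "should have ten items")` no longer matches the expected length, which the new `kernel_event_counters_per_cpu_enabled` field raises to 11. It should read `require.Len(t, metricsConfig, 11, "should have eleven items")`. The same stale message appears in the two later hunks of this file, at -92,7 and -118,19. TestMetricsConfigInFalcoConfig continues outside the hunk.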
@@ -92,7 +94,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { "metrics.enabled": "true", }, func(t *testing.T, metricsConfig, webServerConfig any) { - require.Len(t, metricsConfig, 10, "should have ten items") + require.Len(t, metricsConfig, 11, "should have ten items") metrics, err := getMetricsConfig(metricsConfig) require.NoError(t, err) @@ -107,6 +109,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { require.True(t, metrics.LibbpfStatsEnabled) require.False(t, metrics.OutputRule) require.True(t, metrics.StateCountersEnabled) + require.False(t, metrics.KernelEventCountersPerCPUEnabled) webServer, err := getWebServerConfig(webServerConfig) require.NoError(t, err) @@ -118,19 +121,20 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { { "Flip/Change Values", map[string]string{ - "metrics.enabled": "true", - "metrics.convertMemoryToMB": "false", - "metrics.includeEmptyValues": "true", - "metrics.kernelEventCountersEnabled": "false", - "metrics.resourceUtilizationEnabled": "false", - "metrics.rulesCountersEnabled": "false", - "metrics.libbpfStatsEnabled": "false", - "metrics.outputRule": "false", - "metrics.stateCountersEnabled": "false", - "metrics.interval": "1s", + "metrics.enabled": "true", + "metrics.convertMemoryToMB": "false", + "metrics.includeEmptyValues": "true", + "metrics.kernelEventCountersEnabled": "false", + "metrics.resourceUtilizationEnabled": "false", + "metrics.rulesCountersEnabled": "false", + "metrics.libbpfStatsEnabled": "false", + "metrics.outputRule": "false", + "metrics.stateCountersEnabled": "false", + "metrics.interval": "1s", + "metrics.kernelEventCountersPerCPUEnabled": "true", }, func(t *testing.T, metricsConfig, webServerConfig any) { - require.Len(t, metricsConfig, 10, "should have ten items") + require.Len(t, metricsConfig, 11, "should have ten items") metrics, err := getMetricsConfig(metricsConfig) require.NoError(t, err) 
@@ -145,6 +149,7 @@ func TestMetricsConfigInFalcoConfig(t *testing.T) { require.False(t, metrics.LibbpfStatsEnabled) require.False(t, metrics.OutputRule) require.False(t, metrics.StateCountersEnabled) + require.True(t, metrics.KernelEventCountersPerCPUEnabled) webServer, err := getWebServerConfig(webServerConfig) require.NoError(t, err) diff --git a/helmfile.d/upstream/falcosecurity/falco/tests/unit/serviceMonitorTemplate_test.go b/helmfile.d/upstream/falcosecurity/falco/tests/unit/serviceMonitorTemplate_test.go index b2fcb3745..ea914e281 100644 --- a/helmfile.d/upstream/falcosecurity/falco/tests/unit/serviceMonitorTemplate_test.go +++ b/helmfile.d/upstream/falcosecurity/falco/tests/unit/serviceMonitorTemplate_test.go @@ -83,7 +83,12 @@ func (s *serviceMonitorTemplateTest) TestEndpoint() { } func (s *serviceMonitorTemplateTest) TestNamespaceSelector() { - options := &helm.Options{SetValues: map[string]string{"serviceMonitor.create": "true"}} + selectorsLabelJson := `{ + "app.kubernetes.io/instance": "my-falco", + "foo": "bar" + }` + options := &helm.Options{SetValues: map[string]string{"serviceMonitor.create": "true"}, + SetJsonValues: map[string]string{"serviceMonitor.selector": selectorsLabelJson}} output := helm.RenderTemplate(s.T(), options, s.chartPath, s.releaseName, s.templates) var svcMonitor monitoringv1.ServiceMonitor 
@@ -91,3 +96,64 @@ func (s *serviceMonitorTemplateTest) TestNamespaceSelector() { s.Len(svcMonitor.Spec.NamespaceSelector.MatchNames, 1) s.Equal("default", svcMonitor.Spec.NamespaceSelector.MatchNames[0]) } + +func (s *serviceMonitorTemplateTest) TestServiceMonitorSelector() { + testCases := []struct { + name string + values string + expected map[string]string + }{ + { + "defaultValues", + "", + map[string]string{ + "app.kubernetes.io/instance": "falco-test", + "app.kubernetes.io/name": "falco", + "type": "falco-metrics", + }, + }, + { + "customValues", + `{ + "foo": "bar" + }`, + map[string]string{ + "app.kubernetes.io/instance": "falco-test", + "app.kubernetes.io/name": "falco", + "foo": "bar", + "type": "falco-metrics", + }, + }, + { + "overwriteDefaultValues", + `{ + "app.kubernetes.io/instance": "falco-overwrite", + "foo": "bar" + }`, + map[string]string{ + "app.kubernetes.io/instance": "falco-overwrite", + "app.kubernetes.io/name": "falco", + "foo": "bar", + "type": "falco-metrics", + }, + }, + } + + for _, testCase := range testCases { + testCase := testCase + + s.Run(testCase.name, func() { + subT := s.T() + subT.Parallel() + + options := &helm.Options{SetValues: map[string]string{"serviceMonitor.create": "true"}, + SetJsonValues: map[string]string{"serviceMonitor.selector": testCase.values}} + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.releaseName, s.templates) + + var svcMonitor monitoringv1.ServiceMonitor + helm.UnmarshalK8SYaml(s.T(), output, &svcMonitor) + + s.Equal(testCase.expected, svcMonitor.Spec.Selector.MatchLabels, "should be the same") + }) + } +} diff --git a/helmfile.d/upstream/falcosecurity/falco/tests/unit/serviceTemplate_test.go b/helmfile.d/upstream/falcosecurity/falco/tests/unit/serviceTemplate_test.go new file mode 100644 index 000000000..861159a6c --- /dev/null +++ b/helmfile.d/upstream/falcosecurity/falco/tests/unit/serviceTemplate_test.go 
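Review bot: In TestServiceMonitorSelector the subtest captures `subT := s.T()` and calls `subT.Parallel()`, but then passes `s.T()` again to `helm.RenderTemplate` and `helm.UnmarshalK8SYaml`. Once the subtest runs in parallel, the suite's shared T may already belong to a different case (this is how testify suites behave, as far as I know), so a render failure can be reported against the wrong case. Pass the captured value instead: `helm.RenderTemplate(subT, options, s.chartPath, s.releaseName, s.templates)` and `helm.UnmarshalK8SYaml(subT, output, &svcMonitor)`. The closing `s.Equal` depends on the same shared T, so dropping `subT.Parallel()` is the simpler alternative if exact attribution matters.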
@@ -0,0 +1,178 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 The Falco Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package unit + +import ( + "fmt" + "path/filepath" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/stretchr/testify/require" + "github.com/stretchr/testify/suite" + corev1 "k8s.io/api/core/v1" +) + +type serviceTemplateTest struct { + suite.Suite + chartPath string + releaseName string + namespace string + templates []string +} + +func TestServiceTemplate(t *testing.T) { + t.Parallel() + + chartFullPath, err := filepath.Abs(chartPath) + require.NoError(t, err) + + suite.Run(t, &serviceTemplateTest{ + Suite: suite.Suite{}, + chartPath: chartFullPath, + releaseName: "falco-test", + namespace: "falco-namespace-test", + templates: []string{"templates/service.yaml"}, + }) +} + +func (s *serviceTemplateTest) TestCreationDefaultValues() { + // Render the service and check that it has not been rendered. 
+ _, err := helm.RenderTemplateE(s.T(), &helm.Options{}, s.chartPath, s.releaseName, s.templates) + s.Error(err, "should error") + s.Equal("error while running command: exit status 1; Error: could not find template templates/service.yaml in chart", err.Error()) +} + +func (s *serviceTemplateTest) TestDefaultLabelsValues() { + options := &helm.Options{SetValues: map[string]string{"metrics.enabled": "true"}} + output, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + s.NoError(err, "should render template") + + cInfo, err := chartInfo(s.T(), s.chartPath) + s.NoError(err) + // Get app version. + appVersion, found := cInfo["appVersion"] + s.True(found, "should find app version in chart info") + appVersion = appVersion.(string) + // Get chart version. + chartVersion, found := cInfo["version"] + s.True(found, "should find chart version in chart info") + // Get chart name. + chartName, found := cInfo["name"] + s.True(found, "should find chart name in chart info") + chartName = chartName.(string) + expectedLabels := map[string]string{ + "helm.sh/chart": fmt.Sprintf("%s-%s", chartName, chartVersion), + "app.kubernetes.io/name": chartName.(string), + "app.kubernetes.io/instance": s.releaseName, + "app.kubernetes.io/version": appVersion.(string), + "app.kubernetes.io/managed-by": "Helm", + "type": "falco-metrics", + } + var svc corev1.Service + helm.UnmarshalK8SYaml(s.T(), output, &svc) + labels := svc.GetLabels() + for key, value := range labels { + expectedVal := expectedLabels[key] + s.Equal(expectedVal, value) + } + + for key, value := range expectedLabels { + expectedVal := labels[key] + s.Equal(expectedVal, value) + } +} + + +func (s *serviceTemplateTest) TestCustomLabelsValues() { + options := &helm.Options{SetValues: map[string]string{"metrics.enabled": "true", + "metrics.service.labels.customLabel": "customLabelValues"}} + output, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + + + 
s.NoError(err, "should render template") + + cInfo, err := chartInfo(s.T(), s.chartPath) + s.NoError(err) + // Get app version. + appVersion, found := cInfo["appVersion"] + s.True(found, "should find app version in chart info") + appVersion = appVersion.(string) + // Get chart version. + chartVersion, found := cInfo["version"] + s.True(found, "should find chart version in chart info") + // Get chart name. + chartName, found := cInfo["name"] + s.True(found, "should find chart name in chart info") + chartName = chartName.(string) + expectedLabels := map[string]string{ + "helm.sh/chart": fmt.Sprintf("%s-%s", chartName, chartVersion), + "app.kubernetes.io/name": chartName.(string), + "app.kubernetes.io/instance": s.releaseName, + "app.kubernetes.io/version": appVersion.(string), + "app.kubernetes.io/managed-by": "Helm", + "type": "falco-metrics", + "customLabel": "customLabelValues", + } + var svc corev1.Service + helm.UnmarshalK8SYaml(s.T(), output, &svc) + labels := svc.GetLabels() + for key, value := range labels { + expectedVal := expectedLabels[key] + s.Equal(expectedVal, value) + } + + for key, value := range expectedLabels { + expectedVal := labels[key] + s.Equal(expectedVal, value) + } + +} + +func (s *serviceTemplateTest) TestDefaultAnnotationsValues() { + options := &helm.Options{SetValues: map[string]string{"metrics.enabled": "true"}} + output, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + + s.NoError(err) + + var svc corev1.Service + helm.UnmarshalK8SYaml(s.T(), output, &svc) + s.Nil(svc.Annotations, "should be nil") +} + +func (s *serviceTemplateTest) TestCustomAnnotationsValues() { + values := map[string]string{ + "metrics.enabled": "true", + "metrics.service.annotations.annotation1": "customAnnotation1", + "metrics.service.annotations.annotation2": "customAnnotation2", + } + annotations := map[string]string{ + "annotation1": "customAnnotation1", + "annotation2": "customAnnotation2", + } + options := 
&helm.Options{SetValues: values} + output, err := helm.RenderTemplateE(s.T(), options, s.chartPath, s.releaseName, s.templates) + s.NoError(err) + + var svc corev1.Service + helm.UnmarshalK8SYaml(s.T(), output, &svc) + s.Len(svc.Annotations, 2) + + for key, value := range svc.Annotations { + expectedVal := annotations[key] + s.Equal(expectedVal, value) + } +} \ No newline at end of file diff --git a/helmfile.d/upstream/falcosecurity/falco/values-k8saudit.yaml b/helmfile.d/upstream/falcosecurity/falco/values-k8saudit.yaml index 1bc9953fe..4e1e19cfc 100644 --- a/helmfile.d/upstream/falcosecurity/falco/values-k8saudit.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/values-k8saudit.yaml @@ -14,7 +14,6 @@ controller: # For more info check the section on Plugins in the README.md file. replicas: 1 - falcoctl: artifact: install: @@ -27,10 +26,10 @@ falcoctl: artifact: install: # -- List of artifacts to be installed by the falcoctl init container. - refs: [k8saudit-rules:0.7] + refs: [k8saudit-rules:0.11, k8saudit:0.11] follow: # -- List of artifacts to be followed by the falcoctl sidecar container. - refs: [k8saudit-rules:0.7] + refs: [k8saudit-rules:0.11] services: - name: k8saudit-webhook diff --git a/helmfile.d/upstream/falcosecurity/falco/values-syscall-k8saudit.yaml b/helmfile.d/upstream/falcosecurity/falco/values-syscall-k8saudit.yaml index 1dc91145e..bedc9020c 100644 --- a/helmfile.d/upstream/falcosecurity/falco/values-syscall-k8saudit.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/values-syscall-k8saudit.yaml @@ -30,10 +30,10 @@ falcoctl: artifact: install: # -- List of artifacts to be installed by the falcoctl init container. - refs: [falco-rules:3, k8saudit-rules:0.7] + refs: [falco-rules:3, k8saudit-rules:0.11, k8saudit:0.11] follow: # -- List of artifacts to be followed by the falcoctl sidecar container. - refs: [falco-rules:3, k8saudit-rules:0.7] + refs: [falco-rules:3, k8saudit-rules:0.11, k8saudit:0.11] services: - name: k8saudit-webhook 
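Review bot: TestCreationDefaultValues pins the complete helm CLI error text with `s.Equal("error while running command: exit status 1; Error: could not find template templates/service.yaml in chart", err.Error())`, which ties the test to the wording of one helm release. `s.ErrorContains(err, "could not find template templates/service.yaml")` keeps the intent. In TestDefaultLabelsValues and TestCustomLabelsValues the two range loops can be replaced by `s.Equal(expectedLabels, svc.GetLabels())`. The `appVersion = appVersion.(string)` and `chartName = chartName.(string)` reassignments have no effect on an interface-typed variable and can be removed. The file also ends without a trailing newline and contains repeated blank lines that gofmt would collapse.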
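Review bot: The two k8saudit values files now disagree on whether the plugin itself is auto-updated. values-syscall-k8saudit.yaml sets `follow` to `refs: [falco-rules:3, k8saudit-rules:0.11, k8saudit:0.11]`, while values-k8saudit.yaml follows only `k8saudit-rules:0.11` and installs the plugin once. Following a plugin lets the falcoctl sidecar replace a loaded plugin binary whenever the tag moves, and `0.11` looks like a floating minor tag rather than a fixed release. If the difference is not intended, keep the plugin out of `follow` here as well, `refs: [falco-rules:3, k8saudit-rules:0.11]`; if it is intended, add a comment saying why the plugin is followed in this profile only.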
diff --git a/helmfile.d/upstream/falcosecurity/falco/values.yaml b/helmfile.d/upstream/falcosecurity/falco/values.yaml index bd8f2a61a..c73f6b6d1 100644 --- a/helmfile.d/upstream/falcosecurity/falco/values.yaml +++ b/helmfile.d/upstream/falcosecurity/falco/values.yaml @@ -240,6 +240,8 @@ metrics: convertMemoryToMB: true # -- includeEmptyValues specifies whether the empty values should be included in the metrics. includeEmptyValues: false + # -- kernelEventCountersPerCPUEnabled specifies whether the event counters per cpu should be enabled. + kernelEventCountersPerCPUEnabled: false # -- service exposes the metrics service to be accessed from within the cluster. # ref: https://kubernetes.io/docs/concepts/services-networking/service/ service: @@ -248,6 +250,10 @@ metrics: # -- type denotes the service type. Setting it to "ClusterIP" we ensure that are accessible # from within the cluster. type: ClusterIP + # -- labels to add to the service. + labels: {} + # -- annotations to add to the service. + annotations: {} # -- ports denotes all the ports on which the Service will listen. ports: # -- metrics denotes a listening service named "metrics". @@ -265,8 +271,6 @@ mounts: volumes: [] # -- A list of volumes you want to add to the Falco pods. volumeMounts: [] - # -- By default, `/proc` from the host is only mounted into the Falco pod when `driver.enabled` is set to `true`. This flag allows it to override this behaviour for edge cases where `/proc` is needed but syscall data source is not enabled at the same time (e.g. for specific plugins). - enforceProcMount: false # Driver settings (scenario requirement) driver: 
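Review bot: A deployment values file that still sets `mounts.enforceProcMount` is presumably ignored once this hunk removes the key, and nothing here says what now decides whether the host `/proc` is mounted. The k8smeta collector settings later in this file gain `hostProc: /host` with a comment that the plugin scans the host `/proc`, so the mount may now follow the collector being enabled; the pod template is not part of this hunk, so that needs confirming. A host `/proc` mount exposes every host process to the Falco container, so check the deployment's own values for the removed key and compare the rendered DaemonSet volumes before and after the upgrade. If the key is confirmed to be gone, a line such as `# mounts.enforceProcMount is no longer read by this chart version` under `mounts:` would save the next reader the search.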
@@ -388,7 +392,7 @@ collectors: enabled: false # --pluginRef is the OCI reference for the k8smeta plugin. It could be a full reference such as: # "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0". Or just name + tag: k8smeta:0.1.0. - pluginRef: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.0" + pluginRef: "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.2.1" # -- collectorHostname is the address of the k8s-metacollector. When not specified it will be set to match # k8s-metacollector service. e.x: falco-k8smetacollecto.falco.svc. If for any reason you need to override # it, make sure to set here the address of the k8s-metacollector. @@ -398,6 +402,13 @@ collectors: # the value of the port named `broker-grpc` in k8s-metacollector.service.ports is used. The default values is 45000. # It is used by the k8smeta plugin to connect to the k8s-metacollector. collectorPort: "" + # verbosity level for the plugin logger: trace, debug, info, warning, error, critical. + verbosity: info + # The plugin needs to scan the '/proc' of the host on which is running. + # In Falco usually we put the host '/proc' folder under '/host/proc' so + # the default for this config is '/host'. + # The path used here must not have a final '/'. + hostProc: /host ########################### @@ -471,7 +482,7 @@ falcoctl: # -- The image repository to pull from. repository: falcosecurity/falcoctl # -- The image tag to pull. - tag: "0.9.0" + tag: "0.10.1" artifact: # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before # Falco starts. It provides them to Falco by using an emptyDir volume. 
@@ -584,6 +595,22 @@ serviceMonitor: # for Falco's metrics. endpointPort: "metrics" +# -- grafana contains the configuration related to grafana. +grafana: + # -- dashboards contains configuration for grafana dashboards. + dashboards: + # -- enabled specifies whether the dashboards should be deployed. + enabled: false + # --configmaps to be deployed that contain a grafana dashboard. + configMaps: + # -- falco contains the configuration for falco's dashboard. + falco: + # -- name specifies the name for the configmap. + name: falco-grafana-dashboard + # -- namespace specifies the namespace for the configmap. + namespace: "" + # -- folder where the dashboard is stored by grafana. + folder: "" ###################### # falco.yaml config # @@ -682,7 +709,7 @@ falco: # # -- Falco utilizes tbb::concurrent_bounded_queue for handling outputs, and this parameter # allows you to customize the queue capacity. Please refer to the official documentation: - # https://oneapi-src.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. + # https://uxlfoundation.github.io/oneTBB/main/tbb_userguide/Concurrent_Queue_Classes.html. # On a healthy system with optimized Falco rules, the queue should not fill up. # If it does, it is most likely happening due to the entire event flow being too slow, # indicating that the server is under heavy load. 
@@ -834,6 +861,15 @@ falco: # be added at a later stage, it is recommended to turn it off. json_include_tags_property: true + # [Incubating] `json_include_message_property` + # + # When using JSON output in Falco, you have the option to include the formatted + # rule output without timestamp or priority. For instance, if a rule specifies + # an "output" property like "Opened process %proc.name" the "message" field will + # only contain "Opened process bash" whereas the "output" field will contain more + # information. + json_include_message_property: false + # [Stable] `buffered_outputs` # # -- Enabling buffering for the output queue can offer performance optimization, 
@@ -841,30 +877,49 @@ falco: # output mechanism. By default, buffering is disabled (false). buffered_outputs: false - # [Stable] `outputs` - # - # -- A throttling mechanism, implemented as a token bucket, can be used to control - # the rate of Falco outputs. Each event source has its own rate limiter, - # ensuring that alerts from one source do not affect the throttling of others. - # The following options control the mechanism: - # - rate: the number of tokens (i.e. right to send a notification) gained per - # second. When 0, the throttling mechanism is disabled. Defaults to 0. - # - max_burst: the maximum number of tokens outstanding. Defaults to 1000. + # [Sandbox] `append_output` + # + # Add information to the Falco output. + # With this setting you can add more information to the Falco output message, customizable by + # rule, tag or source. + # You can also add additional data that will appear in the output_fields property + # of JSON formatted messages or gRPC output but will not be part of the regular output message. + # This allows you to add custom fields that can help you filter your Falco events without + # polluting the message text. + # + # Each append_output entry has an optional `match` map which specifies which rules will be + # affected. + # `match`: + # `rule`: append output only to a specific rule + # `source`: append output only to a specific source + # `tags`: append output only to rules that have all of the specified tags + # If none of the above are specified (or `match` is omitted) + # output is appended to all events. + # If more than one match condition is specified output will be appended to events + # that match all conditions. + # And several options to add output: + # `extra_output`: add output to the Falco message + # `extra_fields`: add new fields to the JSON output and structured output, which will not + # affect the regular Falco message in any way. 
These can be specified as a + # custom name with a custom format or as any supported field + # (see: https://falco.org/docs/reference/rules/supported-fields/) # - # For example, setting the rate to 1 allows Falco to send up to 1000 - # notifications initially, followed by 1 notification per second. The burst - # capacity is fully restored after 1000 seconds of no activity. + # Example: # - # Throttling can be useful in various scenarios, such as preventing notification - # floods, managing system load, controlling event processing, or complying with - # rate limits imposed by external systems or APIs. It allows for better resource - # utilization, avoids overwhelming downstream systems, and helps maintain a - # balanced and controlled flow of notifications. + # append_output: + # - match: + # source: syscall + # extra_output: "on CPU %evt.cpu" + # extra_fields: + # - home_directory: "${HOME}" + # - evt.hostname # - # With the default settings, the throttling mechanism is disabled. - outputs: - rate: 0 - max_burst: 1000 + # In the example above every event coming from the syscall source will get an extra message + # at the end telling the CPU number. In addition, if `json_output` is true, in the "output_fields" + # property you will find three new ones: "evt.cpu", "home_directory" which will contain the value of the + # environment variable $HOME, and "evt.hostname" which will contain the hostname. + append_output: [] + ########################## # Falco outputs channels # 
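Review bot: An override that relied on `outputs.rate` / `outputs.max_burst` to cap alert volume loses its documented effect, because this hunk drops the throttle from the default `falco:` config. Whether Falco still accepts the key is not visible here. With the default `rate: 0` the throttle was already off, so default behaviour should not change, but any limit that is needed has to be enforced at the receiving side. Separately, the new `append_output` example expands `${HOME}` into `extra_fields`, and values added this way travel with every matching event. The comment block could end with `# Do not reference environment variables that hold credentials: extra_fields values appear in the JSON and gRPC output of every matching event.`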
@@ -1323,6 +1378,9 @@ falco: # counters reflect monotonic values since Falco's start and are exported at a # constant stats interval. # + # `kernel_event_counters_per_cpu_enabled`: Detailed kernel event and drop counters + # per CPU. Typically used when debugging and not in production. + # # `libbpf_stats_enabled`: Exposes statistics similar to `bpftool prog show`, # providing information such as the number of invocations of each BPF program # attached by Falco and the time spent in each program measured in nanoseconds. @@ -1352,6 +1410,7 @@ falco: libbpf_stats_enabled: true convert_memory_to_mb: true include_empty_values: false + kernel_event_counters_per_cpu_enabled: false ####################################### diff --git a/helmfile.d/upstream/index.yaml b/helmfile.d/upstream/index.yaml index 3dba214fd..413573faf 100644 --- a/helmfile.d/upstream/index.yaml +++ b/helmfile.d/upstream/index.yaml @@ -41,7 +41,7 @@ charts: dexidp/dex: 0.18.0 - falcosecurity/falco: 4.8.2 + falcosecurity/falco: 4.17.0 falcosecurity/falco-exporter: 0.12.1 goharbor/harbor: 1.15.0