diff --git a/charts/falco/CHANGELOG.md b/charts/falco/CHANGELOG.md index 1a8a605d8..2f513295a 100644 --- a/charts/falco/CHANGELOG.md +++ b/charts/falco/CHANGELOG.md @@ -3,6 +3,33 @@ This file documents all notable changes to Falco Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## v4.8.3 + +* The init container, when driver.kind=auto, automatically generates + a new Falco configuration file and selects the appropriate engine + kind based on the environment where Falco is deployed. + + With this commit, along with falcoctl PR #630, the Helm charts now + support different driver kinds for Falco instances based on the + specific node they are running on. When driver.kind=auto is set, + each Falco instance dynamically selects the most suitable + driver (e.g., ebpf, kmod, modern_ebpf) for the node. + +-------------------------------------------------------+ + | Kubernetes Cluster | + | | + | +-------------------+ +-------------------+ | + | | Node 1 | | Node 2 | | + | | | | | | + | | Falco (ebpf) | | Falco (kmod) | | + | +-------------------+ +-------------------+ | + | | + | +-------------------+ | + | | Node 3 | | + | | | | + | | Falco (modern_ebpf)| | + | +-------------------+ | + +-------------------------------------------------------+ + ## v4.8.2 * fix(falco): correctly mount host filesystems when driver.kind is auto diff --git a/charts/falco/Chart.yaml b/charts/falco/Chart.yaml index 734ce0c46..319c3ab22 100644 --- a/charts/falco/Chart.yaml +++ b/charts/falco/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: falco -version: 4.8.2 +version: 4.8.3 appVersion: "0.38.2" description: Falco keywords: diff --git a/charts/falco/README.md b/charts/falco/README.md index 92d8c0136..b6be5baef 100644 --- a/charts/falco/README.md +++ b/charts/falco/README.md @@ -581,7 +581,7 @@ If you use a Proxy in your cluster, the requests between `Falco` and `Falcosidek ## Configuration -The following table lists the main configurable parameters of the falco chart v4.8.2 and their default values. See [values.yaml](./values.yaml) for full list. +The following table lists the main configurable parameters of the falco chart v4.8.3 and their default values. See [values.yaml](./values.yaml) for full list. ## Values diff --git a/charts/falco/templates/pod-template.tpl b/charts/falco/templates/pod-template.tpl index 1a098b3d0..d062336d8 100644 --- a/charts/falco/templates/pod-template.tpl +++ b/charts/falco/templates/pod-template.tpl @@ -128,6 +128,10 @@ spec: - mountPath: /usr/share/falco/plugins name: plugins-install-dir {{- end }} + {{- end }} + {{- if eq (include "driverLoader.enabled" .) "true" }} + - mountPath: /etc/falco/config.d + name: specialized-falco-configs {{- end }} - mountPath: /root/.falco name: root-falco-fs @@ -227,6 +231,10 @@ spec: {{- include "falcoctl.initContainer" . | nindent 4 }} {{- end }} volumes: + {{- if eq (include "driverLoader.enabled" .) "true" }} + - name: specialized-falco-configs + emptyDir: {} + {{- end }} {{- if or .Values.falcoctl.artifact.install.enabled .Values.falcoctl.artifact.follow.enabled }} - name: plugins-install-dir emptyDir: {} @@ -384,6 +392,8 @@ spec: - mountPath: /host/etc name: etc-fs readOnly: true + - mountPath: /etc/falco/config.d + name: specialized-falco-configs env: - name: HOST_ROOT value: /host @@ -395,6 +405,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: FALCOCTL_DRIVER_CONFIG_CONFIGMAP + value: {{ include "falco.fullname" . }} {{- else }} - name: FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO value: "false" diff --git a/charts/falco/tests/unit/driverLoader_test.go b/charts/falco/tests/unit/driverLoader_test.go index d61990413..6e4fe4273 100644 --- a/charts/falco/tests/unit/driverLoader_test.go +++ b/charts/falco/tests/unit/driverLoader_test.go @@ -36,6 +36,11 @@ var ( }, }} + configmapEnvVar = v1.EnvVar{ + Name: "FALCOCTL_DRIVER_CONFIG_CONFIGMAP", + Value: releaseName + "-falco", + } + updateConfigMapEnvVar = v1.EnvVar{ Name: "FALCOCTL_DRIVER_CONFIG_UPDATE_FALCO", Value: "false", @@ -64,7 +69,11 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Contains(t, container.Args, "auto") require.True(t, *container.SecurityContext.Privileged) require.Contains(t, container.Env, namespaceEnvVar) + require.Contains(t, container.Env, configmapEnvVar) require.NotContains(t, container.Env, updateConfigMapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -124,7 +133,11 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Contains(t, container.Args, "kmod") require.True(t, *container.SecurityContext.Privileged) require.NotContains(t, container.Env, namespaceEnvVar) + require.NotContains(t, container.Env, configmapEnvVar) require.Contains(t, container.Env, updateConfigMapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -139,7 +152,11 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Contains(t, container.Args, "kmod") require.True(t, *container.SecurityContext.Privileged) require.NotContains(t, container.Env, namespaceEnvVar) + require.NotContains(t, container.Env, configmapEnvVar) require.Contains(t, container.Env, updateConfigMapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -155,6 +172,10 @@ func TestDriverLoaderEnabled(t *testing.T) { require.Nil(t, container.SecurityContext) require.NotContains(t, container.Env, namespaceEnvVar) require.Contains(t, container.Env, updateConfigMapEnvVar) + require.NotContains(t, container.Env, configmapEnvVar) + + // Check that the expected volumes are there. + volumeMounts(t, container.VolumeMounts) }, }, { @@ -190,3 +211,55 @@ func TestDriverLoaderEnabled(t *testing.T) { }) } } + +// volumenMounts checks that the expected volume mounts have been configured. +func volumeMounts(t *testing.T, volumeMounts []v1.VolumeMount) { + rootFalcoFS := v1.VolumeMount{ + Name: "root-falco-fs", + ReadOnly: false, + MountPath: "/root/.falco", + } + require.Contains(t, volumeMounts, rootFalcoFS) + + procFS := v1.VolumeMount{ + Name: "proc-fs", + ReadOnly: true, + MountPath: "/host/proc", + } + require.Contains(t, volumeMounts, procFS) + + bootFS := v1.VolumeMount{ + Name: "boot-fs", + ReadOnly: true, + MountPath: "/host/boot", + } + require.Contains(t, volumeMounts, bootFS) + + libModulesFS := v1.VolumeMount{ + Name: "lib-modules", + ReadOnly: false, + MountPath: "/host/lib/modules", + } + require.Contains(t, volumeMounts, libModulesFS) + + usrFS := v1.VolumeMount{ + Name: "usr-fs", + ReadOnly: true, + MountPath: "/host/usr", + } + require.Contains(t, volumeMounts, usrFS) + + etcFS := v1.VolumeMount{ + Name: "etc-fs", + ReadOnly: true, + MountPath: "/host/etc", + } + require.Contains(t, volumeMounts, etcFS) + + specializedFalcoConfigs := v1.VolumeMount{ + Name: "specialized-falco-configs", + ReadOnly: false, + MountPath: "/etc/falco/config.d", + } + require.Contains(t, volumeMounts, specializedFalcoConfigs) +} diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml index bd8f2a61a..837a5e091 100644 --- a/charts/falco/values.yaml +++ b/charts/falco/values.yaml @@ -471,7 +471,7 @@ falcoctl: # -- The image repository to pull from. repository: falcosecurity/falcoctl # -- The image tag to pull. - tag: "0.9.0" + tag: "0.10.0" artifact: # -- Runs "falcoctl artifact install" command as an init container. It is used to install artfacts before # Falco starts. It provides them to Falco by using an emptyDir volume.