refactor(falco-talon): add rules from helm values

According to falco rules, integrated rules in the helm values over yaml file. This allow user to easily customize rules. Signed-off-by: LeoFVO <[email protected]>
falcosecurity · Oct 15, 2024 · 1029ece · 1029ece
1 parent 163e903
commit 1029ece
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 33 deletions.
diff --git a/charts/falco-talon/rules.yaml b/charts/falco-talon/rules.yaml
diff --git a/charts/falco-talon/rules_override.yaml b/charts/falco-talon/rules_override.yaml
diff --git a/charts/falco-talon/templates/configmap.yaml b/charts/falco-talon/templates/configmap.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.customRules }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -6,8 +7,8 @@ metadata:
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
 data:
-  rules.yaml: |-
-{{- range $file := .Values.config.rulesFiles -}}
-{{ $fileContent := $.Files.Get . }}
-{{- $fileContent | nindent 4 -}}
-{{- end -}}
+{{- range $file, $content :=  .Values.customRules }}
+  {{ $file }}: |-
+{{ $content | indent 4}}
+{{- end }}
+{{- end }}
diff --git a/charts/falco-talon/values.yaml b/charts/falco-talon/values.yaml
@@ -145,11 +145,6 @@ config:
   # -- auto reload the rules when the files change
   watchRules: true
 
-  # -- list of locale rules to load, they will be concatenated into a single config map
-  rulesFiles:
-    - rules.yaml
-    - rules_override.yaml
-
   # -- deduplication of the Falco events
   deduplication:
     # -- enable the leader election for cluster mode
@@ -285,3 +280,36 @@ serviceMonitor:
     # caFile: /path/to/ca.crt
     # certFile: /path/to/client.crt
     # keyFile: /path/to/client.key
+
+# -- Third party rules enabled for Falco. More info on the dedicated section in README.md file.
+customRules:
+  {}
+  # Although Falco comes with a nice default rule set for detecting weird
+  # behavior in containers, our users are going to customize the run-time
+  # security rule sets or policies for the specific container images and
+  # applications they run. This feature can be handled in this section.
+  #
+  # Example:
+  #
+  # rules.yaml: |-
+  #   - action: Terminate Pod
+  #     actionner: kubernetes:terminate
+  #     parameters:
+  #       ignore_daemonsets: true
+  #       ignore_statefulsets: true
+  #       grace_period_seconds: 2
+
+  #   - action: Label Pod as Suspicious
+  #     actionner: kubernetes:label
+  #     parameters:
+  #       labels:
+  #         analysis/status: "suspicious"
+
+  #   - rule: Terminal shell in container 
+  #     match:
+  #       rules:
+  #         - Terminal shell in container
+  #       output_fields:
+  #         - k8s.ns.name!=kube-system, k8s.ns.name!=falco
+  #     actions:
+  #       - action: Label Pod as Suspicious