From dfb2b01cc993065acd4466c95e8bdc0d95bdb64b Mon Sep 17 00:00:00 2001 From: LeoFVO Date: Tue, 15 Oct 2024 22:12:59 +0200 Subject: [PATCH 1/2] refactor(falco-talon): allow namespace overwrite and prefer use fullname for resources naming Uniformized the chart resources name and overwrite according to falco codebase Signed-off-by: LeoFVO --- charts/falco-talon/CHANGELOG.md | 4 +++ charts/falco-talon/README.md | 4 ++- charts/falco-talon/templates/_helpers.tpl | 25 +++++++++++++++++++ charts/falco-talon/templates/clusterrole.yaml | 4 +-- charts/falco-talon/templates/configmap.yaml | 3 ++- charts/falco-talon/templates/deployment.yaml | 10 ++++---- charts/falco-talon/templates/ingress.yaml | 4 +-- .../templates/podsecuritypolicy.yaml | 2 +- charts/falco-talon/templates/rbac.yaml | 22 ++++++++-------- charts/falco-talon/templates/secrets.yaml | 3 ++- .../falco-talon/templates/servicemonitor.yaml | 4 +-- charts/falco-talon/templates/services.yaml | 4 +-- charts/falco-talon/values.yaml | 6 ++++- 13 files changed, 66 insertions(+), 29 deletions(-) diff --git a/charts/falco-talon/CHANGELOG.md b/charts/falco-talon/CHANGELOG.md index 28cfa7b0b..263883265 100644 --- a/charts/falco-talon/CHANGELOG.md +++ b/charts/falco-talon/CHANGELOG.md @@ -3,6 +3,10 @@ This file documents all notable changes to Falco Talon Helm Chart. The release numbering uses [semantic versioning](http://semver.org). +## 0.1.3 - 2024-10-15 + +- Support resources name and namespace overrides + ## 0.1.2 - 2024-10-14 - remove all refs to the previous org diff --git a/charts/falco-talon/README.md b/charts/falco-talon/README.md index 01350e7a9..1b15acd97 100644 --- a/charts/falco-talon/README.md +++ b/charts/falco-talon/README.md 
@@ -114,6 +114,7 @@ helm delete falco-talon -n falco | config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map | | config.watchRules | bool | `true` | auto reload the rules when the files change | | extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env | +| fullnameOverride | string | `""` | Same as nameOverride but for the fullname. | | image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters | | image.pullPolicy | string | `"Always"` | The image pull policy | | image.registry | string | `"falco.docker.scarf.sh"` | The image registry to pull from | @@ -125,7 +126,8 @@ helm delete falco-talon -n falco | ingress.enabled | bool | `false` | enable the ingress | | ingress.hosts | list | `[{"host":"falco-talon.local","paths":[{"path":"/"}]}]` | hosts | | ingress.tls | list | `[]` | tls | -| nameOverride | string | `""` | override name | +| nameOverride | string | `""` | Put here the new name if you want to override the release name used for Falco-talon components. | +| namespaceOverride | string | `""` | Override the deployment namespace | | nodeSelector | object | `{}` | node selector | | podAnnotations | object | `{}` | pod annotations | | podSecurityContext | object | `{"fsGroup":1234,"runAsUser":1234}` | pod security context | diff --git a/charts/falco-talon/templates/_helpers.tpl b/charts/falco-talon/templates/_helpers.tpl index 70e9bb80e..9fa98dda9 100644 --- a/charts/falco-talon/templates/_helpers.tpl +++ b/charts/falco-talon/templates/_helpers.tpl 
@@ -6,6 +6,24 @@ Expand the name of the chart. {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "falco-talon.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + {{/* Create chart name and version as used by the chart label. */}} @@ -13,6 +31,13 @@ Create chart name and version as used by the chart label. {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Allow the release namespace to be overridden +*/}} +{{- define "falco-talon.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride -}} +{{- end -}} + {{/* Return the appropriate apiVersion for ingress. */}} diff --git a/charts/falco-talon/templates/clusterrole.yaml b/charts/falco-talon/templates/clusterrole.yaml index 9f940774a..4e23aca74 100644 --- a/charts/falco-talon/templates/clusterrole.yaml +++ b/charts/falco-talon/templates/clusterrole.yaml @@ -3,7 +3,7 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ template "falco-talon.name" .}} + name: {{ template "falco-talon.fullname" .}} labels: {{- include "falco-talon.labels" . | nindent 4 }} rules: @@ -12,7 +12,7 @@ rules: resources: - podsecuritypolicies resourceNames: - - {{ template "falco-talon.name" . }} + - {{ template "falco-talon.fullname" . }} verbs: - use {{- end }} \ No newline at end of file 
diff --git a/charts/falco-talon/templates/configmap.yaml b/charts/falco-talon/templates/configmap.yaml index fcb0998ef..53b8da1e3 100644 --- a/charts/falco-talon/templates/configmap.yaml +++ b/charts/falco-talon/templates/configmap.yaml @@ -1,7 +1,8 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "falco-talon.name" . }}-rules + name: {{ include "falco-talon.fullname" . }}-rules + namespace: {{ include "falco-talon.namespace" . }} labels: {{- include "falco-talon.labels" . | nindent 4 }} data: diff --git a/charts/falco-talon/templates/deployment.yaml b/charts/falco-talon/templates/deployment.yaml index f4ac78912..c1172ed65 100644 --- a/charts/falco-talon/templates/deployment.yaml +++ b/charts/falco-talon/templates/deployment.yaml @@ -2,7 +2,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "falco-talon.name" . }} + name: {{ include "falco-talon.fullname" . }} namespace: {{ .Release.Namespace }} labels: {{- include "falco-talon.labels" . | nindent 4 }} @@ -10,7 +10,7 @@ spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: - app.kubernetes.io/name: {{ include "falco-talon.name" . }} + app.kubernetes.io/name: {{ include "falco-talon.fullname" . }} app.kubernetes.io/instance: {{ .Release.Name }} template: metadata: @@ -22,7 +22,7 @@ spec: annotations: timestamp: {{ now }} spec: - serviceAccountName: {{ include "falco-talon.name" . }} + serviceAccountName: {{ include "falco-talon.fullname" . }} {{- if .Values.priorityClassName }} priorityClassName: "{{ .Values.priorityClassName }}" {{- end }} @@ -88,7 +88,7 @@ spec: volumes: - name: "rules" configMap: - name: "{{ include "falco-talon.name" . }}-rules" + name: "{{ include "falco-talon.fullname" . }}-rules" - name: "config" secret: - secretName: "{{ include "falco-talon.name" . }}-config" \ No newline at end of file + secretName: "{{ include "falco-talon.fullname" . }}-config" \ No newline at end of file 
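Review bot: The Deployment keeps `namespace: {{ .Release.Namespace }}` (context line in the first hunk) while the `-rules` ConfigMap, `-config` Secret and ServiceAccount it references are moved to `{{ include "falco-talon.namespace" . }}`, so with `namespaceOverride` set the pod is created in a namespace where its service account and both volumes do not exist. The same mismatch is on the ServiceAccount subject at the end of rbac.yaml's ClusterRoleBinding hunk, which keeps `namespace: {{ .Release.Namespace }}` and would bind the cluster-wide permissions to a service account that is never created. Both lines should read `namespace: {{ include "falco-talon.namespace" . }}`. Separately, changing `spec.selector.matchLabels` to the fullname rewrites an immutable field for any release whose name does not contain `falco-talon`, so `helm upgrade` from 0.1.2 will be rejected, and the pod template labels the selector must match are outside this hunk, so confirm they use the same helper.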
diff --git a/charts/falco-talon/templates/ingress.yaml b/charts/falco-talon/templates/ingress.yaml index 7c158e675..70315f5b8 100644 --- a/charts/falco-talon/templates/ingress.yaml +++ b/charts/falco-talon/templates/ingress.yaml @@ -1,5 +1,5 @@ {{- if .Values.ingress.enabled -}} -{{- $name := include "falco-talon.name" . -}} +{{- $name := include "falco-talon.fullname" . -}} {{- $ingressApiIsStable := eq (include "falco-talon.ingress.isStable" .) "true" -}} {{- $ingressSupportsPathType := eq (include "falco-talon.ingress.supportsPathType" .) "true" -}} --- @@ -7,7 +7,7 @@ apiVersion: {{ include "falco-talon.ingress.apiVersion" . }} kind: Ingress metadata: name: {{ $name }} - namespace: {{ .Release.Namespace }} + namespace: {{ include "falco-talon.namespace" . }} labels: {{- include "falco-talon.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} diff --git a/charts/falco-talon/templates/podsecuritypolicy.yaml b/charts/falco-talon/templates/podsecuritypolicy.yaml index 840a7e279..f079ea6c6 100644 --- a/charts/falco-talon/templates/podsecuritypolicy.yaml +++ b/charts/falco-talon/templates/podsecuritypolicy.yaml @@ -2,7 +2,7 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: - name: {{ template "falco-talon.name" . }} + name: {{ template "falco-talon.fullname" . }} labels: {{- include "falco-talon.labels" . | nindent 4 }} spec: diff --git a/charts/falco-talon/templates/rbac.yaml b/charts/falco-talon/templates/rbac.yaml index 50080a124..114276e04 100644 --- a/charts/falco-talon/templates/rbac.yaml +++ b/charts/falco-talon/templates/rbac.yaml 
@@ -2,18 +2,18 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "falco-talon.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "falco-talon.fullname" . }} + namespace: {{ include "falco-talon.namespace" . }} labels: {{- include "falco-talon.labels" . | nindent 4 }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ include "falco-talon.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "falco-talon.fullname" . }} + namespace: {{ include "falco-talon.namespace" . }} labels: - app.kubernetes.io/name: {{ include "falco-talon.name" . }} + app.kubernetes.io/name: {{ include "falco-talon.fullname" . }} helm.sh/chart: {{ include "falco-talon.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -184,7 +184,7 @@ rules: resources: - podsecuritypolicies resourceNames: - - {{ template "falco-talon.name" . }} + - {{ template "falco-talon.fullname" . }} verbs: - use {{- end }} @@ -192,18 +192,18 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ include "falco-talon.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "falco-talon.fullname" . }} + namespace: {{ include "falco-talon.namespace" . }} labels: - app.kubernetes.io/name: {{ include "falco-talon.name" . }} + app.kubernetes.io/name: {{ include "falco-talon.fullname" . }} helm.sh/chart: {{ include "falco-talon.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ include "falco-talon.name" . }} + name: {{ include "falco-talon.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "falco-talon.name" . }} + name: {{ include "falco-talon.fullname" . }} namespace: {{ .Release.Namespace }} \ No newline at end of file 
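Review bot: `namespace: {{ include "falco-talon.namespace" . }}` is set on the ClusterRole and ClusterRoleBinding metadata in the first and third hunks, but both kinds are cluster-scoped, so the API server discards the field and it only suggests the grant is namespace-bound when it is not; I would drop those two `namespace:` lines rather than route them through the new helper. The hand-written label block on both cluster-scoped objects now pins `app.kubernetes.io/name` to the fullname while the ServiceAccount above uses `{{- include "falco-talon.labels" . | nindent 4 }}`; unless the helper (not in this hunk) was changed to match, the two label sets disagree, and using the helper on all three objects would keep them consistent.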
diff --git a/charts/falco-talon/templates/secrets.yaml b/charts/falco-talon/templates/secrets.yaml index cd51d147a..811fc4a8f 100644 --- a/charts/falco-talon/templates/secrets.yaml +++ b/charts/falco-talon/templates/secrets.yaml @@ -1,7 +1,8 @@ apiVersion: v1 kind: Secret metadata: - name: {{ include "falco-talon.name" . }}-config + name: {{ include "falco-talon.fullname" . }}-config + namespace: {{ include "falco-talon.namespace" . }} labels: {{- include "falco-talon.labels" . | nindent 4 }} stringData: diff --git a/charts/falco-talon/templates/servicemonitor.yaml b/charts/falco-talon/templates/servicemonitor.yaml index 8a46726eb..582d59fc4 100644 --- a/charts/falco-talon/templates/servicemonitor.yaml +++ b/charts/falco-talon/templates/servicemonitor.yaml @@ -8,8 +8,8 @@ metadata: {{- with .Values.serviceMonitor.additionalLabels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ include "falco-talon.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "falco-talon.fullname" . }} + namespace: {{ include "falco-talon.namespace" . }} spec: endpoints: - port: {{ .Values.serviceMonitor.port }} diff --git a/charts/falco-talon/templates/services.yaml b/charts/falco-talon/templates/services.yaml index 14d4ce5f7..1b4fc5ce2 100644 --- a/charts/falco-talon/templates/services.yaml +++ b/charts/falco-talon/templates/services.yaml @@ -2,8 +2,8 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "falco-talon.name" . }} - namespace: {{ .Release.Namespace }} + name: {{ include "falco-talon.fullname" . }} + namespace: {{ include "falco-talon.namespace" . }} labels: {{- include "falco-talon.labels" . | nindent 4 }} {{- with .Values.service.annotations }} diff --git a/charts/falco-talon/values.yaml b/charts/falco-talon/values.yaml index 380cba120..48975c286 100644 --- a/charts/falco-talon/values.yaml +++ b/charts/falco-talon/values.yaml 
@@ -32,8 +32,12 @@ podSecurityContext: imagePullSecrets: [] # - registrySecretName -# -- override name +# -- Put here the new name if you want to override the release name used for Falco-talon components. nameOverride: "" +# -- Same as nameOverride but for the fullname. +fullnameOverride: "" +# -- Override the deployment namespace +namespaceOverride: "" # -- extra env extraEnv: From e38c6193acea302cee70d82ac58c8e95f87f81ed Mon Sep 17 00:00:00 2001 From: LeoFVO Date: Tue, 15 Oct 2024 22:18:47 +0200 Subject: [PATCH 2/2] refactor(falco-talon): add rules from helm values According to falco rules, integrated rules in the helm values over yaml file. This allow user to easily customize rules. Signed-off-by: LeoFVO --- charts/falco-talon/CHANGELOG.md | 1 + charts/falco-talon/Chart.yaml | 2 +- charts/falco-talon/README.md | 4 +-- charts/falco-talon/rules.yaml | 17 --------- charts/falco-talon/rules_override.yaml | 6 ---- charts/falco-talon/templates/configmap.yaml | 11 +++--- charts/falco-talon/values.yaml | 38 ++++++++++++++++++--- 7 files changed, 43 insertions(+), 36 deletions(-) delete mode 100644 charts/falco-talon/rules.yaml delete mode 100644 charts/falco-talon/rules_override.yaml diff --git a/charts/falco-talon/CHANGELOG.md b/charts/falco-talon/CHANGELOG.md index 263883265..6bcc73efe 100644 --- a/charts/falco-talon/CHANGELOG.md +++ b/charts/falco-talon/CHANGELOG.md @@ -6,6 +6,7 @@ numbering uses [semantic versioning](http://semver.org). ## 0.1.3 - 2024-10-15 - Support resources name and namespace overrides +- Fix issues to use custom rules ## 0.1.2 - 2024-10-14 diff --git a/charts/falco-talon/Chart.yaml b/charts/falco-talon/Chart.yaml index c08e87d20..c6871d480 100644 --- a/charts/falco-talon/Chart.yaml +++ b/charts/falco-talon/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: 0.1.1 description: React to the events from Falco name: falco-talon -version: 0.1.2 +version: 0.1.3 keywords: - falco - monitoring 
diff --git a/charts/falco-talon/README.md b/charts/falco-talon/README.md index 1b15acd97..2f5002c93 100644 --- a/charts/falco-talon/README.md +++ b/charts/falco-talon/README.md 
@@ -58,7 +58,7 @@ helm delete falco-talon -n falco | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | affinity | -| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesFiles":["rules.yaml","rules_override.yaml"],"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) | +| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco 
Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) | | config.aws | object | `{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""}` | aws | | config.aws.accesKey | string | `""` | access key (if not specified, default access_key from provider credential chain will be used) | | config.aws.externalId | string | `""` | external id | @@ -111,8 +111,8 @@ helm delete falco-talon -n falco | config.otel.metricsEnabled | bool | `false` | enable otel metrics | | config.otel.tracesEnabled | bool | `false` | enable otel traces | | config.printAllEvents | bool | `false` | print in stdout all received events, not only those which match a rule | -| config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map | | config.watchRules | bool | `true` | auto reload the rules when the files change | +| customRules | object | `{}` | Third party rules enabled for Falco. More info on the dedicated section in README.md file. | | extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env | | fullnameOverride | string | `""` | Same as nameOverride but for the fullname. | | image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters | diff --git a/charts/falco-talon/rules.yaml b/charts/falco-talon/rules.yaml deleted file mode 100644 index dbc9f315c..000000000 --- a/charts/falco-talon/rules.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -- action: Terminate Pod - actionner: kubernetes:terminate - -- action: Label Pod as Suspicious - actionner: kubernetes:label - parameters: - labels: - analysis/status: "suspicious" - -- rule: Terminal shell in container - match: - rules: - - Terminal shell in container - output_fields: - - k8s.ns.name!=kube-system, k8s.ns.name!=falco - actions: - - action: Label Pod as Suspicious diff --git a/charts/falco-talon/rules_override.yaml b/charts/falco-talon/rules_override.yaml deleted file mode 100644 index a75af42c4..000000000 --- a/charts/falco-talon/rules_override.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- action: Terminate Pod - actionner: kubernetes:terminate - parameters: - ignore_daemonsets: true - ignore_statefulsets: true - grace_period_seconds: 2 \ No newline at end of file diff --git a/charts/falco-talon/templates/configmap.yaml b/charts/falco-talon/templates/configmap.yaml index 53b8da1e3..82b5cb234 100644 --- a/charts/falco-talon/templates/configmap.yaml +++ b/charts/falco-talon/templates/configmap.yaml @@ -1,3 +1,4 @@ +{{- if .Values.customRules }} apiVersion: v1 kind: ConfigMap metadata: @@ -6,8 +7,8 @@ metadata: labels: {{- include "falco-talon.labels" . | nindent 4 }} data: - rules.yaml: |- -{{- range $file := .Values.config.rulesFiles -}} -{{ $fileContent := $.Files.Get . }} -{{- $fileContent | nindent 4 -}} -{{- end -}} +{{- range $file, $content := .Values.customRules }} + {{ $file }}: |- +{{ $content | indent 4}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/falco-talon/values.yaml b/charts/falco-talon/values.yaml index 48975c286..e0697a5a7 100644 --- a/charts/falco-talon/values.yaml +++ b/charts/falco-talon/values.yaml 
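Review bot: Guarding the ConfigMap with `{{- if .Values.customRules }}` while deployment.yaml still mounts `{{ include "falco-talon.fullname" . }}-rules` unconditionally means the default `customRules: {}` renders a Deployment whose `rules` volume points at a ConfigMap that does not exist, so pods stay in ContainerCreating; either always render the ConfigMap (empty `data` is valid) or add `optional: true` to that volume in deployment.yaml. With `config.rulesFiles` removed from values.yaml, also confirm Talon's built-in default rules path matches the key names users are expected to supply here, since nothing in the chart now tells it which file to load. On the data line, `{{ $content | indent 4}}` is missing the space before `}}`, and the key is safer written `{{ $file | quote }}: |-` so a value key that looks like a number or boolean cannot be retyped.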
@@ -145,11 +145,6 @@ config: # -- auto reload the rules when the files change watchRules: true - # -- list of locale rules to load, they will be concatenated into a single config map - rulesFiles: - - rules.yaml - - rules_override.yaml - # -- deduplication of the Falco events deduplication: # -- enable the leader election for cluster mode @@ -285,3 +280,36 @@ serviceMonitor: # caFile: /path/to/ca.crt # certFile: /path/to/client.crt # keyFile: /path/to/client.key + +# -- Third party rules enabled for Falco-talon. More info on the dedicated section in README.md file. +customRules: + {} + # Although Falco comes with a nice default rule set for detecting weird + # behavior in containers, our users are going to customize the run-time + # security rule sets or policies for the specific container images and + # applications they run. This feature can be handled in this section. + # + # Example: + # + # rules.yaml: |- + # - action: Terminate Pod + # actionner: kubernetes:terminate + # parameters: + # ignore_daemonsets: true + # ignore_statefulsets: true + # grace_period_seconds: 2 + + # - action: Label Pod as Suspicious + # actionner: kubernetes:label + # parameters: + # labels: + # analysis/status: "suspicious" + + # - rule: Terminal shell in container + # match: + # rules: + # - Terminal shell in container + # output_fields: + # - k8s.ns.name!=kube-system, k8s.ns.name!=falco + # actions: + # - action: Label Pod as Suspicious
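Review bot: The chart now installs with no response rules at all by default: the former rules.yaml/rules_override.yaml content survives only as the commented example under `customRules`, so a user upgrading from 0.1.2 silently loses the "Terminal shell in container" labelling action, and the CHANGELOG entry "Fix issues to use custom rules" does not say so; the value comment should state that no rules are shipped unless `customRules` is set. The explanatory comment was copied from the Falco chart ("Although Falco comes with a nice default rule set for detecting weird behavior in containers") and describes Falco detection rules rather than Talon response rules; I would rewrite it as `# Rules (action/actionner/rule entries) loaded by Falco Talon; each key becomes a file in the rules ConfigMap.` Finally, `customRules:` followed by `{}` on its own indented line is valid but unusual for this file, which writes `imagePullSecrets: []` on one line; `customRules: {}` reads more consistently.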