falcosecurity · leofvo · Oct 15, 2024 · Oct 15, 2024
diff --git a/charts/falco-talon/CHANGELOG.md b/charts/falco-talon/CHANGELOG.md
@@ -3,6 +3,11 @@
 This file documents all notable changes to Falco Talon Helm Chart. The release
 numbering uses [semantic versioning](http://semver.org).
 
+## 0.1.3 - 2024-10-15
+
+- Support resources name and namespace overrides
+- Fix issues to use custom rules
+
 ## 0.1.2 - 2024-10-14
 
 - remove all refs to the previous org

diff --git a/charts/falco-talon/Chart.yaml b/charts/falco-talon/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 0.1.1
 description: React to the events from Falco
 name: falco-talon
-version: 0.1.2
+version: 0.1.3
 keywords:
   - falco
   - monitoring

diff --git a/charts/falco-talon/README.md b/charts/falco-talon/README.md
@@ -58,7 +58,7 @@ helm delete falco-talon -n falco
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | affinity |
-| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesFiles":["rules.yaml","rules_override.yaml"],"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
+| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
 | config.aws | object | `{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""}` | aws |
 | config.aws.accesKey | string | `""` | access key (if not specified, default access_key from provider credential chain will be used) |
 | config.aws.externalId | string | `""` | external id |
@@ -111,9 +111,10 @@ helm delete falco-talon -n falco
 | config.otel.metricsEnabled | bool | `false` | enable otel metrics |
 | config.otel.tracesEnabled | bool | `false` | enable otel traces |
 | config.printAllEvents | bool | `false` | print in stdout all received events, not only those which match a rule |
-| config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map |
 | config.watchRules | bool | `true` | auto reload the rules when the files change |
+| customRules | object | `{}` | Third party rules enabled for Falco. More info on the dedicated section in README.md file. |
 | extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env |
+| fullnameOverride | string | `""` | Same as nameOverride but for the fullname. |
 | image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters |
 | image.pullPolicy | string | `"Always"` | The image pull policy |
 | image.registry | string | `"falco.docker.scarf.sh"` | The image registry to pull from |
@@ -125,7 +126,8 @@ helm delete falco-talon -n falco
 | ingress.enabled | bool | `false` | enable the ingress |
 | ingress.hosts | list | `[{"host":"falco-talon.local","paths":[{"path":"/"}]}]` | hosts |
 | ingress.tls | list | `[]` | tls |
-| nameOverride | string | `""` | override name |
+| nameOverride | string | `""` | Put here the new name if you want to override the release name used for Falco-talon components. |
+| namespaceOverride | string | `""` | Override the deployment namespace |
 | nodeSelector | object | `{}` | node selector |
 | podAnnotations | object | `{}` | pod annotations |
 | podSecurityContext | object | `{"fsGroup":1234,"runAsUser":1234}` | pod security context |

diff --git a/charts/falco-talon/rules.yaml b/charts/falco-talon/rules.yaml
diff --git a/charts/falco-talon/rules_override.yaml b/charts/falco-talon/rules_override.yaml
diff --git a/charts/falco-talon/templates/_helpers.tpl b/charts/falco-talon/templates/_helpers.tpl
@@ -6,13 +6,38 @@ Expand the name of the chart.
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "falco-talon.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "falco-talon.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Allow the release namespace to be overridden
+*/}}
+{{- define "falco-talon.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride -}}
+{{- end -}}
+
 {{/*
 Return the appropriate apiVersion for ingress.
 */}}

diff --git a/charts/falco-talon/templates/clusterrole.yaml b/charts/falco-talon/templates/clusterrole.yaml
@@ -3,7 +3,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ template "falco-talon.name" .}}
+  name: {{ template "falco-talon.fullname" .}}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
 rules:
@@ -12,7 +12,7 @@ rules:
     resources:
       - podsecuritypolicies
     resourceNames:
-      - {{ template "falco-talon.name" . }}
+      - {{ template "falco-talon.fullname" . }}
     verbs:
       - use
 {{- end }}
diff --git a/charts/falco-talon/templates/configmap.yaml b/charts/falco-talon/templates/configmap.yaml
@@ -1,12 +1,14 @@
+{{- if .Values.customRules }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "falco-talon.name" . }}-rules
+  name: {{ include "falco-talon.fullname" . }}-rules
+  namespace: {{ include "falco-talon.namespace" . }}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
 data:
-  rules.yaml: |-
-{{- range $file := .Values.config.rulesFiles -}}
-{{ $fileContent := $.Files.Get . }}
-{{- $fileContent | nindent 4 -}}
-{{- end -}}
+{{- range $file, $content :=  .Values.customRules }}
+  {{ $file }}: |-
+{{ $content | indent 4}}
+{{- end }}
+{{- end }}
diff --git a/charts/falco-talon/templates/deployment.yaml b/charts/falco-talon/templates/deployment.yaml
@@ -2,15 +2,15 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "falco-talon.name" . }}
+  name: {{ include "falco-talon.fullname" . }}
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
 spec:
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
-      app.kubernetes.io/name: {{ include "falco-talon.name" . }}
+      app.kubernetes.io/name: {{ include "falco-talon.fullname" . }}
       app.kubernetes.io/instance: {{ .Release.Name }}
   template:
     metadata:
@@ -22,7 +22,7 @@ spec:
       annotations:
         timestamp: {{ now }}
     spec:
-      serviceAccountName: {{ include "falco-talon.name" . }}
+      serviceAccountName: {{ include "falco-talon.fullname" . }}
       {{- if .Values.priorityClassName }}
       priorityClassName: "{{ .Values.priorityClassName }}"
       {{- end }}
@@ -88,7 +88,7 @@ spec:
       volumes:
         - name: "rules"
           configMap:
-            name: "{{ include "falco-talon.name" . }}-rules"
+            name: "{{ include "falco-talon.fullname" . }}-rules"
         - name: "config"
           secret:
-            secretName: "{{ include "falco-talon.name" . }}-config"
+            secretName: "{{ include "falco-talon.fullname" . }}-config"
diff --git a/charts/falco-talon/templates/ingress.yaml b/charts/falco-talon/templates/ingress.yaml
@@ -1,13 +1,13 @@
 {{- if .Values.ingress.enabled -}}
-{{- $name := include "falco-talon.name" . -}}
+{{- $name := include "falco-talon.fullname" . -}}
 {{- $ingressApiIsStable := eq (include "falco-talon.ingress.isStable" .) "true" -}}
 {{- $ingressSupportsPathType := eq (include "falco-talon.ingress.supportsPathType" .) "true" -}}
 ---
 apiVersion: {{ include "falco-talon.ingress.apiVersion" . }}
 kind: Ingress
 metadata:
   name: {{ $name }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "falco-talon.namespace" . }}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
     {{- with .Values.ingress.annotations }}

diff --git a/charts/falco-talon/templates/podsecuritypolicy.yaml b/charts/falco-talon/templates/podsecuritypolicy.yaml
@@ -2,7 +2,7 @@
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-  name: {{ template "falco-talon.name" . }}
+  name: {{ template "falco-talon.fullname" . }}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
 spec:

diff --git a/charts/falco-talon/templates/rbac.yaml b/charts/falco-talon/templates/rbac.yaml
@@ -2,18 +2,18 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "falco-talon.name" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "falco-talon.fullname" . }}
+  namespace: {{ include "falco-talon.namespace" . }}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "falco-talon.name" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "falco-talon.fullname" . }}
+  namespace: {{ include "falco-talon.namespace" . }}
   labels:
-    app.kubernetes.io/name: {{ include "falco-talon.name" . }}
+    app.kubernetes.io/name: {{ include "falco-talon.fullname" . }}
     helm.sh/chart: {{ include "falco-talon.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
@@ -184,26 +184,26 @@ rules:
   resources:
     - podsecuritypolicies
   resourceNames:
-    - {{ template "falco-talon.name" . }}
+    - {{ template "falco-talon.fullname" . }}
   verbs:
     - use
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "falco-talon.name" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "falco-talon.fullname" . }}
+  namespace: {{ include "falco-talon.namespace" . }}
   labels:
-    app.kubernetes.io/name: {{ include "falco-talon.name" . }}
+    app.kubernetes.io/name: {{ include "falco-talon.fullname" . }}
     helm.sh/chart: {{ include "falco-talon.chart" . }}
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ include "falco-talon.name" . }}
+  name: {{ include "falco-talon.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ include "falco-talon.name" . }}
+  name: {{ include "falco-talon.fullname" . }}
   namespace: {{ .Release.Namespace }}
diff --git a/charts/falco-talon/templates/secrets.yaml b/charts/falco-talon/templates/secrets.yaml
@@ -1,7 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "falco-talon.name" . }}-config
+  name: {{ include "falco-talon.fullname" . }}-config
+  namespace: {{ include "falco-talon.namespace" . }}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
 stringData:

diff --git a/charts/falco-talon/templates/servicemonitor.yaml b/charts/falco-talon/templates/servicemonitor.yaml
@@ -8,8 +8,8 @@ metadata:
     {{- with .Values.serviceMonitor.additionalLabels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-  name: {{ include "falco-talon.name" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "falco-talon.fullname" . }}
+  namespace: {{ include "falco-talon.namespace" . }}
 spec:
   endpoints:
     - port: {{ .Values.serviceMonitor.port }}

diff --git a/charts/falco-talon/templates/services.yaml b/charts/falco-talon/templates/services.yaml
@@ -2,8 +2,8 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "falco-talon.name" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ include "falco-talon.fullname" . }}
+  namespace: {{ include "falco-talon.namespace" . }}
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
   {{- with .Values.service.annotations }}

diff --git a/charts/falco-talon/values.yaml b/charts/falco-talon/values.yaml
@@ -32,8 +32,12 @@ podSecurityContext:
 imagePullSecrets: []
 # - registrySecretName
 
-# -- override name
+# -- Put here the new name if you want to override the release name used for Falco-talon components.
 nameOverride: ""
+# -- Same as nameOverride but for the fullname.
+fullnameOverride: ""
+# -- Override the deployment namespace
+namespaceOverride: ""
 
 # -- extra env
 extraEnv:
@@ -141,11 +145,6 @@ config:
   # -- auto reload the rules when the files change
   watchRules: true
 
-  # -- list of locale rules to load, they will be concatenated into a single config map
-  rulesFiles:
-    - rules.yaml
-    - rules_override.yaml
-
   # -- deduplication of the Falco events
   deduplication:
     # -- enable the leader election for cluster mode
@@ -281,3 +280,36 @@ serviceMonitor:
     # caFile: /path/to/ca.crt
     # certFile: /path/to/client.crt
     # keyFile: /path/to/client.key
+
+# -- Third party rules enabled for Falco-talon. More info on the dedicated section in README.md file.
+customRules:
+  {}
+  # Although Falco comes with a nice default rule set for detecting weird
+  # behavior in containers, our users are going to customize the run-time
+  # security rule sets or policies for the specific container images and
+  # applications they run. This feature can be handled in this section.
+  #
+  # Example:
+  #
+  # rules.yaml: |-
+  #   - action: Terminate Pod
+  #     actionner: kubernetes:terminate
+  #     parameters:
+  #       ignore_daemonsets: true
+  #       ignore_statefulsets: true
+  #       grace_period_seconds: 2
+
+  #   - action: Label Pod as Suspicious
+  #     actionner: kubernetes:label
+  #     parameters:
+  #       labels:
+  #         analysis/status: "suspicious"
+
+  #   - rule: Terminal shell in container
+  #     match:
+  #       rules:
+  #         - Terminal shell in container
+  #       output_fields:
+  #         - k8s.ns.name!=kube-system, k8s.ns.name!=falco
+  #     actions:
+  #       - action: Label Pod as Suspicious