-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhelm.values.yml
executable file
·106 lines (100 loc) · 3.13 KB
/
helm.values.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
# Attach the Falco process to a tty inside the container.
# Needed to flush Falco logs as soon as they are emitted.
# Set it to "true" when you need the Falco logs to be immediately displayed.
tty: true
falcosidekick:
# Activating FalcoSidekick means configuring the Falco HTTP output to the FalcoSideKick instance
enabled: true
config:
#
webhook:
address: http://falco-talon:2803
webui:
enabled: true
replicaCount: 1
# -- User in format <login>:<password>
user: "admin:admin"
ingress:
enabled: true
ingressClassName: nginx
hosts:
- host: falcosidekick-ui.127.0.0.1.nip.io
paths:
- path: /
customRules:
{}
services:
# The Kubernetes Audit Log is now supported via the built-in k8saudit plugin.
# It is entirely up to you to set up the webhook backend of the Kubernetes API server to forward the Audit Log event to the Falco listening port.
- name: k8saudit-webhook
type: NodePort
ports:
- port: 9765 # See plugin open_params
nodePort: 30007
protocol: TCP
falco:
json_output: true
# -- Redirect logs to standard output.
stdout_output:
enabled: true
# -- Plugins to install
load_plugins:
# Need config kube-apiserver to send Audit Logs to Falco Embedded WebServer
# Doc : https://sysdig.com/blog/kubernetes-audit-log-falco/
- k8saudit
- json
# -- Customize subsettings for each enabled plugin. These settings will only be
# applied when the corresponding plugin is enabled using the `load_plugins`
# option.
plugins:
- name: k8saudit
library_path: libk8saudit.so
init_config:
# maxEventSize: 262144
# webhookMaxBatchSize: 12582912
# sslCertificate: /etc/falco/falco.pem
open_params: "http://:9765/k8s-audit"
- name: cloudtrail
library_path: libcloudtrail.so
# see docs for init_config and open_params:
# https://github.com/falcosecurity/plugins/blob/master/plugins/cloudtrail/README.md
- name: json
library_path: libjson.so
init_config: ""
# -- Rules are loaded by the engine
rules_file:
- /etc/falco/k8s_audit_rules.yaml
- /etc/falco/falco_rules.yaml
- /etc/falco/falco_rules.local.yaml
# -- Rules defined in .customRules:
- /etc/falco/rules.d
# Falco supports an embedded webserver that runs within the Falco process,
# providing a lightweight and efficient way to expose web-based functionalities without the need for an external web server.
# It will be particularly important for the k8s_audit plugin, as it will expose the ":8765/k8s_audit" webhook via this webserver.
webserver:
enabled: true
listen_port: 8765
falcoctl:
artifact:
install:
enabled: true
follow:
enabled: true
config:
indexes:
- name: falcosecurity
url: https://falcosecurity.github.io/falcoctl/index.yaml
artifact:
install:
refs:
- falco-rules:3
- k8saudit-rules:0
- k8saudit:0
- json:0
follow:
every: 1h
refs:
- falco-rules:3
- k8saudit-rules:0
- k8saudit:0
- json:0