refactor(falco-talon): add rules from helm values
According to Falco rules, integrated rules in the Helm values over a YAML file.
This allows users to easily customize rules.

Signed-off-by: LeoFVO <[email protected]>
leofvo committed Oct 15, 2024
1 parent dfb2b01 commit 500d1c2
Showing 7 changed files with 43 additions and 36 deletions.
1 change: 1 addition & 0 deletions charts/falco-talon/CHANGELOG.md
Expand Up @@ -6,6 +6,7 @@ numbering uses [semantic versioning](http://semver.org).
## 0.1.3 - 2024-10-15

- Support resources name and namespace overrides
- Fix issues to use custom rules

## 0.1.2 - 2024-10-14

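Review bot: the 0.1.3 entry `- Fix issues to use custom rules` understates what this commit does to upgraders: it deletes the bundled `rules.yaml` and `rules_override.yaml` and drops `config.rulesFiles`, so a release upgraded without setting `customRules` ships with no response rules at all and Talon silently does nothing. State the removal explicitly, e.g. `- Remove bundled rules.yaml/rules_override.yaml; rules are now supplied through customRules`, so operators know they must migrate their rule files.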
2 changes: 1 addition & 1 deletion charts/falco-talon/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
appVersion: 0.1.1
description: React to the events from Falco
name: falco-talon
version: 0.1.2
version: 0.1.3
keywords:
- falco
- monitoring
4 changes: 2 additions & 2 deletions charts/falco-talon/README.md
Expand Up @@ -58,7 +58,7 @@ helm delete falco-talon -n falco
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | affinity |
| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesFiles":["rules.yaml","rules_override.yaml"],"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
| config.aws | object | `{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""}` | aws |
| config.aws.accesKey | string | `""` | access key (if not specified, default access_key from provider credential chain will be used) |
| config.aws.externalId | string | `""` | external id |
Expand Down Expand Up @@ -111,8 +111,8 @@ helm delete falco-talon -n falco
| config.otel.metricsEnabled | bool | `false` | enable otel metrics |
| config.otel.tracesEnabled | bool | `false` | enable otel traces |
| config.printAllEvents | bool | `false` | print in stdout all received events, not only those which match a rule |
| config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map |
| config.watchRules | bool | `true` | auto reload the rules when the files change |
| customRules | object | `{}` | Third party rules enabled for Falco. More info on the dedicated section in README.md file. |
| extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env |
| fullnameOverride | string | `""` | Same as nameOverride but for the fullname. |
| image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters |
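Review bot: the new `customRules` row describes them as "Third party rules enabled for Falco" and points to "the dedicated section in README.md file", but these are Falco Talon response rules (the values.yaml example uses `actionner` and `action`), not Falco detection rules, and this change adds no such README section. The table mirrors the `# --` comments in values.yaml, so correct the wording there and regenerate. The removed `config.rulesFiles` row was also the only place that told users how rule files are assembled; the new row should say that each `customRules` key becomes its own file in the ConfigMap.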
17 changes: 0 additions & 17 deletions charts/falco-talon/rules.yaml

This file was deleted.

6 changes: 0 additions & 6 deletions charts/falco-talon/rules_override.yaml

This file was deleted.

11 changes: 6 additions & 5 deletions charts/falco-talon/templates/configmap.yaml
@@ -1,3 +1,4 @@
{{- if .Values.customRules }}
apiVersion: v1
kind: ConfigMap
metadata:
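Review bot: wrapping the whole ConfigMap in `{{- if .Values.customRules }}` means nothing is rendered when `customRules` is left at its default `{}`. Any Deployment volume that mounts this ConfigMap (not visible in this diff) must be guarded by the same condition, otherwise pods on a default install stay in `ContainerCreating` with a missing-ConfigMap error; the alternative is to keep rendering an empty ConfigMap so the mount remains valid and Talon simply loads no rules.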
Expand All @@ -6,8 +7,8 @@ metadata:
labels:
{{- include "falco-talon.labels" . | nindent 4 }}
data:
rules.yaml: |-
{{- range $file := .Values.config.rulesFiles -}}
{{ $fileContent := $.Files.Get . }}
{{- $fileContent | nindent 4 -}}
{{- end -}}
{{- range $file, $content := .Values.customRules }}
{{ $file }}: |-
{{ $content | indent 4}}
{{- end }}
{{- end }}
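Review bot: replacing the ordered `rulesFiles` concatenation with `range $file, $content := .Values.customRules` changes the load order: Go templates iterate a map in sorted key order, so the previous `rules.yaml` then `rules_override.yaml` precedence now depends on how users name their keys, and the override semantics (whether Talon applies later files over earlier ones) need documenting. The loop also trusts `$file` and `$content` as-is; consider `{{ $file | quote }}: |-` for the key and a guard such as `{{- if not (hasSuffix ".yaml" $file) }}{{ fail (printf "customRules key %q must end in .yaml" $file) }}{{- end }}` so a bad key fails at template time instead of at pod start.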
38 changes: 33 additions & 5 deletions charts/falco-talon/values.yaml
Expand Up @@ -145,11 +145,6 @@ config:
# -- auto reload the rules when the files change
watchRules: true

# -- list of locale rules to load, they will be concatenated into a single config map
rulesFiles:
- rules.yaml
- rules_override.yaml

# -- deduplication of the Falco events
deduplication:
# -- enable the leader election for cluster mode
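Review bot: removing `rulesFiles` from `config` changes what Talon is told to load, while `watchRules: true` is kept and still refers to "the files". If the Talon configuration rendered from `.Values.config` previously passed this list through, the binary now falls back to its built-in default rules path. Check that the config template (not in this diff) derives the file list from the `customRules` keys and their mount path, and update the `watchRules` comment to say which files are watched.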
Expand Down Expand Up @@ -285,3 +280,36 @@ serviceMonitor:
# caFile: /path/to/ca.crt
# certFile: /path/to/client.crt
# keyFile: /path/to/client.key

# -- Third party rules enabled for Falco-talon. More info on the dedicated section in README.md file.
customRules:
{}
# Although Falco comes with a nice default rule set for detecting weird
# behavior in containers, our users are going to customize the run-time
# security rule sets or policies for the specific container images and
# applications they run. This feature can be handled in this section.
#
# Example:
#
# rules.yaml: |-
# - action: Terminate Pod
# actionner: kubernetes:terminate
# parameters:
# ignore_daemonsets: true
# ignore_statefulsets: true
# grace_period_seconds: 2

# - action: Label Pod as Suspicious
# actionner: kubernetes:label
# parameters:
# labels:
# analysis/status: "suspicious"

# - rule: Terminal shell in container

Check failure on line 308 in charts/falco-talon/values.yaml (GitHub Actions / test): 308:42 [trailing-spaces] trailing spaces
# match:
# rules:
# - Terminal shell in container
# output_fields:
# - k8s.ns.name!=kube-system, k8s.ns.name!=falco
# actions:
# - action: Label Pod as Suspicious
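Review bot: the CI failure blocks this commit: yamllint reports trailing whitespace at 308:42, the `# - rule: Terminal shell in container` line the annotation sits under; strip it. In the same block, the comment says "Third party rules enabled for Falco-talon" while the README row says "for Falco", and the "dedicated section in README.md file" does not exist in this change, so the `# --` text should be corrected before the README is regenerated. The example itself is a sound default to ship: the `output_fields` filter `k8s.ns.name!=kube-system, k8s.ns.name!=falco` keeps the label action away from the control plane and the detection stack, which is the right place to start before anyone wires in `kubernetes:terminate`.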
