diff --git a/charts/falco-talon/CHANGELOG.md b/charts/falco-talon/CHANGELOG.md index 263883265..6bcc73efe 100644 --- a/charts/falco-talon/CHANGELOG.md +++ b/charts/falco-talon/CHANGELOG.md @@ -6,6 +6,7 @@ numbering uses [semantic versioning](http://semver.org). ## 0.1.3 - 2024-10-15 - Support resources name and namespace overrides +- Fix issues to use custom rules ## 0.1.2 - 2024-10-14 diff --git a/charts/falco-talon/Chart.yaml b/charts/falco-talon/Chart.yaml index c08e87d20..c6871d480 100644 --- a/charts/falco-talon/Chart.yaml +++ b/charts/falco-talon/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v1 appVersion: 0.1.1 description: React to the events from Falco name: falco-talon -version: 0.1.2 +version: 0.1.3 keywords: - falco - monitoring diff --git a/charts/falco-talon/README.md b/charts/falco-talon/README.md index 1b15acd97..2f5002c93 100644 --- a/charts/falco-talon/README.md +++ b/charts/falco-talon/README.md @@ -58,7 +58,7 @@ helm delete falco-talon -n falco | Key | Type | Default | Description | |-----|------|---------|-------------| | affinity | object | `{}` | affinity | -| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesFiles":["rules.yaml","rules_override.yaml"],"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) | +| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) | | config.aws | object | `{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""}` | aws | | config.aws.accesKey | string | `""` | access key (if not specified, default access_key from provider credential chain will be used) | | config.aws.externalId | string | `""` | external id | @@ -111,8 +111,8 @@ helm delete falco-talon -n falco | config.otel.metricsEnabled | bool | `false` | enable otel metrics | | config.otel.tracesEnabled | bool | `false` | enable otel traces | | config.printAllEvents | bool | `false` | print in stdout all received events, not only those which match a rule | -| config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map | | config.watchRules | bool | `true` | auto reload the rules when the files change | +| customRules | object | `{}` | Third party rules enabled for Falco. More info on the dedicated section in README.md file. | | extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env | | fullnameOverride | string | `""` | Same as nameOverride but for the fullname. | | image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters | diff --git a/charts/falco-talon/rules.yaml b/charts/falco-talon/rules.yaml deleted file mode 100644 index dbc9f315c..000000000 --- a/charts/falco-talon/rules.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- action: Terminate Pod - actionner: kubernetes:terminate - -- action: Label Pod as Suspicious - actionner: kubernetes:label - parameters: - labels: - analysis/status: "suspicious" - -- rule: Terminal shell in container - match: - rules: - - Terminal shell in container - output_fields: - - k8s.ns.name!=kube-system, k8s.ns.name!=falco - actions: - - action: Label Pod as Suspicious diff --git a/charts/falco-talon/rules_override.yaml b/charts/falco-talon/rules_override.yaml deleted file mode 100644 index a75af42c4..000000000 --- a/charts/falco-talon/rules_override.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- action: Terminate Pod - actionner: kubernetes:terminate - parameters: - ignore_daemonsets: true - ignore_statefulsets: true - grace_period_seconds: 2 \ No newline at end of file diff --git a/charts/falco-talon/templates/configmap.yaml b/charts/falco-talon/templates/configmap.yaml index 53b8da1e3..82b5cb234 100644 --- a/charts/falco-talon/templates/configmap.yaml +++ b/charts/falco-talon/templates/configmap.yaml @@ -1,3 +1,4 @@ +{{- if .Values.customRules }} apiVersion: v1 kind: ConfigMap metadata: @@ -6,8 +7,8 @@ metadata: labels: {{- include "falco-talon.labels" . | nindent 4 }} data: - rules.yaml: |- -{{- range $file := .Values.config.rulesFiles -}} -{{ $fileContent := $.Files.Get . }} -{{- $fileContent | nindent 4 -}} -{{- end -}} +{{- range $file, $content := .Values.customRules }} + {{ $file }}: |- +{{ $content | indent 4}} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/falco-talon/values.yaml b/charts/falco-talon/values.yaml index 48975c286..a165f88c9 100644 --- a/charts/falco-talon/values.yaml +++ b/charts/falco-talon/values.yaml @@ -145,11 +145,6 @@ config: # -- auto reload the rules when the files change watchRules: true - # -- list of locale rules to load, they will be concatenated into a single config map - rulesFiles: - - rules.yaml - - rules_override.yaml - # -- deduplication of the Falco events deduplication: # -- enable the leader election for cluster mode @@ -285,3 +280,36 @@ serviceMonitor: # caFile: /path/to/ca.crt # certFile: /path/to/client.crt # keyFile: /path/to/client.key + +# -- Third party rules enabled for Falco-talon. More info on the dedicated section in README.md file. +customRules: + {} + # Although Falco comes with a nice default rule set for detecting weird + # behavior in containers, our users are going to customize the run-time + # security rule sets or policies for the specific container images and + # applications they run. This feature can be handled in this section. + # + # Example: + # + # rules.yaml: |- + # - action: Terminate Pod + # actionner: kubernetes:terminate + # parameters: + # ignore_daemonsets: true + # ignore_statefulsets: true + # grace_period_seconds: 2 + + # - action: Label Pod as Suspicious + # actionner: kubernetes:label + # parameters: + # labels: + # analysis/status: "suspicious" + + # - rule: Terminal shell in container + # match: + # rules: + # - Terminal shell in container + # output_fields: + # - k8s.ns.name!=kube-system, k8s.ns.name!=falco + # actions: + # - action: Label Pod as Suspicious