refactor(falco-talon): add rules from helm values

According to falco rules, integrated rules in the helm values over yaml file. This allow user to easily customize rules. Signed-off-by: LeoFVO <[email protected]>
falcosecurity · Oct 16, 2024 · e38c619 · e38c619
1 parent dfb2b01
commit e38c619
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 36 deletions.
diff --git a/charts/falco-talon/CHANGELOG.md b/charts/falco-talon/CHANGELOG.md
@@ -6,6 +6,7 @@ numbering uses [semantic versioning](http://semver.org).
 ## 0.1.3 - 2024-10-15
 
 - Support resources name and namespace overrides
+- Fix issues to use custom rules
 
 ## 0.1.2 - 2024-10-14
 

diff --git a/charts/falco-talon/Chart.yaml b/charts/falco-talon/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: 0.1.1
 description: React to the events from Falco
 name: falco-talon
-version: 0.1.2
+version: 0.1.3
 keywords:
   - falco
   - monitoring

diff --git a/charts/falco-talon/README.md b/charts/falco-talon/README.md
@@ -58,7 +58,7 @@ helm delete falco-talon -n falco
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | affinity |
-| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"rulesFiles":["rules.yaml","rules_override.yaml"],"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
+| config | object | `{"aws":{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""},"deduplication":{"leaderElection":true,"timeWindowSeconds":5},"defaultNotifiers":["k8sevents"],"listenAddress":"0.0.0.0","listenPort":2803,"minio":{"accessKey":"","endpoint":"","secretKey":"","useSsl":false},"notifiers":{"elasticsearch":{"createIndexTemplate":true,"numberOfReplicas":1,"numberOfShards":1,"url":""},"loki":{"apiKey":"","customHeaders":[],"hostPort":"","tenant":"","user":""},"slack":{"footer":"https://github.com/falcosecurity/falco-talon","format":"long","icon":"https://upload.wikimedia.org/wikipedia/commons/2/26/Circaetus_gallicus_claw.jpg","username":"Falco Talon","webhookUrl":""},"smtp":{"format":"html","from":"","hostPort":"","password":"","tls":false,"to":"","user":""},"webhook":{"url":""}},"otel":{"collectorEndpoint":"","collectorPort":4317,"collectorUseInsecureGrpc":false,"metricsEnabled":false,"tracesEnabled":false},"printAllEvents":false,"watchRules":true}` | config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/) |
 | config.aws | object | `{"accesKey":"","externalId":"","region":"","roleArn":"","secretKey":""}` | aws |
 | config.aws.accesKey | string | `""` | access key (if not specified, default access_key from provider credential chain will be used) |
 | config.aws.externalId | string | `""` | external id |
@@ -111,8 +111,8 @@ helm delete falco-talon -n falco
 | config.otel.metricsEnabled | bool | `false` | enable otel metrics |
 | config.otel.tracesEnabled | bool | `false` | enable otel traces |
 | config.printAllEvents | bool | `false` | print in stdout all received events, not only those which match a rule |
-| config.rulesFiles | list | `["rules.yaml","rules_override.yaml"]` | list of locale rules to load, they will be concatenated into a single config map |
 | config.watchRules | bool | `true` | auto reload the rules when the files change |
+| customRules | object | `{}` | Third party rules enabled for Falco. More info on the dedicated section in README.md file. |
 | extraEnv | list | `[{"name":"LOG_LEVEL","value":"warning"}]` | extra env |
 | fullnameOverride | string | `""` | Same as nameOverride but for the fullname. |
 | image | object | `{"pullPolicy":"Always","registry":"falco.docker.scarf.sh","repository":"issif/falco-talon","tag":""}` | image parameters |

diff --git a/charts/falco-talon/rules.yaml b/charts/falco-talon/rules.yaml
diff --git a/charts/falco-talon/rules_override.yaml b/charts/falco-talon/rules_override.yaml
diff --git a/charts/falco-talon/templates/configmap.yaml b/charts/falco-talon/templates/configmap.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.customRules }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -6,8 +7,8 @@ metadata:
   labels:
     {{- include "falco-talon.labels" . | nindent 4 }}
 data:
-  rules.yaml: |-
-{{- range $file := .Values.config.rulesFiles -}}
-{{ $fileContent := $.Files.Get . }}
-{{- $fileContent | nindent 4 -}}
-{{- end -}}
+{{- range $file, $content :=  .Values.customRules }}
+  {{ $file }}: |-
+{{ $content | indent 4}}
+{{- end }}
+{{- end }}
diff --git a/charts/falco-talon/values.yaml b/charts/falco-talon/values.yaml
@@ -145,11 +145,6 @@ config:
   # -- auto reload the rules when the files change
   watchRules: true
 
-  # -- list of locale rules to load, they will be concatenated into a single config map
-  rulesFiles:
-    - rules.yaml
-    - rules_override.yaml
-
   # -- deduplication of the Falco events
   deduplication:
     # -- enable the leader election for cluster mode
@@ -285,3 +280,36 @@ serviceMonitor:
     # caFile: /path/to/ca.crt
     # certFile: /path/to/client.crt
     # keyFile: /path/to/client.key
+
+# -- Third party rules enabled for Falco-talon. More info on the dedicated section in README.md file.
+customRules:
+  {}
+  # Although Falco comes with a nice default rule set for detecting weird
+  # behavior in containers, our users are going to customize the run-time
+  # security rule sets or policies for the specific container images and
+  # applications they run. This feature can be handled in this section.
+  #
+  # Example:
+  #
+  # rules.yaml: |-
+  #   - action: Terminate Pod
+  #     actionner: kubernetes:terminate
+  #     parameters:
+  #       ignore_daemonsets: true
+  #       ignore_statefulsets: true
+  #       grace_period_seconds: 2
+
+  #   - action: Label Pod as Suspicious
+  #     actionner: kubernetes:label
+  #     parameters:
+  #       labels:
+  #         analysis/status: "suspicious"
+
+  #   - rule: Terminal shell in container
+  #     match:
+  #       rules:
+  #         - Terminal shell in container
+  #       output_fields:
+  #         - k8s.ns.name!=kube-system, k8s.ns.name!=falco
+  #     actions:
+  #       - action: Label Pod as Suspicious