
Falco's least privileged mode for modern BPF driver does not work

Open aarnq opened this issue 1 year ago • 2 comments

Experienced behaviour

It should be the mode enabled once modern BPF is selected.

However, the templating sets the wrong value, and the PodSecurityPolicies are not adapted to the least privileged mode.

Which I guess is lucky, as it works, just in fully privileged mode.

Expected behaviour

Least privileged mode should work as expected.

Steps to reproduce

Enable modern-bpf driver in falco, see the pods apply with privileged.

Compliant Kubernetes Apps Version

v0.40

Kubernetes Version

No response

Additional context

The incorrect key is here. It should be modernEbpf, as seen here.

PodSecurityPolicies for falco are found in this file.

Definition of Done

  • modernEbpf.leastPrivileged is set correctly.
  • Falco PodSecurityPolicies are updated to work with modern-bpf in its least privileged mode.

aarnq (Oct 15 '24 09:10)

@aarnq Can you add a bit more context and a definition of done to this issue?

  • Why do we need modern-bpf driver/what problem does it solve?
  • What needs to be fixed for this to work? Just templates?

Ajarmar (Oct 18 '24 11:10)

@Ajarmar The modern-bpf driver solves the issue that Falco during runtime needs to download a kernel module driver, or fails if there is no pre-built driver for the specific kernel version.

We already expose the config to use it, and it currently works, but that is because of a bug.

But another benefit of the modern-bpf driver is that it has a "least privilege" mode, so the Falco container does not need privileged: true, and we can constrain its security context quite a lot compared to the regular kmod driver.

The bug is that the Falco templates try to set least privilege mode, but on the wrong key, so it isn't enabled, and the PodSecurityPolicy isn't updated, so it wouldn't allow the capabilities it would need, nor constrain the privileges it then doesn't need.

So currently it just sets and accepts privileged: true.

aarnq (Oct 21 '24 06:10)
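An added check, not part of this issue or of the compliantkubernetes-apps code, that can be run over a rendered Falco DaemonSet (for example the JSON from `kubectl get daemonset falco -o json`) to confirm whether modernEbpf.leastPrivileged actually took effect: it flags the privileged: true render the thread describes and compares the added capabilities with the set the upstream Falco chart uses for modern_ebpf in least privileged mode. That capability set is an assumption taken from the upstream chart's securityContext helper and should be checked against the chart version in use; the two manifests below are constructed samples, not output from this project.

```python
"""Audit a rendered Falco DaemonSet: did modernEbpf.leastPrivileged actually take effect?"""
import json

# Capabilities the upstream Falco chart adds for modern_ebpf when leastPrivileged is true.
# Assumed from the chart's securityContext helper; check it against the chart version in use.
MODERN_EBPF_LEAST_PRIV_CAPS = {"BPF", "SYS_RESOURCE", "PERFMON", "SYS_PTRACE"}


def security_contexts(manifest):
    """Yield (container name, securityContext) for each container in the pod template."""
    pod_spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    for container in pod_spec.get("containers", []):
        yield container["name"], container.get("securityContext") or {}


def audit(manifest, container_name="falco"):
    """Return findings for the Falco container; an empty list means least privilege is in place."""
    findings = []
    for name, sc in security_contexts(manifest):
        if name != container_name:
            continue  # sidecars are out of scope for the driver's capability set
        if sc.get("privileged", False):
            # The behaviour described in the issue: privileged: true is still rendered.
            findings.append(f"{name}: runs with privileged: true (leastPrivileged not applied)")
            continue
        added = set(sc.get("capabilities", {}).get("add", []))
        extra = added - MODERN_EBPF_LEAST_PRIV_CAPS
        missing = MODERN_EBPF_LEAST_PRIV_CAPS - added
        if extra:
            findings.append(f"{name}: unexpected capabilities {sorted(extra)}")
        if missing:
            findings.append(f"{name}: missing capabilities {sorted(missing)} needed by modern_ebpf")
    return findings


# Constructed sample of what the chart renders today (bug present); only relevant fields kept.
PRIVILEGED_DS = json.loads("""
{"kind": "DaemonSet", "metadata": {"name": "falco"}, "spec": {"template": {"spec": {"containers": [
  {"name": "falco", "securityContext": {"privileged": true}},
  {"name": "sidecar", "securityContext": {}}]}}}}""")

# Constructed sample of what leastPrivileged: true should render instead.
LEAST_PRIV_DS = json.loads("""
{"kind": "DaemonSet", "metadata": {"name": "falco"}, "spec": {"template": {"spec": {"containers": [
  {"name": "falco", "securityContext": {"privileged": false,
    "capabilities": {"add": ["BPF", "SYS_RESOURCE", "PERFMON", "SYS_PTRACE"]}}}]}}}}""")

if __name__ == "__main__":
    for label, ds in (("current render", PRIVILEGED_DS), ("least-privileged render", LEAST_PRIV_DS)):
        print(label, "->", audit(ds) or "OK")
```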