falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

GKE error installing with ebpf.enabled=true using helm charts 2.0.0+ #399

Closed mlgualtieri closed 2 years ago

mlgualtieri commented 2 years ago

Describe the bug

Installing Falco into a GKE cluster using the provided Helm charts, version 2.0.0 or greater, produces an error installing the eBPF driver. Helm chart version 1.19.4 works as expected. It appears, based on the logs, that the 2.0 charts don't detect the eBPF option and instead try to build the kernel module.

How to reproduce it

Describing the pod shows these events:

Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  50s                default-scheduler  Successfully assigned falco/falco-45vhb to gke-mike-falco-test-clus-default-pool-50d8e653-p6tg
  Normal   Pulling    49s                kubelet            Pulling image "docker.io/falcosecurity/falco-driver-loader:0.32.1"
  Normal   Pulled     33s                kubelet            Successfully pulled image "docker.io/falcosecurity/falco-driver-loader:0.32.1" in 16.136803188s
  Normal   Created    15s (x3 over 33s)  kubelet            Created container falco-driver-loader
  Normal   Started    15s (x3 over 33s)  kubelet            Started container falco-driver-loader
  Normal   Pulled     15s (x2 over 29s)  kubelet            Container image "docker.io/falcosecurity/falco-driver-loader:0.32.1" already present on machine
  Warning  BackOff    1s (x3 over 28s)   kubelet            Back-off restarting failed container

The following logs from the falco-driver-loader pod show that, after not finding the driver for download, it also can't compile the driver.

$ kubectl logs falco-45vhb -n falco -c falco-driver-loader
* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.32.1, driver version=2.0.0+driver
* Running falco-driver-loader with: driver=module, compile=yes, download=yes

================ Cleaning phase ================

* 1. Check if kernel module 'falco' is still loaded:
- OK! There is no 'falco' module loaded.

* 2. Check all versions of kernel module 'falco' in dkms:
- There are some versions of 'falco' module in dkms.

* 3. Removing all the following versions from dkms:
2.0.0+driver

- Removing 2.0.0+driver...

------------------------------
Deleting module version: 2.0.0+driver
completely from the DKMS tree.
------------------------------
Done.

- OK! Removing '2.0.0+driver' succeeded.

[SUCCESS] Cleaning phase correctly terminated.

================ Cleaning phase ================

* Looking for a falco module locally (kernel 5.10.109+)
* Trying to download a prebuilt falco module from https://download.falco.org/driver/2.0.0%2Bdriver/x86_64/falco_cos_5.10.109%2B_1.ko
curl: (22) The requested URL returned error: 404 
Unable to find a prebuilt falco module
* Trying to dkms install falco module with GCC /usr/bin/gcc
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"

Creating symlink /var/lib/dkms/falco/2.0.0+driver/source ->
                 /usr/src/falco-2.0.0+driver

DKMS: add completed.
* Running dkms build failed, couldn't find /var/lib/dkms/falco/2.0.0+driver/build/make.log (with GCC /usr/bin/gcc)
* Trying to dkms install falco module with GCC /usr/bin/gcc-8
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/2.0.0+driver/build/make.log (with GCC /usr/bin/gcc-8)
* Trying to dkms install falco module with GCC /usr/bin/gcc-6
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/2.0.0+driver/build/make.log (with GCC /usr/bin/gcc-6)
* Trying to dkms install falco module with GCC /usr/bin/gcc-5
DIRECTIVE: MAKE="'/tmp/falco-dkms-make'"
* Running dkms build failed, couldn't find /var/lib/dkms/falco/2.0.0+driver/build/make.log (with GCC /usr/bin/gcc-5)
* Trying to load a system falco module, if present
Consider compiling your own falco driver and loading it or getting in touch with the Falco community

Expected behaviour

The following command works and installs Falco into the cluster:

helm install falco falcosecurity/falco -n falco --version 1.19.4 --set ebpf.enabled=true --values values.yaml

Logs from this look like:

$ kubectl logs falco-4lwcs -n falco
* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.32.0, driver version=39ae7d40496793cf3d3e7890c9bbdc202263836b
* Running falco-driver-loader with: driver=bpf, compile=yes, download=yes
* Mounting debugfs
* Trying to download a prebuilt eBPF probe from https://download.falco.org/driver/39ae7d40496793cf3d3e7890c9bbdc202263836b/falco_cos_5.10.109%2B_1.o
curl: (22) The requested URL returned error: 404 
Unable to find a prebuilt falco eBPF probe
* COS detected (build 16623.171.20), using COS kernel headers
* Found kernel config at /proc/config.gz
* Downloading https://storage.googleapis.com/cos-tools/16623.171.20/kernel-headers.tgz
* Extracting kernel sources
* Configuring kernel
* Trying to compile the eBPF probe (falco_cos_5.10.109+_1.o)
...

Environment

alacuku commented 2 years ago

Hi @mlgualtieri, starting from chart 2.0.0 the eBPF probe can be enabled by setting the driver mode to ebpf: driver.kind=ebpf. The new chart has been heavily refactored and some configuration variables in the values.yaml file have been moved around or renamed. Please have a look at the new values.yaml file: https://github.com/falcosecurity/charts/blob/master/falco/values.yaml.

mlgualtieri commented 2 years ago

Thank you, that did the trick! I was following the old documentation for the installation process. Installation worked after pulling down the values.yaml from the latest release, and changing the drivers section to be:

driver:
  enabled: true
  kind: ebpf

helm install falco falcosecurity/falco -n falco --values values.yaml
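
Added example (not part of the issue thread and not Falco project code): a shell check that reads the falco-driver-loader banner and confirms the driver actually selected matches the one intended, plus a check for the pre-2.0 top-level `ebpf:` key in a values file. The function names are hypothetical, and the `ebpf` to `bpf` mapping is an assumption taken from the `driver=bpf` and `driver=module` banners quoted in this issue.

```shell
#!/bin/sh
# Added example: catch a renamed chart value that leaves Falco on the wrong driver.

# Print the driver kind from the loader banner read on stdin,
# e.g. "* Running falco-driver-loader with: driver=module, compile=yes, ...".
loader_driver() {
    sed -n 's/^\* Running falco-driver-loader with: driver=\([a-z_]*\),.*/\1/p' | head -n 1
}

# Map the chart's driver.kind to the banner value (assumption from the logs above).
expected_loader_driver() {
    case "$1" in
        ebpf)   echo bpf ;;
        module) echo module ;;
        *)      return 1 ;;
    esac
}

# $1 = intended driver.kind, stdin = loader log.
# Returns 0 on match, 1 on mismatch, 2 when the input cannot be judged.
check_driver() {
    want=$(expected_loader_driver "$1") || { echo "unknown driver.kind: $1"; return 2; }
    got=$(loader_driver)
    if [ -z "$got" ]; then echo "no loader banner found"; return 2; fi
    if [ "$got" = "$want" ]; then echo "ok: loader reports $got"; return 0; fi
    echo "mismatch: wanted $want, loader reports $got"
    return 1
}

# Succeeds when a values file on stdin still carries the pre-2.0 top-level "ebpf:" key.
has_legacy_ebpf_key() {
    grep -q '^ebpf:'
}

# Sample input: the first banner lines from the failing 2.x install quoted in this issue.
sample_log() {
cat <<'EOF'
* Setting up /usr/src links from host
* Running falco-driver-loader for: falco version=0.32.1, driver version=2.0.0+driver
* Running falco-driver-loader with: driver=module, compile=yes, download=yes
EOF
}

# Demo: eBPF was intended, but the loader fell back to the kernel module.
sample_log | check_driver ebpf || true
```

Against a live cluster, feed it the same log shown in the report: `kubectl logs <pod> -n falco -c falco-driver-loader | check_driver ebpf`.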