falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

falco-sidekick and falco-sidekick-ui fail to start on OpenShift 4.12 with a security context constraint violation #569

Closed tosmi closed 4 months ago

tosmi commented 9 months ago

Describe the bug

Deployment of falco-sidekick and falco-sidekick-ui with Helm chart version 3.8.0 fails because of wrong security context constraints:

Error creating: pods "falco-falcosidekick-7cfbbbf89f-" is forbidden: unable to validate against any security context constraint

In OpenShift 4.12 the default security context constraint is restricted, so pods with a specific user ID will fail (https://github.com/falcosecurity/falcosidekick/blob/master/Dockerfile#L12).

We documented our current fix here: https://blog.stderr.at/openshift/2023-10-23-openshift-falco/#headline-5

The fix is to grant the service accounts falcosidekick and falcosidekick-ui access to the nonroot security context constraint (SCC).

I will try to come up with a pull request for the chart.

How to reproduce it

Deploy falco and enable falco-sidekick and falco-sidekick-ui, like in the values file below:

driver:
  kind: ebpf
  loader:
    initContainer:
      image:
        repository: falcosecurity/falco-driver-loader-legacy

falco:
  json_output: true
  json_include_output_property: true
  log_syslog: false
  log_level: info

falcosidekick:
  enabled: true
  webui:
    enabled: true

Expected behaviour

falco-sidekick and falco-sidekick-ui pods should be able to start

Environment

OpenShift 4.12 with Falco 0.36.1 deployed with Helm chart 3.8.0
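The fix described in the report, written out as namespace-scoped RBAC (an added example, not code from the chart or from the reporter's blog post). The `restricted` SCC uses a `MustRunAsRange` user strategy, so the fixed UID 1234 from the image is rejected as outside the namespace's allocated range, while `nonroot` uses `MustRunAsNonRoot`, which accepts that UID and still refuses UID 0. Assumptions: the chart is installed in namespace `falco`, and the service accounts carry the names used in the issue (with a Helm release prefix they may instead be `falco-falcosidekick` and `falco-falcosidekick-ui`; check with `oc get sa -n falco`).

```yaml
# Added example (not part of the falcosecurity/charts repository).
# Assumes namespace "falco" and the service account names from the issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: falcosidekick-use-nonroot-scc
  namespace: falco
rules:
  # "use" on one named SCC only: the service accounts gain nonroot,
  # not anyuid or privileged, and only inside this namespace.
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["nonroot"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: falcosidekick-use-nonroot-scc
  namespace: falco
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: falcosidekick-use-nonroot-scc
subjects:
  - kind: ServiceAccount
    name: falcosidekick
    namespace: falco
  - kind: ServiceAccount
    name: falcosidekick-ui
    namespace: falco
```

This is the namespaced equivalent of `oc adm policy add-scc-to-user nonroot -z falcosidekick -n falco`, kept in a manifest so it can ship with the chart. After applying it, the SCC actually admitted for each pod is visible in the `openshift.io/scc` annotation of the pod.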

Issif commented 9 months ago

Hi @tosmi,

The USER 1234 in the Dockerfiles was introduced for the now deprecated PSP. We should think about removing them I guess. For OpenShift, I recently had a discussion with some SREs, and they thought about proposing several "profiles" to auto-set values for specific envs (Openshift, EKS, AKS, GKE, ...); it could be a long-term solution. Your PR for OS will be welcome anyway, and thank you for your blog post.

poiana commented 6 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana commented 5 months ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana commented 4 months ago

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.

/close

poiana commented 4 months ago

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/charts/issues/569#issuecomment-2016611799):

>Rotten issues close after 30d of inactivity.
>
>Reopen the issue with `/reopen`.
>
>Mark the issue as fresh with `/remove-lifecycle rotten`.
>
>Provide feedback via https://github.com/falcosecurity/community.
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.