falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

Plugin k8smeta warning after creating Falco Helm chart with Kubernetes collector enabled #681

Open jfcmartins opened 1 month ago

jfcmartins commented 1 month ago

Plugin k8smeta warning after creating Falco Helm chart with Kubernetes collector enabled

When I create the Falco Helm chart with the Kubernetes k8smeta collector, it displays the following warning:

WARNING:
It seems you are loading the following plugins [k8smeta], please make sure to install them by adding the correct reference to falcoctl.config.artifact.install.refs: [falco-rules:3 ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0]

How to reproduce it

Create Falco Helm chart values file:

values.yaml

rbac:
  create: true

falco:
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco_rules.local.yaml
    - /etc/falco/rules.d

  priority: info
  syscall_event_drops:
    actions:
      - log

  grpc:
    enabled: true
  grpc_output:
    enabled: true

  load_plugins: []

driver:
  enabled: true
  kind: modern_ebpf
  modernEbpf:
    bufSizePreset: 5

collectors:
  enabled: true
  kubernetes:
    enabled: true

controller:
  kind: daemonset

falcosidekick:
  enabled: true
  config:
    debug: true
    slack:
      outputformat: "fields"
      webhookurl: "<redacted>"

Then apply the Helm chart:


helm upgrade -i falco falcosecurity/falco \
  -f values.yaml \
  --version 4.4.0

Expected behaviour

Helm chart warning shouldn't appear for this use case.

Environment

Am I missing something? I really appreciate any help you can provide.

alacuku commented 1 month ago

Hi @jfcmartins, usually the plugins require two steps to be configured in falco:

  1. add the reference in the falcoctl section to download the plugin artifact;
  2. add the plugin to the falco configuration.

Sometimes one of the steps may not have been performed, hence the warning is there to warn that some plugins have been configured in falco, and the user needs to configure them in the falcoctl section.

In the case of the k8s-metacollector + k8smeta plugin the configuration is done by the chart itself so you're right that it could be misleading.

A better way could be to show the warning only when one of the two steps described above is not performed.

jfcmartins commented 1 month ago

Hey @alacuku 👋 thanks for the help. That's what I thought.

What I still don't understand is why this warning appears in the first place, since falco.load_plugins is an empty list on values.yaml https://github.com/falcosecurity/charts/blob/falco-4.4.0/charts/falco/templates/NOTES.txt#L42

alacuku commented 1 month ago

When setting collectors.kubernetes.enabled=true the following helper (https://github.com/falcosecurity/charts/blob/addf0d3cc3dd0b0ffa36fe73992e70d8cbecb1ef/charts/falco/templates/_helpers.tpl#L324-L373) takes care to configure the k8smeta plugin:

  1. add the k8smeta plugin's reference to the falcoctl configuration;
  2. add the k8smeta plugin's configuration to falco's configuration;
  3. add the k8smeta plugin to the falco.load_plugins list.

To inspect the templates generated at install time, use the helm template command with your values.yaml file.
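
The check proposed above (warn only when one of the two configuration steps is missing), sketched in Python as an added example; it is not code from the chart or from either commenter. The function names and the `/plugin/` path heuristic are assumptions made for this illustration, and the inputs are the effective `falco.load_plugins` and `falcoctl.config.artifact.install.refs` lists as they appear in `helm template` output.

```python
"""Added example: warn only when a Falco plugin is half-configured."""


def artifact_name(ref):
    """'ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0' -> 'k8smeta'."""
    ref = ref.split("@", 1)[0]      # drop a digest, if any
    last = ref.rsplit("/", 1)[-1]   # a registry port lives in an earlier segment
    return last.split(":", 1)[0]    # drop the tag


def is_plugin_ref(ref):
    # Assumption: plugin artifacts are published under ".../plugin/<name>",
    # as in the ref quoted in the warning; bare names such as "falco-rules:3"
    # are treated as non-plugin artifacts (rules files).
    return "/plugin/" in ref.split("@", 1)[0]


def check_plugin_config(load_plugins, install_refs):
    """Return the plugins for which only one of the two steps was performed."""
    loaded = set(load_plugins)
    referenced = {artifact_name(r) for r in install_refs}
    plugin_refs = {artifact_name(r) for r in install_refs if is_plugin_ref(r)}
    return {
        # Step 2 done, step 1 missing: Falco would load a plugin nobody installs.
        "loaded_without_ref": sorted(loaded - referenced),
        # Step 1 done, step 2 missing: artifact is downloaded but never loaded.
        "ref_without_load": sorted(plugin_refs - loaded),
    }


def should_warn(load_plugins, install_refs):
    result = check_plugin_config(load_plugins, install_refs)
    return bool(result["loaded_without_ref"] or result["ref_without_load"])


# Constructed inputs. These mirror what the warning in this issue reports once
# the chart's helper has run with collectors.kubernetes.enabled=true.
EFFECTIVE_LOAD_PLUGINS = ["k8smeta"]
EFFECTIVE_REFS = [
    "falco-rules:3",
    "ghcr.io/falcosecurity/plugins/plugin/k8smeta:0.1.0",
]

if __name__ == "__main__":
    print(check_plugin_config(EFFECTIVE_LOAD_PLUGINS, EFFECTIVE_REFS))
    # "example-plugin" is a made-up name used to show the failing case.
    print(check_plugin_config(["k8smeta", "example-plugin"], EFFECTIVE_REFS))
```

With the values from this issue both steps are present for k8smeta, so `should_warn` returns `False`; a plugin that appears in only one of the two lists is reported under the matching key.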

jfcmartins commented 1 month ago

Thanks @alacuku! Now it makes sense