falco ConfigMap diff in live vs desired state - using ArgoCD

[flickers]

Describe the bug We are using the latest (4.5.1) falco helm chart to deploy falco to our clusters using ArgoCD After a while (minute or so) we see a diff in the live falco configMap vs. desired configMap (rendered from the falco helm chart) Mostly this is due to incorrect indentation but also due to different yaml scalars

How to reproduce it Deploy falco using helm and then compare the falco configMap against the rendered falco configMap. Or deploy using ArgoCD

Expected behaviour We expect the live and desired state to match after we deploy falco using helm and ArgoCD

Screenshots

Environment

• Falco version:

  falco --version
  Tue Jun 25 14:00:56 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
  Tue Jun 25 14:00:56 2024: Falco version: 0.38.1 (x86_64)
  Tue Jun 25 14:00:56 2024: Falco initialized with configuration files:
  Tue Jun 25 14:00:56 2024:    /etc/falco/falco.yaml
  Tue Jun 25 14:00:56 2024: System info: Linux version 5.10.218-208.862.amzn2.x86_64 (mockbuild@ip-10-0-42-214) (gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1), GNU ld version 2.35.2-9.amzn2.0.1) #1 SMP Tue Jun 4 16:52:10 UTC 2024
  {"default_driver_version":"7.2.0+driver","driver_api_version":"8.0.0","driver_schema_version":"2.0.0","engine_version":"40","engine_version_semver":"0.40.0","falco_version":"0.38.1","libs_version":"0.17.2","plugin_api_version":"3.6.0"}

• System info:

  falco --support | jq .system_info
  Tue Jun 25 13:58:31 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
  Tue Jun 25 13:58:31 2024: Falco version: 0.38.1 (x86_64)
  Tue Jun 25 13:58:31 2024: Falco initialized with configuration files:
  Tue Jun 25 13:58:31 2024:    /etc/falco/falco.yaml
  Tue Jun 25 13:58:31 2024: System info: Linux version 5.10.218-208.862.amzn2.x86_64 (mockbuild@ip-10-0-42-214) (gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1), GNU ld version 2.35.2-9.amzn2.0.1) #1 SMP Tue Jun 4 16:52:10 UTC 2024
  Tue Jun 25 13:58:31 2024: Loading rules from file /etc/falco/falco_rules.yaml
  Tue Jun 25 13:58:31 2024: Loading rules from file /etc/falco/rules.d/datadog-agent-exclude.yaml
  Tue Jun 25 13:58:32 2024: Loading rules from file /etc/falco/rules.d/k8s-api-namespace-exclude.yaml
  Tue Jun 25 13:58:32 2024: Loading rules from file /etc/falco/rules.d/kong-spawn-processes-exclude.yaml
  {
  "machine": "x86_64",
  "nodename": "falco-2b9cd",
  "release": "5.10.218-208.862.amzn2.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Tue Jun 4 16:52:10 UTC 2024"
  }

• Cloud provider or hardware configuration:
• OS: EKS - linux
• Kernel: 5.10.218-208.862.amzn2.x86_64
• Installation method: Kubernetes using Helm and ArgoCD

Additional context

[alacuku]

Hi @flickers, when the driver.kind is set to auto, falcoctl will automatically select the optimal driver for Falco. This selection will be updated in the Falco configmap. If you do not want this behavior then set the driver.kind to the desired driver: https://github.com/falcosecurity/charts/blob/7527d0f635bd3a20ece3362fcd8d7b9e418d939a/charts/falco/values.yaml#L184

[leogr]

/assign @alacuku

[alacuku]

Hey @flickers, falcoctl does not update anymore the falco configmap. For more info see: https://github.com/falcosecurity/charts/pull/735.

Let me know if this is still an issue for you.

[gvariola]

Can confirm that this is not an issue now.

[flickers]

Hey @flickers, falcoctl does not update anymore the falco configmap. For more info see: #735.

Let me know if this is still an issue for you.

yeah, no longer an issue now. Thanks

[alacuku]

/close

[poiana]

@alacuku: Closing this issue.

In response to [this](https://github.com/falcosecurity/charts/issues/695#issuecomment-2428487929): >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.