falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

rules_file/rules_files not being respected #729

Closed kimberleyhallifax closed 3 months ago

kimberleyhallifax commented 3 months ago

Description

I am attempting to include additional rule files including the sandbox and incubating rules. I'm doing this in a Helm chart using the following documentation here to add the following config:

[Screenshot 2024-08-09 at 5.42.32 PM: image not reproduced]

But my config is not being respected.

How to reproduce it

Here is my Chart.yaml:

apiVersion: v2
description: Intrusion detection using Falco
name: falco
version: 1.1.7
dependencies:
  - name: falco
    version: 4.7.0
    repository: https://falcosecurity.github.io/charts

Here is my values.yaml file:

---
falco:
  falco:
    rules_file:
      - /etc/falco/falco_rules.yaml
      - /etc/falco/falco-incubating_rules.yaml
      - /etc/falco/falco-sandbox_rules.yaml
      - /etc/falco/k8s_audit_rules.yaml
      - /etc/falco/rules.d

  falcoctl:
    config:
      allowed_types: ["rulesfile"]
      artifact:
        install:
          rulesfilesDir: /etc/falco/
          refs: [falco-rules:1,falco-incubating-rules:1,falco-sandbox-rules:1,k8s_audit_rules:1]
        follow:
          rulesfilesDir: /etc/falco/
          refs: [falco-rules:1,falco-incubating-rules:1,falco-sandbox-rules:1,k8s_audit_rules:1]

I have also tried this with the falco Helm chart version 4.7.2 and with rules_files, and that did not work either.

Expected behaviour

I expect the falco-incubating_rules.yaml, falco-sandbox_rules.yaml and k8s_audit_rules.yaml rule files to load in my pod, in addition to the default falco_rules.yaml. However, only falco_rules.yaml loads.

Here are my Kubernetes pod logs to confirm that only falco_rules.yaml is being loaded:

Defaulted container "falco" out of: falco, falcoctl-artifact-follow, falco-driver-loader (init), falcoctl-artifact-install (init)
Fri Aug  9 02:15:21 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
Fri Aug  9 02:15:21 2024: Falco version: 0.38.1 (x86_64)
Fri Aug  9 02:15:21 2024: Falco initialized with configuration files:
Fri Aug  9 02:15:21 2024:    /etc/falco/falco.yaml
Fri Aug  9 02:15:21 2024: System info: Linux version 5.10.219-208.866.amzn2.x86_64 (mockbuild@ip-10-0-35-201) (gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1), GNU ld version 2.35.2-9.amzn2.0.1) #1 SMP Tue Jun 18 14:00:06 UTC 2024
Fri Aug  9 02:15:21 2024: Loading rules from file /etc/falco/falco_rules.yaml

Environment

4.7.0 and 4.7.2

macOS M1

Darwin VGW0681 23.6.0 Darwin Kernel Version 23.6.0: Fri Jul 5 17:56:41 PDT 2024; root:xnu-10063.141.1~2/RELEASE_ARM64_T6000 arm64

Kubernetes Helm
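The report above relies on reading the startup log by eye to see which rules files Falco actually loaded. The script below is an added example, not code from the falcosecurity/charts project or from the reporter: it takes the rules list from a values.yaml and the Falco startup log, and returns every configured entry that never produced a "Loading rules from file" line, plus a warning when the deprecated rules_file key is still in use. The expected list and log text are constructed from this issue; the rule that an entry without a .yaml/.yml suffix is a directory is an assumption of this script (Falco reports each file it loads from such a directory individually, so a directory entry counts as loaded when any file under it appears in the log).

```python
"""Check which configured Falco rules files actually loaded, from pod log text.

Added example (not part of the falcosecurity/charts project). Use it after
`kubectl logs <falco-pod> -c falco` to confirm the rules_files list in
values.yaml matches what Falco reports at startup.
"""
import re
from typing import Dict, List

# Falco 0.38 logs one of these lines per rules file it loads.
LOADING_RE = re.compile(r"Loading rules from file (\S+)")
# Emitted when falco.yaml still uses the singular key.
DEPRECATED_RE = re.compile(r"Using deprecated config key 'rules_file'")

# Constructed sample: the rules list from the values.yaml in this issue.
EXPECTED_RULES = [
    "/etc/falco/falco_rules.yaml",
    "/etc/falco/falco-incubating_rules.yaml",
    "/etc/falco/falco-sandbox_rules.yaml",
    "/etc/falco/k8s_audit_rules.yaml",
    "/etc/falco/rules.d",
]

# Constructed sample: the relevant lines from the pod log in this issue.
SAMPLE_LOG = """\
Fri Aug  9 02:15:21 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
Fri Aug  9 02:15:21 2024: Falco version: 0.38.1 (x86_64)
Fri Aug  9 02:15:21 2024: Loading rules from file /etc/falco/falco_rules.yaml
"""


def loaded_rules_files(log: str) -> List[str]:
    """Return the rules file paths Falco reported loading, in log order."""
    return [m.group(1) for m in LOADING_RE.finditer(log)]


def is_directory_entry(entry: str) -> bool:
    """Assumption: an entry without a YAML suffix is a rules directory
    (we cannot stat the pod's filesystem from the log alone)."""
    return not entry.rstrip("/").endswith((".yaml", ".yml"))


def check_rules_loaded(expected: List[str], log: str) -> Dict[str, List[str]]:
    """Compare the configured rules list against the startup log.

    Returns {"loaded": [...], "missing": [...], "warnings": [...]}.
    A directory entry is satisfied when any loaded file lives under it.
    """
    loaded = loaded_rules_files(log)
    missing: List[str] = []
    for entry in expected:
        if is_directory_entry(entry):
            prefix = entry.rstrip("/") + "/"
            if not any(path.startswith(prefix) for path in loaded):
                missing.append(entry)
        elif entry not in loaded:
            missing.append(entry)

    warnings: List[str] = []
    if DEPRECATED_RE.search(log):
        warnings.append(
            "falco.yaml uses the deprecated 'rules_file' key; switch to 'rules_files'"
        )
    return {"loaded": loaded, "missing": missing, "warnings": warnings}


if __name__ == "__main__":
    result = check_rules_loaded(EXPECTED_RULES, SAMPLE_LOG)
    print("loaded :", result["loaded"])
    print("missing:", result["missing"])
    for w in result["warnings"]:
        print("warning:", w)
```

Run against the issue's own log this reports four missing entries (the incubating, sandbox and k8s_audit files plus the rules.d directory) and the deprecation warning, which is the condition the reporter describes; in a pipeline you would fail the deployment check whenever `missing` is non-empty.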