falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

[Helm Chart] Ignoring certain built-in rules without having to rebuild the chart #750

Closed thatguyatgithub closed 2 months ago

thatguyatgithub commented 2 months ago

Falco lover here! o/

It would be desirable to have a mechanism inline with Falco's Helm chart so you can whitelist or ignore certain rules from being triggered, without having to rebuild Falco's image.

I've tried to achieve this through rules.customRules, but it seems that somehow the built-in rules take precedence, and the custom rules are ignored or have no effect. Maybe I'm doing something wrong?

Thanks in advance!

Issif commented 2 months ago

Hi,

Here's a snippet to show how to use the customRules value in Helm to disable some rules. The filename doesn't matter:

```yaml
customRules:
  override-rules.yaml: |-
    - rule: Contact EC2 Instance Metadata Service From Container
      enabled: false
      override:
        enabled: replace
    - rule: Non sudo setuid
      enabled: false
      override:
        enabled: replace
```

Hope it will help you.

thatguyatgithub commented 2 months ago

Wohooo!!! It did indeed help, thanks a lot @Issif !!!

For anyone out there wondering, Terraform cheatsheet:

```hcl
set {
    name  = "customRules.override-rules"
    value = <<YAML
- rule: "Contact EC2 Instance Metadata Service From Container"
  enabled: false
  override:
    enabled: "replace"
YAML
}
```
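
An alternative to the `set` block in this thread, as an added example that is not from the thread or the chart's documentation: passing the rules through `values` with `yamlencode` keeps the multi-line YAML out of Helm's `--set` parser, so the file key can carry its `.yaml` extension without escaping the dot. The release name, namespace and repository URL are assumptions.

```hcl
# Added example. Release name and namespace are assumed values.
resource "helm_release" "falco" {
  name       = "falco" # assumed
  namespace  = "falco" # assumed
  repository = "https://falcosecurity.github.io/charts" # assumed chart repo URL
  chart      = "falco"

  # `values` takes whole YAML documents, so nothing here is split on
  # dots or commas the way a `set` name/value pair is.
  values = [
    yamlencode({
      customRules = {
        # Each key becomes one rules file; each entry turns off one
        # built-in rule, so this list is also the record of which
        # detections are no longer active in the cluster.
        "override-rules.yaml" = <<-YAML
          - rule: Contact EC2 Instance Metadata Service From Container
            enabled: false
            override:
              enabled: replace
          - rule: Non sudo setuid
            enabled: false
            override:
              enabled: replace
        YAML
      }
    })
  ]
}
```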