falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

falco: when leastPrivileged is true, set the apparmor profile to … #769

Closed doublez13 closed 1 month ago

doublez13 commented 1 month ago

What type of PR is this?

/kind bug /kind chart-release

What this PR does / why we need it: It appears that when setting leastPrivileged: true, apparmor does not allow falco to ptrace, which appears to leave the container fields null.

Oct 24 09:52:57 hostname kernel: audit: type=1400 audit(1729785177.339:404624): apparmor="DENIED" operation="ptrace" profile="cri-containerd.apparmor.d" pid=2389102 comm="falco" requested_mask="read" denied_mask="read" peer="unconfined"

If leastPrivileged: true, set the apparmor profile to unconfined.

@leogr This is just a request for comments, as I'm not sure if this is the best way to solve the issue. Or perhaps there should be an optional field in the helm file that allows specifying an apparmor profile (custom or unconfined).

Which issue(s) this PR fixes: falcosecurity/falco#3345

Checklist
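To confirm the symptom described above on a node before changing the chart, the kernel audit log can be filtered for AppArmor ptrace denials against the falco process. This is an added example, not code from the PR or the charts project; the sample lines are constructed (the first reproduces the format quoted above, the other two are made up to show what the filter ignores).

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines: the first mirrors the audit line from the PR
# description; the other two are invented to exercise the filter.
SAMPLE_LINES = [
    'Oct 24 09:52:57 hostname kernel: audit: type=1400 audit(1729785177.339:404624): '
    'apparmor="DENIED" operation="ptrace" profile="cri-containerd.apparmor.d" '
    'pid=2389102 comm="falco" requested_mask="read" denied_mask="read" peer="unconfined"',
    # same event but only audited (complain mode), not denied: must be ignored
    'Oct 24 09:53:01 hostname kernel: audit: type=1400 audit(1729785181.001:404630): '
    'apparmor="ALLOWED" operation="ptrace" profile="cri-containerd.apparmor.d" '
    'pid=2389102 comm="falco" requested_mask="read" denied_mask="read" peer="unconfined"',
    # a denial for a different operation and process: must be ignored
    'Oct 24 09:53:05 hostname kernel: audit: type=1400 audit(1729785185.212:404640): '
    'apparmor="DENIED" operation="open" profile="cri-containerd.apparmor.d" '
    'pid=12345 comm="nginx" requested_mask="r" denied_mask="r" name="/etc/shadow"',
]

# Matches key=value and key="quoted value" pairs as AppArmor audit records write them.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of an AppArmor audit record (type=1400), else None."""
    if "type=1400" not in line:
        return None
    fields: Dict[str, str] = {}
    for key, raw, quoted in _KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def is_falco_ptrace_denial(fields: Dict[str, str]) -> bool:
    """True when AppArmor denied ptrace to the falco process (the symptom in this PR)."""
    return (fields.get("apparmor") == "DENIED"
            and fields.get("operation") == "ptrace"
            and fields.get("comm") == "falco")


def find_falco_ptrace_denials(lines: List[str]) -> List[Dict[str, str]]:
    """Filter raw log lines down to the parsed records that match the symptom."""
    hits = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields and is_falco_ptrace_denial(fields):
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for h in find_falco_ptrace_denials(SAMPLE_LINES):
        print(f'pid={h["pid"]} profile={h["profile"]} denied={h["denied_mask"]} peer={h["peer"]}')
```

On a real node, feed it the output of `journalctl -k` (or `dmesg`) instead of SAMPLE_LINES; any hit means the container profile is blocking the ptrace Falco needs and the container fields will come back empty.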

poiana commented 1 month ago

Welcome @doublez13! It looks like this is your first PR to falcosecurity/charts 🎉

leogr commented 1 month ago

> This is just a request for comments, as I'm not sure if this is the best way to solve the issue. Or perhaps there should be an optional field in the helm file that allows specifying an apparmor profile (custom or unconfined).

Hey @doublez13

Thank you for this. I haven't dug into it, but it seems to be the correct approach. I'll do some tests. cc @falcosecurity/charts-maintainers

leogr commented 1 month ago

@doublez13

Also, can you bump the chart version so the tests will run? :pray:

leogr commented 1 month ago

Hey @doublez13

I'm ok with this fix, so we can go ahead.

To merge this PR, we just need to:

Let me know if you can do that; otherwise, I will do it for you.

Thank you

doublez13 commented 1 month ago

I'm away from my computer for a while (just phone). You're welcome to rebase and merge, or I can do it later.

leogr commented 1 month ago

> I'm away from my computer for a while (just phone). You're welcome to rebase and merge, or I can do it later.

I'm rebasing right now.

poiana commented 1 month ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: doublez13, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/falcosecurity/charts/blob/master/OWNERS)~~ [leogr]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

poiana commented 1 month ago

LGTM label has been added.

Git tree hash: cc294e786fb73dc8a2b6eb8368e8f7a1eafe810b