falcosecurity / cncf-green-review-testing

Falco configurations intended for testing with the CNCF Green Reviews Working Group
Apache License 2.0

Check CNCF Green Reviews Cluster and Setup Requirements for Falco #2

Closed incertum closed 7 months ago

incertum commented 9 months ago

See https://github.com/falcosecurity/cncf-green-review-testing?tab=readme-ov-file#summary-cncf-green-reviews-cluster-requirements

| Knode | Falco Driver | Namespace | Node Selector |
|---|---|---|---|
| knode A | modern-ebpf | falco | cncf-project: "falco", cncf-project-sub: "falco-driver-modern-ebpf" |
| knode B | ebpf | falco | cncf-project: "falco", cncf-project-sub: "falco-driver-ebpf" |
| knode C | kmod | falco | cncf-project: "falco", cncf-project-sub: "falco-driver-kmod" |

| Knode | Kernel Version Requirement | Additional Requirements | BPF Stats Enabled |
|---|---|---|---|
| knode A | >= 5.8 | eBPF supported | 1 |
| knode B | >= 4.14 | eBPF supported, kernel headers installed | 1 |
| knode C | >= 2.6.32 | DKMS package and kernel headers installed | N/A |

Notes:

Clarify each item with the CNCF Green Reviews Working Group, especially the nodeSelector.

CC @nikimanoledaki
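As an added illustration (not code from this repository or from Falco), the following Python preflight check encodes the two tables above and reports why a knode does or does not qualify for a given driver, including whether its labels satisfy the proposed nodeSelector and whether the containerd socket is at the path the thread later confirms for k3s. The sample node is constructed: its kernel, OS and runtime mirror the `kubectl get nodes -o wide` output quoted later in the thread, while its labels, header/DKMS state and socket path are assumed.

```python
import re

# Per-driver requirements, transcribed from the tables in this issue.
DRIVER_REQUIREMENTS = {
    "modern-ebpf": {"min_kernel": (5, 8, 0), "headers": False, "dkms": False},
    "ebpf":        {"min_kernel": (4, 14, 0), "headers": True, "dkms": False},
    "kmod":        {"min_kernel": (2, 6, 32), "headers": True, "dkms": True},
}

# k3s path is the one confirmed in this thread; the other is the generic
# containerd default the Falco docs originally assumed.
CONTAINERD_SOCKETS = {"k3s": "/run/k3s/containerd/containerd.sock",
                      "containerd": "/run/containerd/containerd.sock"}

def node_selector(driver):
    """Labels a knode needs so the driver-specific Falco DaemonSet lands on it."""
    return {"cncf-project": "falco", "cncf-project-sub": f"falco-driver-{driver}"}

def parse_kernel(release):
    """'5.15.0-84-generic' -> (5, 15, 0); tolerates distro suffixes and 'x.y' form."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def check_node(node, driver):
    """Return a list of problems; an empty list means the node is usable for this driver."""
    req = DRIVER_REQUIREMENTS[driver]
    problems = []
    if parse_kernel(node["kernel"]) < req["min_kernel"]:
        problems.append(f"kernel {node['kernel']} < required {'.'.join(map(str, req['min_kernel']))}")
    if req["headers"] and not node.get("kernel_headers"):
        problems.append("kernel headers not installed")
    if req["dkms"] and not node.get("dkms"):
        problems.append("DKMS package not installed")
    wanted = node_selector(driver)
    if any(node["labels"].get(k) != v for k, v in wanted.items()):
        problems.append(f"labels {node['labels']} do not match nodeSelector {wanted}")
    expected_sock = CONTAINERD_SOCKETS[node.get("distro", "containerd")]
    if node.get("containerd_socket") != expected_sock:
        problems.append(f"containerd socket should be {expected_sock}")
    return problems

# Constructed sample knode (assumed labels, headers, DKMS state and socket path).
KNODE_A = {
    "kernel": "5.15.0-84-generic", "distro": "k3s",
    "labels": {"cncf-project": "falco", "cncf-project-sub": "falco-driver-modern-ebpf"},
    "kernel_headers": False, "dkms": False,
    "containerd_socket": "/run/k3s/containerd/containerd.sock",
}

if __name__ == "__main__":
    for drv in DRIVER_REQUIREMENTS:
        print(drv, check_node(KNODE_A, drv) or "OK")
```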

poiana commented 9 months ago

There is not a label identifying the kind of this issue. Please specify it either using /kind <group> or manually from the side menu.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

rossf7 commented 8 months ago

@incertum Thanks for writing this up and I agree this is where we need to align.

> For both bpf and kmod, additional host mounts are required, such as /usr/src/kernels/ and /lib/modules. Please refer to the respective daemonset configuration for more details.

k3s comes with a local-path-provisioner that supports hostPath. So you should be able to add these mounts. If that doesn't work we can investigate alternatives.

> We anticipate containerd to be the container runtime socket located at /run/containerd/containerd.sock.

Yes, the knodes will all have containerd (default for k3s)

> cncf-project: "falco" cncf-project-sub: "falco-driver-modern-ebpf"

I like the project label and the sub label adds flexibility. We might need more labels later but this is a great starting point IMO.

For the kernel version requirements Equinix Metal has a pretty wide selection of supported OSes

We're using ubuntu 22.04 but we can easily specify an alternative OS in the tofu automation. Does that provide you enough control for the kernel version?

```
k get no wg-green-reviews-worker-a-fhnpf -o wide
NAME                              STATUS   ROLES    AGE   VERSION   INTERNAL-IP    EXTERNAL-IP     OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
wg-green-reviews-worker-a-fhnpf   Ready    <none>   79d   v1.28.2   10.78.49.131   147.28.134.57   Ubuntu 22.04.3 LTS   5.15.0-84-generic   containerd://1.6.24
```

Lastly I have a concern about how many Equinix resources we will need. Can we start with knode A with modern-bpf while we develop the pipeline?

We can then add more knodes, but I think we should consider provisioning knodes on demand for the duration of the test. So we consume fewer resources and the approach is more scalable as we onboard more projects.

@nikimanoledaki @AntonioDiTuri Please also chime in with your thoughts on this.

incertum commented 8 months ago

> Can we start with knode A with modern-bpf while we develop the pipeline?

We would love this approach, also easier for us.

[By the way, I forgot to add "Kernel headers installed" as a requirement for the other drivers. We will update our docs shortly. And I noticed some minor naming hiccups; it should now be consistently modern-ebpf, my bad.]

> ubuntu 22.04

Perfect works for us!

> Yes, the knodes will all have containerd (default for k3s)

@rossf7 mind double-checking the exact path of the socket? Would appreciate it a lot, is it (1) /run/containerd/containerd.sock or (2) /run/k3s/containerd/containerd.sock? Thanks in advance!

> I like the project label and the sub label adds flexibility. We might need more labels later but this is a great starting point IMO.

Great, yes I think we can very easily change or add new labels!

rossf7 commented 8 months ago

@incertum That's great, thank you.

The socket path is /run/k3s/containerd/containerd.sock

incertum commented 8 months ago

Thanks! I'll update the docs once we tag the next release containers and state /run/k3s/containerd/containerd.sock instead.

nikimanoledaki commented 8 months ago

What is left for this issue? :)

incertum commented 8 months ago

Now that I have access to the falco pods, plz allow me to check a few things.

In addition, do we want to mark this as complete and open a new issue once we tackle the other 2 drivers Falco has? Ok for us.

incertum commented 7 months ago

Had a chance to inspect a few things, LGTM. We can refer to this issue in the future when we test the remaining 2 drivers.