falcosecurity / falco-talon

Response Engine for managing threats in your Kubernetes
https://docs.falco-talon.org
Apache License 2.0

Custom talon rules not working #491

Open leofvo opened 1 month ago

leofvo commented 1 month ago

Hello,

I'm trying to POC falco and talon in a local environment and I can't figure out how to customize talon rules. You can find the whole code used here.

Following the README and the Falco part only (on my project), I set up Falco, falco-sidekick and falco-talon. Everything works, except when I try to make custom rules for talon. It seems that if I overwrite this part:

# -- config of Falco Talon (See https://docs.falco-talon.org/docs/configuration/)
config:
  # -- list of locale rules to load, they will be concatenated into a single config map
  rulesFiles:
    - rules/talon.yaml

The rules aren't loaded anymore, and my custom rules aren't loaded either. The ConfigMap created is empty, as follows:

k describe configmap -n falco falco-talon-rules
Name:         falco-talon-rules
Namespace:    falco
Labels:       app.kubernetes.io/instance=falco-talon
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=falco-talon
              app.kubernetes.io/part-of=falco-talon
              app.kubernetes.io/version=0.1.1
              helm.sh/chart=falco-talon-0.1.2
Annotations:  meta.helm.sh/release-name: falco-talon
              meta.helm.sh/release-namespace: falco

Data
====
rules.yaml:
----

BinaryData
====

I think this is a helm chart issue: the path used to get the file content isn't relative, or something like that. How can I handle that?

Issif commented 1 month ago

Hi,

This is a limitation I also noticed, and I'm working on a fix. For now, the listed rules files must be in the same folder as the values.yaml and only relative paths must be used (i.e., no path, just the file name). Sorry for that; the helm features to manage files are not really great, and all my development has been done with local files, which is why I only noticed this issue late.

leofvo commented 1 month ago

Yeah, here is what I understood from reading the configmap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "falco-talon.name" . }}-rules
  labels:
    {{- include "falco-talon.labels" . | nindent 4 }}
data:
  rules.yaml: |-
{{- range $file := .Values.config.rulesFiles -}}
{{ $fileContent := $.Files.Get . }}
{{- $fileContent | nindent 4 -}}
{{- end -}}

$.Files.Get is used to retrieve the content of a file from the chart.

So if we provide a file not directly included in the chart, the helm function doesn't read the content...

Maybe we should allow users to pass rules directly from the chart, like falco does (cf. https://falco.org/docs/rules/custom-ruleset/), by adding a field like:

customRules:
  talon-rules.yaml: |-
    - rule: Example rule
      desc: ...

I would be excited to contribute to the project and implement this if you agree.

Otherwise, I think a better way to improve rules customization could be adding rules via CRDs, like Kyverno does. But this seems harder to implement.
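One way the `customRules` idea above could be rendered, as an added example for this thread and not code from the falco-talon chart: the `rules.yaml` key keeps the chart's bundled files, then appends every entry of an assumed `.Values.customRules` map, and a `rulesFiles` path that `.Files.Get` cannot see fails the render instead of silently producing the empty ConfigMap shown earlier. The template file name, the `customRules` key and the `# --- name ---` separators are assumptions.

```yaml
# templates/configmap-rules.yaml (assumed file name; example code, not the chart's own)
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "falco-talon.name" . }}-rules
  labels:
    {{- include "falco-talon.labels" . | nindent 4 }}
data:
  rules.yaml: |-
    {{- /* Files shipped inside the chart. .Files.Get only sees paths under the
           chart root and returns "" for anything else, so fail loudly rather
           than shipping an empty rules.yaml. */}}
    {{- range .Values.config.rulesFiles }}
    {{- $content := $.Files.Get . }}
    {{- if not $content }}
    {{- fail (printf "rules file %q not found inside the chart" .) }}
    {{- end }}
    {{- $content | nindent 4 }}
    {{- end }}
    {{- /* Rules passed inline through values (assumed key: customRules). They are
           appended to the same file, so the existing volume mount keeps working. */}}
    {{- range $name, $content := .Values.customRules }}
    {{- printf "# --- %s ---" $name | nindent 4 }}
    {{- $content | nindent 4 }}
    {{- end }}
```

With `customRules: { talon-rules.yaml: "- rule: ..." }` in a values file passed via `-f`, the rules reach the rendered ConfigMap without Helm touching the filesystem, and `--set-file 'customRules.talon-rules\.yaml=rules/talon.yaml'` feeds a local file into that same key from any directory. A `rulesFiles` entry pointing outside the chart now makes `helm template` exit with the error message instead of deploying talon with no rules.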

Issif commented 1 month ago

Your contribution will be welcome for sure; just take care, the official chart is https://github.com/falcosecurity/charts/tree/master/charts/falco-talon, the chart included in this repo will be removed soon.

For the operator, it's already a WIP: with @alacuku we'll work on an operator to manage falco, its plugins and rules, but also the integrations with falcosidekick and the reactions with talon, all in a consistent way.

leofvo commented 1 month ago

I proposed a fix and some improvements 🚀 Thanks for your help!