falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0
7.29k stars 897 forks

libk8saudit.so: can't load plugin dynamic library #3261

Closed myugan closed 3 months ago

myugan commented 3 months ago

Describe the bug

When attempting to enable libk8saudit in Falco, the following error occurs:

Runtime error: cannot load plugin /usr/share/falco/plugins/libk8saudit.so: can't load plugin dynamic library: /usr/share/falco/plugins/libk8saudit.so: cannot open shared object file: No such file or directory. Exiting.

The documentation lacks clarity.

How to reproduce it

The cluster is set up using Kubeadm and it uses version 1.29.5.

cat > falco-syscall-k8saudit.yaml<<EOF
driver:
  enabled: true
  kind: ebpf

collectors:
  enabled: true

controller:
  kind: daemonset

services:
  - name: k8saudit-webhook
    type: NodePort
    ports:
      - port: 9765
        nodePort: 30007
        protocol: TCP

falcoctl:
  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      allowedTypes:
        - rulesfile
        - plugin
      install:
        resolveDeps: false
        refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
      follow:
        refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]

falco:
  load_plugins: [k8saudit, json]
  jsonOutput: true
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config:
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d

tty: true
EOF

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco --values=falco-syscall-k8saudit.yaml falcosecurity/falco --version 4.2.2

Expected behaviour

Successfully integrated Kubernetes Audit Logs with Falco.

Issif commented 3 months ago

Hi @myugan,

The behavior you're facing is totally legitimate and logical.

In the Falco images, neither the rules nor the plugins are present. When you deploy Falco with the Helm chart, a sidecar running Falcoctl is deployed and is in charge of doing the installation for you. The behavior of Falcoctl is controlled by this block in the values.yaml:

  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      allowedTypes:
        - rulesfile
        - plugin
      install:
        resolveDeps: false
        refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
      follow:
        refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]

In your configuration, you install only the falco-rules, the k8saudit-rules and the json plugin:

      install:
        resolveDeps: false
        refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]

Either you specify that the k8saudit plugin should also be installed, like this:

      install:
        resolveDeps: false
        refs: [falco-rules:3, k8saudit-rules:0, k8saudit:0, json:0]

Or you enable the resolution of the dependencies, and the right plugin will be installed automatically following the rules:

        resolveDeps: true

[!NOTE] I updated the versions of the plugins/rules in my proposals to specify the use of the last tagged versions we propose.
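
As an added example (not part of the thread and not the Falco project's code), a small pre-deployment check for the mismatch described above: it flags any plugin in `falco.load_plugins` that has no matching entry in falcoctl's `install.refs`. It assumes a plugin's artifact name equals its plugin name, as with k8saudit and json here; the function names and the inline sample values are constructed for illustration.

```python
# Added example: pre-deployment check for the mismatch discussed in this issue.
# Assumption: a plugin's falcoctl artifact name equals its Falco plugin name.

def artifact_name(ref):
    """'registry.example/plugins/k8saudit:0.5' (constructed) or 'k8saudit:0' -> 'k8saudit'."""
    last = ref.strip().rsplit("/", 1)[-1]          # drop registry/repository path
    return last.split("@", 1)[0].split(":", 1)[0]  # drop digest and tag

def missing_plugins(values):
    """Return (loaded plugins absent from install.refs, resolveDeps setting)."""
    falco = values.get("falco", {})
    artifact = values.get("falcoctl", {}).get("config", {}).get("artifact", {})
    install = artifact.get("install", {})
    installed = {artifact_name(r) for r in install.get("refs", [])}
    declared = {p["name"]: p.get("library_path", "") for p in falco.get("plugins", [])}
    missing = []
    for name in falco.get("load_plugins", []):
        if name not in installed:
            missing.append((name, declared.get(name, "<no plugins entry>")))
    return missing, bool(install.get("resolveDeps", False))

def report(values):
    """One line per finding: ERROR if nothing will install the plugin, WARN otherwise."""
    missing, resolve = missing_plugins(values)
    lines = []
    for name, lib in missing:
        if resolve:
            lines.append(f"WARN  {name} ({lib}): not in install.refs; relies on resolveDeps")
        else:
            lines.append(f"ERROR {name} ({lib}): not in install.refs and resolveDeps is false")
    return lines

# Constructed sample: the relevant keys of the values file from this issue.
ISSUE_VALUES = {
    "falcoctl": {"config": {"artifact": {"install": {
        "resolveDeps": False,
        "refs": ["falco-rules:3", "k8saudit-rules:0.5", "json:0.6"]}}}},
    "falco": {
        "load_plugins": ["k8saudit", "json"],
        "plugins": [
            {"name": "k8saudit", "library_path": "libk8saudit.so"},
            {"name": "json", "library_path": "libjson.so"},
        ],
    },
}

if __name__ == "__main__":
    print("\n".join(report(ISSUE_VALUES)) or "OK")
```

With `resolveDeps: true` the check only warns, because whether the plugin gets pulled in then depends on the dependencies declared by the installed rules files, which this offline check does not read.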

myugan commented 3 months ago

Thank you @Issif. I thought it would be installed automatically, but it seems I missed defining it, which is why it wasn't working. Now it's working fine, thanks!

FedeDP commented 3 months ago

/milestone 0.39.0
/close

poiana commented 3 months ago

@FedeDP: Closing this issue.
