Closed myugan closed 3 months ago
Hi @myugan,
The behavior you're facing is totally legit and logical.
In the Falco images, neither the rules nor the plugins are present. When you deploy Falco with the Helm chart, a sidecar running Falcoctl is deployed and is in charge of doing the installation for you. The behavior of Falcoctl is controlled by this block in the values.yaml:
```yaml
artifact:
  install:
    enabled: true
  follow:
    enabled: true
config:
  artifact:
    allowedTypes:
      - rulesfile
      - plugin
    install:
      resolveDeps: false
      refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
    follow:
      refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
```
In your configuration, you install only the `falco-rules`, the `k8saudit-rules` and the `json` plugin:
```yaml
install:
  resolveDeps: false
  refs: [falco-rules:3, k8saudit-rules:0.5, json:0.6]
```
Either you specify to also install the `k8saudit` plugin like this:
```yaml
install:
  resolveDeps: false
  refs: [falco-rules:3, k8saudit-rules:0, k8saudit:0, json:0]
```
Or you enable the resolution of the dependencies, and the right plugin will be installed automatically following the rules:
```yaml
resolveDeps: true
```
[!NOTE] I updated the versions of the plugins/rules in my proposals to specify the use of the last tagged versions we propose.
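The check described in the comment above, written as a small pre-deploy lint. This is an added example, not part of the original thread and not code from the Falco project; the `REQUIRED_PLUGINS` map and the function names are assumptions, with the one dependency taken from this thread.

```python
# Added example: flag rules files that are installed without the plugin they need
# when falcoctl is told not to resolve dependencies itself.
# REQUIRED_PLUGINS is an assumption built from this thread (k8saudit-rules needs
# the k8saudit plugin); extend it for the other rules files you deploy.
REQUIRED_PLUGINS = {"k8saudit-rules": ["k8saudit"]}


def artifact_name(ref):
    """Return the artifact name of a ref such as 'k8saudit-rules:0.5'.

    Also accepts a longer reference with a registry path, a tag or a digest:
    the name is the last path segment, cut at the first ':' or '@'.
    """
    last = ref.strip().rsplit("/", 1)[-1]
    return last.split(":", 1)[0].split("@", 1)[0]


def missing_plugins(install):
    """List (rulesfile, plugin) pairs the install block leaves unresolved."""
    # Assumption: an absent resolveDeps key is treated here as false.
    if install.get("resolveDeps", False):
        return []  # falcoctl installs the dependencies on its own
    names = {artifact_name(r) for r in install.get("refs", [])}
    return [
        (rules, plugin)
        for rules in sorted(names)
        for plugin in REQUIRED_PLUGINS.get(rules, [])
        if plugin not in names
    ]


# Constructed inputs mirroring the three install blocks quoted in the thread.
REPORTED = {"resolveDeps": False,
            "refs": ["falco-rules:3", "k8saudit-rules:0.5", "json:0.6"]}
EXPLICIT = {"resolveDeps": False,
            "refs": ["falco-rules:3", "k8saudit-rules:0", "k8saudit:0", "json:0"]}
RESOLVED = dict(REPORTED, resolveDeps=True)

if __name__ == "__main__":
    for label, block in [("reported", REPORTED), ("explicit", EXPLICIT),
                         ("resolveDeps", RESOLVED)]:
        print(label, missing_plugins(block) or "ok")
```

Feed it the `config.artifact.install` mapping from your parsed values file; a non-empty result means the rules will load without the plugin they depend on.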
Thank you @Issif. I thought it would be installed automatically, but it seems I missed defining it, which is why it wasn't working. Now it's working fine, thanks!
/milestone 0.39.0
/close
@FedeDP: Closing this issue.
Describe the bug
When attempting to enable libk8saudit in Falco, the following error occurs:
The documentation lacks clarity.
How to reproduce it
The cluster is set up using Kubeadm and it uses version 1.29.5.
Expected behaviour
Successfully integrated Kubernetes Audit Logs with Falco.