search

falcosecurity / falcosidekick-ui

A simple WebUI with latest events from Falco
Apache License 2.0
110 stars 16 forks source link

No data is displayed in falcosidekick-ui website #133

Closed amgonzalezf closed 7 months ago

amgonzalezf commented 7 months ago

I installed falcosidekick with falcosidekick-ui enabled but I don't see any data in the UI. I installed falco, falcosidekick and falcosidekick-ui with their helm charts.

Steps to reproduce:

  1. Install the version 3.8.7 of the helm chart of falco with these values:

    driver:
kind: modern-bpf
tty: true
falcoctl:
config:
artifact:
  install:
    refs: [falco-rules:2, k8saudit-rules:0.6]
  follow:
    refs: [falco-rules:2, k8saudit-rules:0.6]
services:
- name: k8saudit-webhook
type: NodePort
ports:
  - port: 9765
    nodePort: 30007
    protocol: TCP
falco:
rules_file:
- /etc/falco/falco_rules.yaml
- /etc/falco/k8s_audit_rules.yaml
- /etc/falco/rules.d
load_plugins: [k8saudit, json]

  2. Install the version 0.7.11 of the helm chart of falcosidekick with these values:

    webui:
enabled: true
user: "test:test"
ingress:
enabled: true
annotations:
  cert-manager.io/cluster-issuer: letsencrypt-http
  kubernetes.io/ingress.class: nginx
hosts:
- host: falco.test.de
  paths:
  - path: /
    pathType: Prefix
tls:
- hosts:
  - falco.test.de
  secretName: falco-tls

    Expected behaviour: After the installation of the components, data should be visible in falcosidekick-ui. I can see events happening in the logs of the pods of falco, but I can't see them in the website of falcosidekick-ui

Screenshots image

Versions:

Issif commented 7 months ago

Hi,

To install the whole stack, you have 2 choices:

The easiest way is to install the falco chart only with the setting to enable sidekick.

Here's the values.yaml with your config:

driver:
  kind: modern-bpf
tty: true
falcoctl:
  config:
    artifact:
      install:
        refs: [falco-rules:2, k8saudit-rules:0.6]
      follow:
        refs: [falco-rules:2, k8saudit-rules:0.6]
services:
  - name: k8saudit-webhook
    type: NodePort
    ports:
      - port: 9765
        nodePort: 30007
        protocol: TCP
falco:
  rules_file:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/rules.d
  load_plugins: [k8saudit, json]

falcosidekick:
  enabled: true
  webui:
    enabled: true
    user: "test:test"
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-http
        kubernetes.io/ingress.class: nginx
      hosts:
      - host: falco.test.de
        paths:
        - path: /
          pathType: Prefix
      tls:
      - hosts:
        - falco.test.de
        secretName: falco-tls
amgonzalezf commented 7 months ago

Hi @Issif,

I used the values that you proposed and now it works. But I think that the default values.yaml file of the helm chart of falco should be updated. There is no mention to the fields falcosidekick.webui:

image

So my first assumption would be that those fields don't exist (which is what I was assuming all this time). Then, even if somehow I realize that those fields exist, in the the values.yaml file we can read For configuration values, see https://github.com/falcosecurity/charts/blob/master/falcosidekick/values.yaml. I went to that URL and I see this:

image

amgonzalezf commented 7 months ago

So first I couldn't know that those fields exist and even if I knew it I couldn't find documentation about which fields exist and how to configure them.

amgonzalezf commented 7 months ago

Thanks for your quick reply and your help by the way =)

Issif commented 7 months ago

The charts has been moved, this is why the link is not valid anymore, I'll fix that with a next release. Thanks

Concerning the list of the values, everything is explained in the readme: https://github.com/falcosecurity/charts/tree/master/charts/falco#deploy-falcosidekick-with-falco (the link must be updated too).